A quick update: OSS-Fuzz has gained coverage support for Java. You can
access the latest apache-commons report at
https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_apache-commons/latest
and check how well the fuzzer is doing.
Fabian
On Thu, Apr 22, 2021, 17:44 Fabian Meumertzheim <
meumertz
No worries, I'm also not in a rush to change anything, so we can give this
discussion the space and time it deserves. If you want me to weigh in on
any issue you open on GitHub, just @fmeum.
An additional argument in favor of a delayed publication could be that
sometimes completely unrelated upstr
Many thanks Fabian
and sorry for the delay - unfortunately I'm not really able to free up
as much time as necessary for any OSS stuff right now
On 2021-05-03, Fabian Meumertzheim wrote:
> The behavior you are observing has only become the standard somewhat
> recently [1], which is also why I had
Hi,
The behavior you are observing has only become the standard somewhat
recently [1], which is also why I had decided to point it out before we
performed the integration [2].
Let me first confirm the facts: It is correct that OSS-Fuzz will
automatically open the Monorail bugs to the public rough
Voting takes three days or less if we decide we need an emergency release
for a security issue for example. In reality, it can take weeks for a
release manager to volunteer for a given component, review code, PRs,
Jiras, and so on, before going through all the hoops to create a release
candidate and
Hi (Fabian)
by now we've resolved the first issues detected by ClusterFuzz (and I
forgot to credit OSS Fuzz in Compress, my bad). What we observed is
that the issues became public automatically once the patch fixing the
issue was merged into master and ClusterFuzz reran the test. In the case
of
On Thu, Apr 22, 2021 at 5:27 PM Peter Lee wrote:
> I just created a PR in Compress
> https://github.com/apache/commons-compress/pull/189
Thanks!
> IIUC I could create a PR github.com/google/oss-fuzz to include my google
> account in auto_ccs, and I should ask the primary contact, who is Stefen
Hi Fabian,
Thanks a lot for all this.
> One more thing: Could you perhaps add the following line to the READMEs of
> compress and imaging?
>
I just created a PR in Compress
https://github.com/apache/commons-compress/pull/189
Seems I missed a lot these days. :-(
I also got a Google account(pete
Done in imaging! Thanks
https://github.com/apache/commons-imaging/pull/130
Bruno
On Wednesday, 21 April 2021, 2:27:38 am NZST, Fabian Meumertzheim
wrote:
The first OSS-Fuzz build passed and some bugs have already been created.
Everything looks good from my side, but let me know if
I see that now. Thanks for handling the ticket!
On Tue, 20 Apr 2021 at 11:38, sebb wrote:
>
> On Tue, 20 Apr 2021 at 17:22, Matt Sicker wrote:
> >
> > I've tried adding that email to the allow-subscribe list for that
> > mailing list. Let's see if the next messages get through without
> > modera
On Tue, 20 Apr 2021 at 17:22, Matt Sicker wrote:
>
> I've tried adding that email to the allow-subscribe list for that
> mailing list. Let's see if the next messages get through without
> moderation now.
As already noted, the Return-Path is different for each email - have a
look at the headers in
I've tried adding that email to the allow-subscribe list for that
mailing list. Let's see if the next messages get through without
moderation now.
On Tue, 20 Apr 2021 at 10:46, Matt Sicker wrote:
>
> I've accepted all the moderation requests so far, though I also get
> CC'd on the same emails, so
I've accepted all the moderation requests so far, though I also get
CC'd on the same emails, so my inbox is a little messy at the moment
to verify that it's going through the mailing list, too. There's
already been like 20 alerts found, so good call on the separate
mailing list! :)
On Tue, 20 Apr
On Tue, 20 Apr 2021 at 16:34, Fabian Meumertzheim
wrote:
>
> I think that the sender address has been monorail+v2.382749...@chromium.org
> for
> me since February, so it might be more stable than it looks.
Yes, but ezmlm uses the envelope sender, i.e. the Return-Path.
At least the current ones
On Tue, 20 Apr 2021 at 16:30, Matt Sicker wrote:
>
> Guess we'll have to ask infra then. They probably have a way to filter
> based on regex or something.
I just remembered we had to do something similar for Travis and
Twitter, see INFRA-18843 and INFRA-19360
Are you going to accept the moderati
I think that the sender address has been monorail+v2.382749...@chromium.org for
me since February, so it might be more stable than it looks.
On Tue, Apr 20, 2021, 17:30 Matt Sicker wrote:
> Guess we'll have to ask infra then. They probably have a way to filter
> based on regex or something.
>
>
Guess we'll have to ask infra then. They probably have a way to filter
based on regex or something.
On Tue, 20 Apr 2021 at 10:05, sebb wrote:
>
> On Tue, 20 Apr 2021 at 15:53, Matt Sicker wrote:
>
> > Looks like we need to add the bot email as an allowed sender to the list.
> >
>
> Easier said t
On Tue, 20 Apr 2021 at 15:53, Matt Sicker wrote:
> Looks like we need to add the bot email as an allowed sender to the list.
>
Easier said than done, as email appears to use a dynamic address.
> Otherwise, I’ve seen the alerts start already 😁
>
> On Tue, Apr 20, 2021 at 09:27 Fabian Meumertz
Looks like we need to add the bot email as an allowed sender to the list.
Otherwise, I’ve seen the alerts start already 😁
On Tue, Apr 20, 2021 at 09:27 Fabian Meumertzheim <
meumertzh...@code-intelligence.com> wrote:
> The first OSS-Fuzz build passed and some bugs have already been created.
> Eve
The first OSS-Fuzz build passed and some bugs have already been created.
Everything looks good from my side, but let me know if you have any
questions.
One more thing: Could you perhaps add the following line to the READMEs of
compress and imaging?
[![Fuzzing Status](
https://oss-fuzz-build-logs.
On Mon, 19 Apr 2021 at 07:54, Stefan Bodewig wrote:
>
> On 2021-04-18, Stefan Bodewig wrote:
>
> > I've created https://issues.apache.org/jira/browse/INFRA-21741 if you
> > want to lend a hand moderating, you may want to add yourself to the
> > ticket before the list is created.
>
> The list has b
On Mon, Apr 19, 2021 at 8:56 AM Stefan Bodewig wrote:
>
> Can there be more than one "primary" contact? There is a reason why we
> use role based mail aliases and mailing lists, it is pretty likely
> people become completely unavailable for a while and I don't want to
> block adding people to auto
On Mon, Apr 19, 2021 at 9:03 AM Stefan Bodewig wrote:
> I hope my approval has been enough as I'm not a "reviewer with write
> access".
I think it will suffice to prove that I have submitted the PRs on
behalf of someone affiliated with Apache Commons. The OSS-Fuzz
reviewers will review the PR fo
On 2021-04-19, Stefan Bodewig wrote:
> On 2021-04-18, Fabian Meumertzheim wrote:
>> Stefan, if you agree, I would submit the two PRs tomorrow and ask you
>> to sign them off on GitHub via a comment on the PR and a link to this
>> email thread.
> Fine with me.
I hope my approval has been enough
On 2021-04-18, Fabian Meumertzheim wrote:
> Stefan, if you agree, I would submit the two PRs tomorrow and ask you
> to sign them off on GitHub via a comment on the PR and a link to this
> email thread.
Fine with me.
Thank you
Stefan
---
On 2021-04-18, Fabian Meumertzheim wrote:
> On Sun, Apr 18, 2021 at 6:22 PM Stefan Bodewig wrote:
>> Can probably do, what is the duty of a primary contact? My github
>> username is bodewig.
> The primary contact may be asked to sign off on PRs to that project in
> the OSS-Fuzz repo, in particul
On 2021-04-18, Stefan Bodewig wrote:
> I've created https://issues.apache.org/jira/browse/INFRA-21741 if you
> want to lend a hand moderating, you may want to add yourself to the
> ticket before the list is created.
The list has been created, so if you want to receive the fuzz reports
please subs
Thank you Stefan!
Bruno
On Monday, 19 April 2021, 4:22:18 am NZST, Stefan Bodewig
wrote:
On 2021-04-18, Fabian Meumertzheim wrote:
> Anyone who is (or wants to be) a moderator on that list and has a Google
> account, please let me know the primary email address so that I can add it
Hi Fabian,
Yes, please: brunodepaulak at gmail
Thanks!
Bruno
On Monday, 19 April 2021, 7:36:42 am NZST, Fabian Meumertzheim
wrote:
I have prepared the integrations at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-compress
and https://github.com/CodeIntelligenceTest
I have prepared the integrations at
https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-compress
and https://github.com/CodeIntelligenceTesting/oss-fuzz/tree/commons-imaging.
I have included Matt's Google account in the auto_ccs list for both,
so you will have access to the full report
On Sun, Apr 18, 2021 at 6:22 PM Stefan Bodewig wrote:
> Can probably do, what is the duty of a primary contact? My github
> username is bodewig.
The primary contact may be asked to sign off on PRs to that project in
the OSS-Fuzz repo, in particular if someone needs to be added to the
"auto_ccs" l
On 2021-04-18, Fabian Meumertzheim wrote:
> Anyone who is (or wants to be) a moderator on that list and has a Google
> account, please let me know the primary email address so that I can add it
> to the "auto_ccs" list for oss-fuzz.com access.
> Stefan, would you want to act as the "primary_conta
Thanks for creating the list.
Anyone who is (or wants to be) a moderator on that list and has a Google
account, please let me know the primary email address so that I can add it
to the "auto_ccs" list for oss-fuzz.com access.
Stefan, would you want to act as the "primary_contact"? That does not
r
Hi all
I've created https://issues.apache.org/jira/browse/INFRA-21741 if you
want to lend a hand moderating, you may want to add yourself to the
ticket before the list is created.
Thanks
Stefan
On 2021-04-17, Matt Sicker wrote:
> I have a Google account I can be CC’d on. I do security engineering
> professionally, so I have some experience in the area as well.
Thanks Matt, I'll add you as one of the initial moderators as well.
Stefan
---
On 2021-04-17, Fabian Meumertzheim wrote:
> Let me describe the restrictions in more detail, including example reports.
> Everyone listed under "primary" or "auto_cc" will receive the bugs created
> in the issue tracker at [1] in email form and can also add comments by
> replying to the email thre
On 17/04/2021 at 18:33, Gary Gregory wrote:
> I'll go with the consensus here but I feel that the security list should be
> for humans and posts there deserve human attention on an ASAP basis. I've
> just seen too many false positives and noise from automated tools over the
> years.
Let's just g
On Sun, Apr 18, 2021 at 12:43 AM sebb wrote:
> How do you ensure that a specific Google account is authorised to view
> a particular project?
This is exclusively governed by the project's "project.yaml" [1]. An
example of such a file is [2].
[1]
https://google.github.io/oss-fuzz/getting-started
Can we make a Google group or shared Google account for the commons PMC?
On Sat, Apr 17, 2021 at 17:43 sebb wrote:
> On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim
> wrote:
> >
> > On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig
> wrote:
> > >
> > > I'm not sure I understand this. AFAIU I co
On Sat, 17 Apr 2021 at 18:05, Fabian Meumertzheim
wrote:
>
> On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote:
> >
> > I'm not sure I understand this. AFAIU I could never become a "primary"
> > or an "auto_cc" as I will not create a Google account. Do we need to
> > have one? In that case som
On Sat, 17 Apr 2021 at 17:33, Gary Gregory wrote:
>
> I'll go with the consensus here but I feel that the security list should be
> for humans and posts there deserve human attention on an ASAP basis. I've
> just seen too many false positives and noise from automated tools over the
> years.
Agree
On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote:
>
> I'm not sure I understand this. AFAIU I could never become a "primary"
> or an "auto_cc" as I will not create a Google account. Do we need to
> have one? In that case somebody who doesn't share my personal set of
> allergic reactions may wa
I'll go with the consensus here but I feel that the security list should be
for humans and posts there deserve human attention on an ASAP basis. I've
just seen too many false positives and noise from automated tools over the
years.
Gary
On Sat, Apr 17, 2021, 09:48 Stefan Bodewig wrote:
> On 202
I have a Google account I can be CC’d on. I do security engineering
professionally, so I have some experience in the area as well.
On Sat, Apr 17, 2021 at 08:58 Stefan Bodewig wrote:
> On 2021-04-15, Fabian Meumertzheim wrote:
>
> > Just to keep the following in mind: Full access to bug reports
On 2021-04-15, Fabian Meumertzheim wrote:
> Just to keep the following in mind: Full access to bug reports and
> reproducers requires a Google account (which can be associated with
> any existing non-list email address). At least the moderators of the
> list would therefore have to be listed expli
On 2021-04-13, Gary Gregory wrote:
> Please don't use @security for automated emails, that ML IMO should be for
> humans.
> If you want to set up a new ML for bots that's fine, we can direct GitHub's
> Dependabot emails there if GitHub allows for that.
I don't believe dependabot and the results o
On 2021-04-13, Mark Thomas wrote:
> On 13/04/2021 17:49, Stefan Bodewig wrote:
>
>> Fabian has offered to set up OSS Fuzz for Compress. Given that the
>> issues OSS Fuzz detects may or may not be security sensitive, I don't
>> feel it would be a good idea to have the tool send reports to a publ
> > From: Fabian Meumertzheim
> > Sent: Wednesday, April 14, 2021 12:13 PM
> > To: Commons Developers List
> > Subject: Re: [all] OSS Fuzz
> >
> > On Wed, Apr 14, 2021, 17:14 Matt Sicker wrote:
> >
> > > Would the undeclared
sted in fuzzing for that as well. I do not have a preference on the
> email list question.
>
> Regards,
> Matt J
>
> From: Fabian Meumertzheim
> Sent: Wednesday, April 14, 2021 12:13 PM
> To: Commons Developers List
> Subject: Re: [all]
PM
To: Commons Developers List
Subject: Re: [all] OSS Fuzz
On Wed, Apr 14, 2021, 17:14 Matt Sicker wrote:
> Would the undeclared runtime exceptions be "fixable" for the fuzzing
> tool if the methods declared their runtime exceptions being thrown? Or
> the javadocs? As in,
and also
> > can't give a meaningful estimate of the ratio of normal bugs to
> > security issues we will find, I will only provide the following
> > general points of information on OSS-Fuzz:
> >
> > * By design, fuzzing produces little to no false positives. Unless
information on OSS-Fuzz:
>
> * By design, fuzzing produces little to no false positives. Unless a
> library maintains non-trivial global state that is not accounted for
> in the fuzz target, all OSS-Fuzz findings should at least be fully
> reproducible reports of normal bugs, in
false positives. Unless a
library maintains non-trivial global state that is not accounted for
in the fuzz target, all OSS-Fuzz findings should at least be fully
reproducible reports of normal bugs, including stack traces and
minimized reproducing inputs.
* Deduplicating certain kinds of issues m
+1 for oss fuzz. Fabian also got in contact a few days earlier, and asked me
about using it with Commons Imaging. I told him it had to be discussed here
first, but that I thought it could be useful (we are parsing several image file
formats, probably a few things could be improved).
As for th
Please don't use @security for automated emails, that ML IMO should be for
humans.
If you want to set up a new ML for bots that's fine, we can direct GitHub's
Dependabot emails there if GitHub allows for that.
Gary
On Tue, Apr 13, 2021, 12:57 Mark Thomas wrote:
> On 13/04/2021 17:49, Stefan Bod
On 13/04/2021 17:49, Stefan Bodewig wrote:
Fabian has offered to set up OSS Fuzz for Compress. Given that the
issues OSS Fuzz detects may or may not be security sensitive, I don't
feel it would be a good idea to have the tool send reports to a public
mailing list. Therefore I propose to create
Hi all
I want to pick up (and finish) the discussion that started in
Compress[1].
Short Recap:
OSS Fuzz[2] runs fuzz testing for open source projects by invoking
methods of our code with random data looking for unexpected outcomes
(undeclared exceptions or worse code that never retu