Hi everyone, I've recently submitted a Pull Request [ Repo Link <https://github.com/apache/calcite-avatica/pull/300> ] to significantly expand the fuzzing coverage for Avatica using Jazzer (libFuzzer for the JVM). I’d like to start a discussion here to gather feedback and bring visibility to these changes.
Problem: Currently, Avatica's oss-fuzz integration reports near 0% coverage on core modules because it only targets minor utility classes (which I checked through the fuzz introspector report). This leaves the critical RPC serialization layers (JSON/Protobuf) and JDBC mapping logic vulnerable to crashes from malformed payloads. So I am proposing an "Ideal Integration" model where fuzzer targets live directly in the upstream repository. These are the additions [ Repo Link <https://github.com/apache/calcite-avatica/pull/300> ]:

1. Adds 6 high-coverage Jazzer fuzzers to the `core` module, targeting JsonService, ProtobufTranslation, TypedValue, and JDBC type proxies.
2. Introduces a CIFuzz workflow (.github/workflows/cifuzz.yml) to automatically run these fuzzers on every PR.
3. Successfully passes all current CI checks (Checkstyle, forbiddenApis, and Gradle build).

Integration Status: I have also already prepared the corresponding PR for the Google OSS-Fuzz repository [ Repo Link <https://github.com/google/oss-fuzz/pull/15131> ]. Once these targets are merged upstream, the OSS-Fuzz infrastructure will immediately begin running them 24/7 directly from the Apache source, ensuring continuous security and stability testing. Keeping these fuzzers upstream in the main repo makes stability testing a native part of the project's lifecycle. So any changes to the RPC layer will be immediately validated by the fuzzers in the CI pipeline, catching regressions before they reach the main branch.

I would appreciate the community's review of the architectural placement and the CIFuzz integration. I would like any maintainer to help me out so we could merge the changes in both the calcite-avatica repo and the Google OSS-Fuzz repo.
I'll once again drop all the necessary repository links and the Apache issue link below:

calcite-avatica PR Link: https://github.com/apache/calcite-avatica/pull/300
oss-fuzz PR Link: https://github.com/google/oss-fuzz/pull/15131
Jira Issue Link: https://issues.apache.org/jira/browse/CALCITE-7436

Best regards,
Vishal S
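For readers unfamiliar with how a Jazzer target for the JSON RPC layer is shaped, here is an added illustration; it is not code from the PR above. It assumes Jazzer's `FuzzedDataProvider` entry-point convention and Avatica's polymorphic `Service.Request` class, and uses a plain Jackson `ObjectMapper` as a stand-in for whatever mapper configuration the real fuzzers use.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.calcite.avatica.remote.Service;

/**
 * Illustrative Jazzer target (not the PR's code) for Avatica's JSON RPC
 * request decoding. Jazzer calls fuzzerTestOneInput once per generated input.
 */
public class JsonRequestRoundTripFuzzer {

  // Stand-in mapper; the real JsonService carries its own configured instance.
  private static final ObjectMapper MAPPER = new ObjectMapper();

  public static void fuzzerTestOneInput(FuzzedDataProvider data) {
    // Treat the whole fuzzer input as the JSON body a client would send.
    String payload = data.consumeRemainingAsString();

    try {
      // Polymorphic decode: Jackson picks the concrete Request subtype
      // from the "request" discriminator field.
      Service.Request request = MAPPER.readValue(payload, Service.Request.class);
      if (request == null) {
        return; // e.g. the literal "null"
      }

      // Re-encode and decode again. A request that survives one decode but
      // cannot be re-serialized, or that changes shape on the second pass,
      // points at a serialization bug rather than at bad input.
      String reencoded = MAPPER.writeValueAsString(request);
      Service.Request again = MAPPER.readValue(reencoded, Service.Request.class);
      if (again == null || !again.getClass().equals(request.getClass())) {
        throw new IllegalStateException(
            "Round trip changed request type: " + request.getClass().getName());
      }
    } catch (JsonProcessingException expected) {
      // Malformed or unknown JSON is the normal case for fuzzer input and is
      // not a finding. Any other exception (NPE, ClassCast, IllegalState,
      // StackOverflow from deep nesting) escapes and is reported by Jazzer.
    }
  }
}
```

Swallowing only `JsonProcessingException` is the key choice: it keeps the corpus from being flooded with uninteresting "invalid JSON" crashes while still surfacing the unexpected exceptions the RPC layer should never throw on untrusted input.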
