Hi,
I think that the security reports for 1.21 are missing from
https://commons.apache.org/proper/commons-compress/security-reports.html
Maybe they went missing during a recent CMS change?
Fabian
The JFrog reports seem to reference the following two OSS-Fuzz findings,
which have not been classified as security issues:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34437
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33959
OSS-Fuzz and Jazzer, its Java fuzzer, never mark unca
A quick update: OSS-Fuzz has gained coverage support for Java. You can
access the latest apache-commons report at
https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_apache-commons/latest
and check how well the fuzzer is doing.
Fabian
On Thu, Apr 22, 2021, 17:44 Fabian Meumertzheim
able to free up
> as much time as necessary for any OSS stuff right now
>
> On 2021-05-03, Fabian Meumertzheim wrote:
>
> > The behavior you are observing has only become the standard somewhat
> > recently [1], which is also why I had decided to point it out before we
> > pe
Hi,
The behavior you are observing has only become the standard somewhat
recently [1], which is also why I had decided to point it out before we
performed the integration [2].
Let me first confirm the facts: It is correct that OSS-Fuzz will
automatically open the Monorail bugs to the public rough
On Thu, Apr 22, 2021 at 5:27 PM Peter Lee wrote:
> I just created a PR in Compress
> https://github.com/apache/commons-compress/pull/189
Thanks!
> IIUC I could create a PR github.com/google/oss-fuzz to include my google
> account in auto_ccs, and I should ask the primary contact, who is Stefan
mail appears to use a dynamic address.
> >
> >
> > > Otherwise, I’ve seen the alerts start already
> > >
> >
> >
> > > On Tue, Apr 20, 2021 at 09:27 Fabian Meumertzheim <
> > > meumertzh...@code-intelligence.com> wrote:
> > >
The first OSS-Fuzz build passed and some bugs have already been created.
Everything looks good from my side, but let me know if you have any
questions.
One more thing: Could you perhaps add the following line to the READMEs of
compress and imaging?
[ a moderator on that list and has a Google
> > account, please let me know the primary email address so that I can add it
> > to the "a
On Sun, Apr 18, 2021 at 6:22 PM Stefan Bodewig wrote:
> Can probably do, what is the duty of a primary contact? My github
> username is bodewig.
The primary contact may be asked to sign off on PRs to that project in
the OSS-Fuzz repo, in particular if someone needs to be added to the
"auto_ccs" l
Thanks for creating the list.
Anyone who is (or wants to be) a moderator on that list and has a Google
account, please let me know the primary email address so that I can add it
to the "auto_ccs" list for oss-fuzz.com access.
Stefan, would you want to act as the "primary_contact"? That does not
r
On Sun, Apr 18, 2021 at 12:43 AM sebb wrote:
> How do you ensure that a specific Google account is authorised to view
> a particular project?
This is exclusively governed by the project's "project.yaml" [1]. An
example of such a file is [2].
[1] https://google.github.io/oss-fuzz/getting-started
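To make the "primary_contact" and "auto_ccs" discussion above concrete, here is an illustrative OSS-Fuzz project.yaml. This is an added example, not the actual apache-commons file in the OSS-Fuzz repo; the field names follow the OSS-Fuzz project.yaml schema, while the homepage, repository URL and e-mail addresses are placeholders.

```yaml
# Illustrative OSS-Fuzz project.yaml (added example, not the real apache-commons file).
# The e-mail addresses and repository URL are placeholders; the keys are the
# OSS-Fuzz schema fields that govern who can see the project's bugs and reports.
homepage: "https://commons.apache.org/"
language: jvm                                     # Java projects are fuzzed with Jazzer via libFuzzer
main_repo: "https://github.com/apache/commons-compress.git"   # placeholder; the real project may differ
primary_contact: "primary.contact@example.org"   # must be a Google account; asked to sign off on PRs changing this file
auto_ccs:
  - "maintainer-one@example.org"                 # each entry needs a Google account, gets oss-fuzz.com access
  - "maintainer-two@example.org"                 # and is CC'd on every bug OSS-Fuzz files for this project
fuzzing_engines:
  - libfuzzer
sanitizers:
  - address
```

Adding or removing an entry under auto_ccs is a pull request against this file in the google/oss-fuzz repository, which is why the list is kept short and the primary contact is the one expected to approve such changes.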
On Sat, Apr 17, 2021 at 3:58 PM Stefan Bodewig wrote:
>
> I'm not sure I understand this. AFAIU I could never become a "primary"
> or an "auto_cc" as I will not create a Google account. Do we need to
> have one? In that case somebody who doesn't share my personal set of
> allergic reactions may wa
sted in fuzzing for that as well. I do not have a preference on the
> email list question.
>
> Regards,
> Matt J
> ________
> From: Fabian Meumertzheim
> Sent: Wednesday, April 14, 2021 12:13 PM
> To: Commons Developers List
> Subject: Re: [all]
to see fuzzed
> (for different reasons; some for handling XML or other languages,
> others for concurrency issues, serializability, etc).
>
> On Wed, 14 Apr 2021 at 01:42, Fabian Meumertzheim
> wrote:
> >
> > As I am not familiar with the structure of your mailing lists
As I am not familiar with the structure of your mailing lists and also
can't give a meaningful estimate of the ratio of normal bugs to
security issues we will find, I will only provide the following
general points of information on OSS-Fuzz:
* By design, fuzzing produces little to no false positiv
g the list of recipients requires a pull request to the
OSS-Fuzz repo, but the folks there are very responsive.
On Wed, Mar 10, 2021 at 2:00 PM Fabian Meumertzheim
wrote:
>
> > > On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
> > > >
> > > > How often will the to
> > On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
> > >
> > > How often will the tool be run?
> > > How often does it need to be run?
> >
> > OSS-Fuzz runs its fuzzers continuously and will automatically pick up
> > new project commits. I don't know its precise schedule, but I expect
> > every proje
On Tue, Mar 9, 2021 at 11:16 PM sebb wrote:
>
> How often will the tool be run?
> How often does it need to be run?
OSS-Fuzz runs its fuzzers continuously and will automatically pick up
new project commits. I don't know its precise schedule, but I expect
every project to be fuzzed at least a coup
On Sat, Mar 6, 2021 at 10:08 PM Stefan Bodewig wrote:
> OTOH I'm not sure I understand the requirements of OSS-Fuzz. I haven't
> read the docs only looked at the image of the process. Seeing a
> Sheriffbot tracking deadlines makes me very uncomfortable. I'm a
> volunteer and so are most other
I am one of the maintainers of Jazzer
(https://github.com/CodeIntelligenceTesting/jazzer), a new open-source
fuzzer for JVM projects based on libFuzzer.
I have set up a few Commons projects for local fuzzing with Jazzer,
which led to quite a few bug reports in Compress and other projects
(https:/