Yes, please use the existing fuzz-testing list. It’s basically a notifications
list at this point due to differences in memory safety between Java and the C
family making fuzzing a little trickier to reproduce security issues.
—
Matt Sicker
> On Nov 23, 2022, at 08:58, Mark Thomas wrote:
>
> O
On 21/11/2022 04:22, Oliver Chang wrote:
Hi Mark,
Thanks for the early feedback.
Re a), unfortunately I'm not aware of an easy way to do this with our
current bug tracking system (Monorail). If it's an important feature to
have, one way to achieve this may be to set up a separate "
security-oss-fuzz-not...@commons.apache.org" group or s
Hi Oliver,
The following are a couple of (hopefully) low hanging fruit that will
smooth a couple of rough edges. These aren't the biggest issues - just
something to get started with.
a) It would be very helpful if there was an option to enable sending of
notifications for your own comments
Thanks Mark.
Please let us know how we can help make this fuzzing experience better for
you. We're also happy to jump on a call to walk through your concerns and
reach a good outcome.
Best regards,
--
Oliver
On Thu, 17 Nov 2022 at 06:56, Mark Thomas wrote:
I haven't forgotten about this. I am currently working through the open
issues. I want to complete that first so feedback isn't skewed by a
single project.
Mark
On 11/11/2022 14:45, Roman Wagner wrote:
Hi Mark,
I think the best way forward is to collaborate and have a short feedback
loop.
Did you mean build failures by “Invalid due to broken test”? If yes, I am
not sure what we can do about the broken tests since those are already
executed and tested by check build scripts locally and in a CI/C
Hi Mark,
In addition to the reasons Roman listed, the current structure also allows
us to allocate more compute resources to all of these Apache packages,
rather than all of them sharing the CPUs allocated for a single OSS-Fuzz
"project".
We can definitely ensure that secur...@commons.apache.org
Oliver,
My requirements regarding configuration are:
- secur...@commons.apache.org MUST be notified of all security
vulnerability reports for all Apache Commons components
- a mechanism MUST be provided for the secur...@commons.apache.org
Google user to view all historical reports that were
Hi Mark,
I have added @Oliver Chang from the Google OSS-Fuzz to
the thread.
I had a short discussion with Oliver. There could be different issues in
OSS-Fuzz by design if all apache-commons components will move under
apache-commons directory:
- it is not scalable and will slow down both fuzz
Thanks for the update.
I'll wait for that PR to be resolved before taking any further action.
Mark
On 08/11/2022 16:42, Roman Wagner wrote:
Hi Mark,
There is a PR open in oss-fuzz https://github.com/google/oss-fuzz/pull/8933.
Best regards
Roman
On Tue, Nov 8, 2022 at 4:15 PM Gary Gregory wrote:
Sounds good.
Gary
On Tue, Nov 8, 2022, 10:07 Mark Thomas wrote:
There has been no response to this email from anyone from Code Intelligence.
Unless there are objections from the Apache Commons Community my next
step will be to submit a PR to have the following modules removed from
oss-fuzz:
apache-commons-bcel
apache-commons-beanutils
apache-commons-cli
a
Hi,
You are receiving this email as you are currently configured as the
recipients for oss-fuzz reports for Apache Commons JXPath.
As per the discussion on the Apache Commons dev list[1], please make the
following configuration changes to the oss-fuzz integrations with
immediate effect:
-