Hi all,
I have prepared the initial integration https://github.com/CodeIntelligenceTesting/oss-fuzz/commit/0f1e3c027858e95931fa38ee602c467d83ddafed of spring-boot into Google OSS-Fuzz. This will enable continuous fuzzing of this project, which will be conducted by Google. Bugs found by fuzzing will be reported to you. After the initial integration of this project into OSS-Fuzz, I will continue to add additional fuzz tests to improve the code coverage over time.
The integration requires a primary contact, someone to deal with the bug reports submitted by OSS-Fuzz. The email address needs to belong to an established project committer and be associated with a Google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, and fuzzer statistics. More than one person can be included. Please let me know who I should include, if anyone.
Jazzer is used for fuzzing Java applications. Jazzer is a coverage-guided, in-process fuzzer for the JVM platform developed by Code Intelligence. It is based on libFuzzer and brings many of its instrumentation-powered mutation features to the JVM. Jazzer has already found several bugs in JVM applications: Jazzer Findings
Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.
Comment From: wilkinsona
@onionpsy Thanks for the suggestion. Fuzzing is of some interest to us, but if we're going to invest time in it we'd prefer to follow the ideal integration and maintain the fuzz targets in this repository. We may come back to this topic once we've released Spring Boot 3.0 towards the end of this year.
Comment From: onionpsy
@wilkinsona Thank you for your answer. The described way is indeed the best way to integrate a project into OSS-Fuzz, but in the meantime we still want to have a minimal integration of the project. Therefore we'll still integrate it into OSS-Fuzz, as well as these Spring libraries/projects:
- spring-cloud-commons
- spring-security
- spring-boot
- spring-boot-actuator
- spring-framework
These projects will be integrated without a maintainer and the bugs found will be public. Then you are free to fix them or not. When you want to manage the OSS-Fuzz integration of Spring projects, you can simply take over the current integration and move the existing fuzz targets to your repositories.
Comment From: wilkinsona
> These projects will be integrated without a maintainer and the bugs found will be public

While we don't have the resources to be directly involved with the integration, if it goes ahead we are interested in triaging any issues that are found. In particular, we would like to ensure that any potential security vulnerabilities are responsibly disclosed.
Comment From: onionpsy
> if it goes ahead we are interested in triaging any issues that are found
In the current state, it doesn't necessarily require any additional resources besides reading the findings sent by OSS-Fuzz and judging if they are critical or not. Increasing the code coverage by writing more fuzz targets will be a second step but can probably wait a bit. Same for integrating the fuzz targets in your repositories. The main goal here is mostly to have the different Spring projects integrated into OSS-Fuzz.
> we would like to ensure that any potential security vulnerabilities are responsibly disclosed.

I didn't explain it very well, sorry. The bugs will be disclosed after a 90-day deadline, which is the policy of Google. You can find more information about that here: https://google.github.io/oss-fuzz/getting-started/bug-disclosure-guidelines/#bug-disclosure-guidelines
Comment From: wilkinsona
That's reassuring. Thank you. How will project authors be notified at the start of the 90-day period?
Comment From: onionpsy
The maintainer(s) will be contacted by email. Maintainer(s) will also get access to the ClusterFuzz platform, where they will be able to see the stack trace and get all the information they need to reproduce the crash. Keep in mind that only Google accounts have access to ClusterFuzz.
Comment From: wilkinsona
As the integration proceeded without any maintainer email addresses, does that mean that we won't be notified of any security vulnerabilities? My concern is that the 90-day period will elapse without us knowing that it had begun and a potential vulnerability will be publicly disclosed without us having a chance to fix it first.
Comment From: onionpsy
If you don't want to be added as a maintainer or in the CC, I or one of my colleagues will inform you by opening a ticket for each finding we get, with all the info needed to reproduce it.