Skip to content

[COMPRESS-720] Integrate OSS-Fuzz fuzzers and enable CIFuzz#762

Draft
vishalcoc44 wants to merge 4 commits intoapache:masterfrom
vishalcoc44:COMPRESS-720-fuzzing
Draft

[COMPRESS-720] Integrate OSS-Fuzz fuzzers and enable CIFuzz#762
vishalcoc44 wants to merge 4 commits intoapache:masterfrom
vishalcoc44:COMPRESS-720-fuzzing

Conversation

@vishalcoc44
Copy link

@vishalcoc44 vishalcoc44 commented Mar 8, 2026

JIRA Ticket: COMPRESS-720
Currently, our fuzz testing lives externally in the google/oss-fuzz repository. While effective, this creates a gap between development and security testing. and also the fact that google is increasingly wanting their fuzzers to live in the upstream repositories.

This integration ensures that:
Fuzzers evolve with the code: No more "bit-rot" when internal APIs change.

Instant Feedback: The new CIFuzz workflow automatically stress-tests every Pull Request before it's merged.

Developer Empowerment: Any contributor can now run these security tests locally with a single Maven command.

Maven Integration: * Added jazzer-junit as a test-scoped dependency.

Introduced a fuzz Maven profile. This keeps the fuzzers tucked away during standard mvn test runs but makes them easy to trigger via mvn test -Pfuzz.

17 Fuzzer Targets: * We’ve integrated coverage for all major formats: Zip, Tar, 7z, Ar, Arj, Cpio, Dump, and several compressors (BZip2, Gzip, LZ4, Snappy, Z, etc.).

Automated Workflow: * Added .github/workflows/cifuzz.yml to tap into Google's cifuzz actions for continuous security monitoring. (this workflow will run a mini cifuzz test everytime someone changes something in the repo.

@vishalcoc44
Copy link
Author

vishalcoc44 commented Mar 10, 2026

@garydgregory could you check this out.

raboof
raboof reviewed Mar 10, 2026
View reviewed changes
pom.xml Outdated
Comment on lines 222 to 228
<dependency>
<groupId>com.code-intelligence</groupId>
<artifactId>jazzer-junit</artifactId>
<version>0.24.0</version>
<scope>test</scope>
</dependency>
</dependencies>
Copy link
Member

@raboof raboof Mar 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find this dependency, which is not trivial to build and includes native code, difficult to trust.

Copy link
Author

@vishalcoc44 vishalcoc44 Mar 10, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@raboof can you take a look at the new changes, i've removed jazzer-junit entirely. The fuzzer targets are now vanilla Java classes with no external requirements.

@garydgregory garydgregory marked this pull request as draft March 10, 2026 16:39
@garydgregory
Copy link
Member

garydgregory commented Mar 10, 2026
edited
Loading

Hi @raboof
I've set this PR to draft based on your concerns. Also, this is an old version of the dependency. Why is the dependency used at all? I don't see imports that use code from that namespace.

@vishalcoc44
Copy link
Author

vishalcoc44 commented Mar 10, 2026

Hi @raboof I've set this PR to draft based on your concerns. Also, this is an old version of the dependency. Why is the dependency used at all? I don't see imports that use code from that namespace.

I've removed the dependency completely now.

garydgregory
garydgregory requested changes Mar 10, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raboof raboof raboof left review comments

@garydgregory garydgregory garydgregory requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vishalcoc44 @garydgregory @raboof