Integration of checker-framework into OSS-Fuzz

[onionpsy]

Hi all,

we have prepared the initial integration CodeIntelligenceTesting/oss-fuzz@b005b8a of checker-framework into Google OSS-Fuzz which will provide more security for your project.

Why do you need Fuzzing?
The Code Intelligence JVM fuzzer Jazzer has already found hundreds of bugs in open source projects including for example OpenJDK, Protobuf or jsoup. Fuzzing proved to be very effective having no false positives. It provides a crashing input which helps you to reproduce and debug any finding easily. The integration of your project into the OSS-Fuzz platform will enable continuous fuzzing of your project by Jazzer.

What do you need to do?
The integration requires the maintainer or one established project commiter to deal with the bug reports.

You need to create or provide one email address that is associated with a google account as per here. When a bug is found, you will receive an email that will provide you with access to ClusterFuzz, crash reports, code coverage reports and fuzzer statistics. More than 1 person can be included.

How Code Intelligence can support?
We will continue to add more fuzz targets to improve code coverage over time. Furthermore, we are permanently enhancing fuzzing technologies by developing new fuzzers and more bug detectors.

Please let me know if you have any questions regarding fuzzing or the OSS-Fuzz integration.

[mernst]

@onionpsy Thanks for this offer.

The instructions are not completely clear as to what you want me to do.

You need to create or provide one email address that is associated with a google account as per here.

The link is to
https://google.github.io/oss-fuzz/getting-started/accepting-new-projects/
which says "Create a pull request", but it does not say what repository to create a pull request against.
Furthermore, it has additional steps beyond that; are they required?

Perhaps I need to merely make a pull request against CodeIntelligenceTesting/oss-fuzz to add my email address to projects/checker-framework/Dockerfile, but that file doesn't yet appear in the repository, and I'm not sure how to create a pull request from CodeIntelligenceTesting/oss-fuzz@b005b8a . Also, I'm not clear whether my email address should be primary_contact or auto_css or something else.

Finally it would be nice for your message to clarify that no commits need to be made to my own project. That is important information that makes me more likely to want to try out the service.

(These suggestions may help you improve the introductory messages you send in the future.)

[onionpsy]

Thank you for the quick answer.

I'll take care of the integration so there's no need to do PR on your side. You can just give me your email address and I will add it as a maintainer.

For the fuzz tests, there is indeed for the moment no obligation to integrate them into your repository even if it is the ideal objective in the long term. They will currently be hosted on the OSS-Fuzz repo. You can read more about that here

Also thank you for the suggestions about the introductory message, I take note it.

[mernst]

@onionpsy My Google ID is michael DOT ernst.

Thanks.

[onionpsy]

Just to be sure: @gmail.com ?

[mernst]

Yes, that is correct.

[onionpsy]

Thank you!
The project has been onboarded, you will receive emails with findings if some are found. I close the issue, feel free to contact me if you have any question.