Added cluster fuzz lite#21
Conversation
|
|
||
| private static void fuzzJsonObjectUtil(FuzzedDataProvider data) { | ||
| String raw = data.consumeString(8192); | ||
| final JsonObject jo; |
There was a problem hiding this comment.
Use the full name jsonObject (or anything more relevant/descriptive) here.
As Java people, we commit to having descriptive variable names :)
There was a problem hiding this comment.
You have a solid point here, as "jo" might be misleading.
I'll change it to simply jsonobject 👍🏼
axmsoftware
left a comment
There was a problem hiding this comment.
Interesting feature. Would you like to demo it?
|
Yes Miss arila, as it mentioned in the scorecard that Fuzzing is needed, |
| private static void fuzzJsonObjectUtil(FuzzedDataProvider data) { | ||
| String raw = data.consumeString(8192); | ||
| final JsonObject jo; | ||
| final JsonObject jsonobject; |
There was a problem hiding this comment.
One more request - please camelCase
I've added a small Jazzer harness under fuzz/ plus a ClusterFuzzLite layout in
.clusterfuzzlite/ (Dockerfile, build.sh, and a minimal project.yaml).The harness exercises parsing and utility paths that see untrusted data (JSON, dates, strings) without touching pom.xml, so normal Maven builds stay as they are; the Docker script pins apis-bom the same way CI does, builds the jar, pulls runtime deps, and compiles the fuzzer the way OSS-Fuzz-style JVM projects usually do. The goal is better supply-chain hygiene for OpenSSF Scorecard’s fuzzing signal and a clear path to wire this into OSS-Fuzz or PR fuzzing later, without dragging Jazzer into every developer’s default classpath and every other repo.
Note: 2nd PR for removing extra licensing.