Skip to content

Added cluster fuzz lite#21

Open
FlawzyByte wants to merge 3 commits into
hyphae:mainfrom
FlawzyByte:added-ClusterFuzzLite
Open

Added cluster fuzz lite#21
FlawzyByte wants to merge 3 commits into
hyphae:mainfrom
FlawzyByte:added-ClusterFuzzLite

Conversation

@FlawzyByte

Copy link
Copy Markdown
Member

I've added a small Jazzer harness under fuzz/ plus a ClusterFuzzLite layout in .clusterfuzzlite/ (Dockerfile, build.sh, and a minimal project.yaml).
The harness exercises parsing and utility paths that see untrusted data (JSON, dates, strings) without touching pom.xml, so normal Maven builds stay as they are; the Docker script pins apis-bom the same way CI does, builds the jar, pulls runtime deps, and compiles the fuzzer the way OSS-Fuzz-style JVM projects usually do. The goal is better supply-chain hygiene for OpenSSF Scorecard’s fuzzing signal and a clear path to wire this into OSS-Fuzz or PR fuzzing later, without dragging Jazzer into every developer’s default classpath and every other repo.
Note: 2nd PR for removing extra licensing.

@FlawzyByte FlawzyByte requested a review from axmsoftware May 3, 2026 22:44
@FlawzyByte FlawzyByte self-assigned this May 3, 2026
@FlawzyByte FlawzyByte added documentation Improvements or additions to documentation enhancement New feature or request labels May 3, 2026
Comment thread fuzz/ApisCommonFuzzer.java Outdated

private static void fuzzJsonObjectUtil(FuzzedDataProvider data) {
String raw = data.consumeString(8192);
final JsonObject jo;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use the full name jsonObject (or anything more relevant/descriptive) here.
As Java people, we commit to having descriptive variable names :)

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You have a solid point here, as "jo" might be misleading.
I'll change it to simply jsonobject 👍🏼

@axmsoftware axmsoftware left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting feature. Would you like to demo it?

@FlawzyByte

Copy link
Copy Markdown
Member Author

Yes Miss arila, as it mentioned in the scorecard that Fuzzing is needed,
So basically fuzzing is a way to find bugs by inputting to the program/app lots of strange or random inputs to see what breaks.
Think of it like throwing weird combinations of letters, numbers, or files (often auto, multiple times) and watching for crashes, errors, or odd behavior.
When the program misbehaves, that gives us a clue where the code is fragile or insecure so we can patch it faster.
Compared to heavier platforms(OSSFuzz, ClusterFuzz, AFL++), ClusterFuzzLite is simpler to set up and CI-friendly on modest hardware.

private static void fuzzJsonObjectUtil(FuzzedDataProvider data) {
String raw = data.consumeString(8192);
final JsonObject jo;
final JsonObject jsonobject;

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more request - please camelCase

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants