Merge branch 'master' into make_centipede_default_engine

.github/workflows/presubmit.yml

@@ -29,6 +29,10 @@ jobs:
         uses: actions/setup-python@v3
         with:
           python-version: 3.8
+          cache: pip
+          cache-dependency-path: |
+            infra/ci/requirements.txt
+            infra/build/functions/requirements.txt
 
       - name: Install dependencies
         run: |

.github/workflows/project_tests.yml

@@ -23,6 +23,7 @@ jobs:
           - memory
           - undefined
           - coverage
+          - none
         architecture:
           - x86_64
         include:
@@ -73,6 +74,9 @@ jobs:
         uses: actions/setup-python@v3
         with:
           python-version: 3.8
+          cache: pip
+          cache-dependency-path: |
+            infra/ci/requirements.txt
 
       - name: Install dependencies
         run: |

README.md

@@ -32,7 +32,7 @@ execution environment and reporting tool.
 [ClusterFuzz]: https://github.com/google/clusterfuzz
 [ClusterFuzzLite]: https://google.github.io/clusterfuzzlite/
 
-Currently, OSS-Fuzz supports C/C++, Rust, Go, Python and Java/JVM code. Other languages
+Currently, OSS-Fuzz supports C/C++, Rust, Go, Python, Java/JVM, and JavaScript code. Other languages
 supported by [LLVM] may work too. OSS-Fuzz supports fuzzing x86_64 and i386
 builds.
 
@@ -47,21 +47,29 @@ Read our [detailed documentation] to learn how to use OSS-Fuzz.
 [detailed documentation]: https://google.github.io/oss-fuzz
 
 ## Trophies
-As of July 2022, OSS-Fuzz has found over [40,500] bugs in [650] open source
-projects.
+As of February 2023, OSS-Fuzz has helped identify and fix over [8,900] vulnerabilities and [28,000] bugs across [850] projects.
 
-[40,500]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=-status%3AWontFix%2CDuplicate%20-component%3AInfra&can=1
-[650]: https://github.com/google/oss-fuzz/tree/master/projects
+[8,900]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug-Security&can=1
+[28,000]: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=status%3AFixed%2CVerified%20Type%3DBug&can=1
+[850]: https://github.com/google/oss-fuzz/tree/master/projects
 
 ## Blog posts
 * 2016-12-01 - [Announcing OSS-Fuzz: Continuous fuzzing for open source software]
 * 2017-05-08 - [OSS-Fuzz: Five months later, and rewarding projects]
 * 2018-11-06 - [A New Chapter for OSS-Fuzz]
 * 2020-10-09 - [Fuzzing internships for Open Source Software]
 * 2020-12-07 - [Improving open source security during the Google summer internship program]
+* 2021-03-10 - [Fuzzing Java in OSS-Fuzz]
+* 2021-12-16 - [Improving OSS-Fuzz and Jazzer to catch Log4Shell]
+* 2022-09-08 - [Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically]
+* 2023-02-01 - [Taking the next step: OSS-Fuzz in 2023]
 
 [Announcing OSS-Fuzz: Continuous fuzzing for open source software]: https://opensource.googleblog.com/2016/12/announcing-oss-fuzz-continuous-fuzzing.html
 [OSS-Fuzz: Five months later, and rewarding projects]: https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html
 [A New Chapter for OSS-Fuzz]: https://security.googleblog.com/2018/11/a-new-chapter-for-oss-fuzz.html
 [Fuzzing internships for Open Source Software]: https://security.googleblog.com/2020/10/fuzzing-internships-for-open-source.html
 [Improving open source security during the Google summer internship program]: https://security.googleblog.com/2020/12/improving-open-source-security-during.html
+[Fuzzing Java in OSS-Fuzz]: https://security.googleblog.com/2021/03/fuzzing-java-in-oss-fuzz.html
+[Improving OSS-Fuzz and Jazzer to catch Log4Shell]: https://security.googleblog.com/2021/12/improving-oss-fuzz-and-jazzer-to-catch.html
+[Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically]: https://security.googleblog.com/2022/09/fuzzing-beyond-memory-corruption.html
+[Taking the next step: OSS-Fuzz in 2023]: https://security.googleblog.com/2023/02/taking-next-step-oss-fuzz-in-2023.html

docs/Gemfile.lock

@@ -1,21 +1,21 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.0.5.1)
+    activesupport (6.1.7.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.8.0)
       public_suffix (>= 2.0.2, < 5.0)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
     coffee-script-source (1.11.1)
     colorator (1.1.0)
-    commonmarker (0.23.6)
-    concurrent-ruby (1.1.10)
+    commonmarker (0.23.7)
+    concurrent-ruby (1.2.0)
     dnsruby (1.61.9)
       simpleidn (~> 0.1)
     em-websocket (0.5.3)
@@ -210,7 +210,7 @@ GEM
       jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
-    minitest (5.16.2)
+    minitest (5.17.0)
     nokogiri (1.13.10-x86_64-linux)
       racc (~> 1.4)
     octokit (4.25.1)
@@ -250,7 +250,7 @@ GEM
     unf_ext (0.0.8.2)
     unicode-display_width (1.8.0)
     webrick (1.7.0)
-    zeitwerk (2.6.0)
+    zeitwerk (2.6.6)
 
 PLATFORMS
   x86_64-linux

docs/README.md

@@ -15,5 +15,5 @@ $ bundle exec jekyll serve
 ```
 
 ## Theme documentation
-We are using the [just the docs](https://pmarsceill.github.io/just-the-docs/)
+We are using the [just the docs](https://just-the-docs.github.io/just-the-docs/)
 theme.

docs/advanced-topics/fuzz_introspector.md

@@ -0,0 +1,119 @@
+---
+layout: default
+title: Fuzz Introspector
+parent: Advanced topics
+nav_order: 2
+permalink: /advanced-topics/fuzz-introspector/
+---
+
+# Fuzz Introspector
+{: .no_toc}
+
+For projects written in C/C++, Python and Java you can generate Fuzz
+Introspector reports to help guide the development of your fuzzing suite.
+These reports help to extract details about the fuzzing setup of your
+project with the goal of making it easier to improve the fuzzing set up.
+The Fuzz Introspector reports are generated automatically and uploaded
+to the cloud like code coverage reports, and you can also generate them
+locally using the OSS-Fuzz helper script.
+
+
+- TOC
+{:toc}
+---
+
+## Fuzz Introspector overview
+
+As soon as your project is run with ClusterFuzz (<1 day), you can view the Fuzz
+Introspector report for your project.
+[Fuzz Introspector](https://github.com/ossf/fuzz-introspector) helps you
+understand your fuzzers' performance and identify any potential blockers.
+It provides individual and aggregated fuzzer reachability and coverage reports.
+You can monitor each fuzzer's static reachability potential and compare it
+against dynamic coverage and identify any potential bottlenecks.
+Fuzz Introspector can offer suggestions on increasing coverage by adding new
+fuzz targets or modify existing ones.
+Fuzz Introspector reports can be viewed from the [OSS-Fuzz
+homepage](https://oss-fuzz.com/) or through this
+[index](http://oss-fuzz-introspector.storage.googleapis.com/index.html).
+
+- [Fuzz Introspector documentation](https://fuzz-introspector.readthedocs.io/en/latest/)
+- [Fuzz Introspector source code](https://github.com/ossf/fuzz-introspector)
+- [OSS-Fuzz Fuzz Introspector reports](http://oss-fuzz-introspector.storage.googleapis.com/index.html)
+
+
+## Tutorials and guides
+
+The reports generated can be a lot to digest when first viewing them. The 
+[Fuzz Introspector documentation](https://fuzz-introspector.readthedocs.io/en/latest/)
+provides various user guides and tutorials rooted in OSS-Fuzz projects, which is
+a useful reference on how to make use of the reports.
+
+For ideas on how to use Fuzz Introspector, see [user guides](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/index.html) which includes sections e.g.
+- [Quickly extract overview of a given project](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/quick-overview.html)
+- [Get ideas for new fuzz targets](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/get-ideas-for-new-targets.html)
+- [Comparing introspector reports](https://fuzz-introspector.readthedocs.io/en/latest/user-guides/comparing-introspector-reports.html)
+
+## Run Fuzz Introspector locally
+
+To generate a Fuzz Introspector report locally use `infra/helper.py` and the
+`introspector` command. Fuzz Introspector relies on code coverage to
+analyze a given project, and this means we need to extract code coverage in the
+Fuzz Introspector process. We can do this in two ways. First, by running the fuzzers
+for a given amount of time, and, second, by generating code coverage using the public
+corpus available from OSS-Fuzz.
+
+
+### Generate reports by running fuzzers for X seconds
+
+The following command will generate a Fuzz Introspector report for the `libdwarf` project
+and will extract code coverage based on a corpus created from running the fuzzers for 30
+seconds.
+
+```bash
+$ python3 infra/helper.py introspector libdwarf --seconds=30
+```
+
+If the above command was succesful, you should see output along the lines of:
+
+```bash
+INFO:root:To browse the report, run: python3 -m http.server 8008 --directory /home/my_user/oss-fuzz/build/out/libdwarf/introspector-report/inspector and navigate to localhost:8008/fuzz_report.html in your browser
+```
+The above output gives you directions on how to start a simple webserver using
+`python3 -m http.server`, which you can use to view the Fuzz Introspector report.
+
+### Generate reports by using public corpora
+
+The following command will generate a Fuzz Introspector report for the `libdwarf` project
+and will extract code coverage based on a corpus created from running the fuzzers for 30
+seconds.
+
+```bash
+$ python3 infra/helper.py introspector libdwarf --public-corpora
+```
+
+Assuming the above command is succesful you can view the report using `python3 -m http.server`
+following the example described above.
+
+
+## Differences in build tooling
+
+There are some differences in build environment for Fuzz Introspector builds
+in comparison to e.g. ASAN or code coverage builds. The reason is that
+Fuzz Introspector relies on certain compile-time tools to do its analysis.
+This compile time tooling differs between languages, namely:
+- For C/C++, Fuzz Introspector relies on [LLVM LTO](https://llvm.org/docs/LinkTimeOptimization.html) and [LLVM Gold](https://llvm.org/docs/GoldPlugin.html)
+- For Python, Fuzz Introspector relies on a modified [PyCG](https://github.com/vitsalis/PyCG)
+- For Java, Fuzz Introspector relies on [Soot](https://soot-oss.github.io/soot/)
+
+The consequence of this is your project must be compatible with these projects.
+PyCG and Soot have not shown to be a blocker for many projects, however, experience
+has shown that sometimes a project's build needs modification in order to compile
+with LLVM LTO. The easiest way to test if your project works with LLVM is checking
+whether your project can compile with the flags `-flto -fuse-ld=gold` and using
+the gold linker. OSS-Fuzz automatically sets these flags and linker options when
+using `infra/helper.py` to build your project with `--sanitizer=introspector`, e.g.
+
+```bash
+python3 infra/helper.py build_fuzzers --sanitizer=introspector PROJ_NAME
+```

docs/getting-started/integration_rewards.md

@@ -8,24 +8,8 @@ permalink: /getting-started/integration-rewards/
 
 # Integration rewards
 
-We encourage you to apply for integration rewards (up to **$20,000**) once your project
-is successfully integrated with OSS-Fuzz. Please see the details in our blog post
-[here](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html).
+We encourage you to apply for integration rewards (up to **$30,000**) once your project
+is successfully integrated with OSS-Fuzz. Please see the full details
+[here](https://bughunters.google.com/about/rules/5097259337383936/oss-fuzz-reward-program-rules).
 
-Rewards are based on the quality of integration with OSS-Fuzz, which is evaluated using
-the following criteria:
-* Upstream integration of the fuzz targets and build support.
-* Performance of the fuzz targets and code coverage achieved with fuzzing.
-* Regression testing in the upstream repository using fuzz targets and OSS-Fuzz corpora.
-  Enabling [CIFuzz](https://google.github.io/oss-fuzz/getting-started/continuous-integration/)
-  is the easiest way to address this.
-* Discretion bonus to recognize outstanding work.
-
-For each of the points above, the OSS-Fuzz rewards panel first sets up a cap of up to $5,000.
-Then, the panel decides the actual reward amount (ranging from $0 up to the cap) for each
-criteria, depending on how well the criteria is satisfied.
-
-The highest cap values ($5,000) are awarded only to projects of a critical importance for the
-global infrastructure and/or widely used products, devices, or services.
-
-To submit your application for a reward, please fill out [this form](https://docs.google.com/forms/d/e/1FAIpQLSd5TlIXAiWRmbsHtPDR-8aDYKAZVgkJ5tcn6Dh-ym79r4iUxA/viewform) after reading the [blog post](https://opensource.googleblog.com/2017/05/oss-fuzz-five-months-later-and.html).
+To submit your application for a reward, please fill out [this form](https://goo.gle/oss-fuzz-submission).