Both the JaCoCo .exec file and the XML report are very useful for
automated analysis of coverage data and IDE integration, so serve them
just like the HTML report.
Hi, I am a coredns maintainer (see https://github.com/coredns/coredns/blob/master/CODEOWNERS)
and I used to receive oss-fuzz issues through `security@coredns.io`.
Recently I tried to address some of the security issues received, but then I noticed that
I can only access the list with google login. Since security@coredns.io
is a mailing list it will not be possible to login.
So adding my email to this list.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit takes an alternative approach to #7358 where instead of
specifically ignoring leaks we use a build of OCaml that doesn't have
the leak to begin with. It looks like the leak was introduced in the
4.12 -> 4.13 update (and Wasmtime is currently using the latest of
4.13). This should also help improve reproducibility by always using the
same OCaml version on oss-fuzz runs. We're mostly interested in fuzzing
Rust code, not OCaml code, so our goal is to just get a working OCaml
reference somehow.
This uses an OCaml backend and we're getting leak messages from OCaml
which we don't have control over so suppress them for now for this
specific fuzzer.
It looks like Wasmtime's fuzzers are failing to run due to them being to
large, so this is a quick band-aid fix to reduce the size of the
binaries. It looks like Rust's `cargo fuzz` tool by default links in
dead code for code coverage purposes (ish, I'm not 100% sure on this),
so the size of fuzzers are reduced by stripping dead code. In a local
build this reduces the size of Wasmtime's output directory from 6.8G to
3.4G and should buy us some time to implement deeper fixes (such as
having one shared library that all of the fuzzers call into instead of
duplicating statically-linked Wasmtime amongst all the fuzzer binaries).
Currently oss-fuzz uses go-coredns as the project name. However,
there is no main_repo in project file, and it looks like
the OSSF's scoreboard will not be able to find the coredns project
from oss-fuzz.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* libvips: add pdfium to build
Many Rails users will shortly be switching to libvips pdfium load for
PDF rendering. pdfium is well tested and doesn't need fuzzing itself,
but we do need to fuzz the code that links libvips to pdfium.
This PR adds pdfium nightly builds to the libvips fuzzer.
* fix pdfium download
* ooop missing RUN
* fix pdfium install
* Fix PDFium link
* layout
Co-authored-by: Kleis Auke Wolthuizen <github@kleisauke.nl>
- Remove unused dependencies.
- Prefer .git URLs in git clone invocations.
- Use the --static flag of pkg-config for all invocations.
- Remove suspicious LDFLAGS environment variable.
- Disable NLS in libexif.
- Make libc++ a private dependency of libheif and libjxl.
- Build libspng with Meson.
- Ninja does not require a -j flag.
- Re-order linker flags.
This replaces the manual CMake invocations, as the project now will
build code generator tools in a first stage build to enable fuzzing
generated code too.
Gerald Combs