Revamp Log4j tests #12304
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
vy is a new contributor to projects/log4j2. The PR must be approved by known contributors before it can be merged. The past contributors are: fmeum, henryrneh, aschaich, 0roman
LGTM
I also looked at the fuzz tests on the fuzzing branch in the log4j repo and they look much, much better than the basic tests I added as part of the initial integration. Great work! You may want to apply for an integration reward.
Hey @DavidKorczynski! Thanks for triggering the CI. There, out of 11, only the
@DavidKorczynski Could you review for approval?
> Renamed log4j2 project folder to apache-logging-log4j2 to comply with the naming convention followed by other ASF projects integrated with OSS-Fuzz

Could we avoid doing this please, and keep it in the same folder? Due to the backend running OSS-Fuzz we prefer to not change the name
In #12304, we used `fuzzing` branch of the `apache/logging-log4j2` repository while developing the Log4j 2 integration. This work was successful and we eventually merged the `fuzzing` branch to `2.x`<sup>1</sup> in apache/logging-log4j2#2949. Now we can point OSS-Fuzz to the permanent location of the Log4j 2 fuzz tests.

<sup>1</sup> [`2.x` is the main branch where Log4j 2 development takes place.](https://logging.apache.org/log4j/2.x/development.html#branching)
I am an Apache Logging Services (the Apache Software Foundation project responsible for Log4j, Log4cxx, Log4net, etc. subprojects) PMC member – see the team. This PR revamps the Log4j tests with the following changes:

- Replaced existing tests<sup>1</sup> with new, improved ones in the `fuzzing` branch<sup>2</sup> of the official Log4j repository. This will not only ensure that tests will be maintained as a part of the official project, also enables maintainers to introduce new tests, make changes, etc. without touching the OSS-Fuzz code base.
- Introduced JSON dictionary and seed corpus for fuzzing JSON-related Log4j components
- Rewrote `Dockerfile` to match the JDK version to the one used by the official Log4j project.
- Delegated `build.sh` to the one provided in the official Log4j distribution. This enables maintainers to introduce new tests, make changes, etc. without touching the OSS-Fuzz code base.
- Rewrote `project.yaml` such that `primary_contact` `vendor_ccs`, since found vulnerabilities should not be disclosed to individuals outside the PMC
- Renamed `log4j2` project folder to `apache-logging-log4j2` to comply with the naming convention followed by other ASF projects integrated with OSS-Fuzz

<sup>1</sup> Existing tests were not even compiling anymore due to bit rot.

<sup>2</sup> I choose using a dedicated branch to carry out the development. Once I have a ClusterFuzz account and see things moving, I will merge the `fuzzing` branch to `2.x`, the branch serving Log4j 2 releases.