Fuzz test #36

Merged: AmbtenaarInFunctie merged 31 commits into main from fuzz-test on Feb 18, 2026

Conversation

@AmbtenaarInFunctie (Contributor)

No description provided.

…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@AmbtenaarInFunctie AmbtenaarInFunctie marked this pull request as ready for review February 4, 2026 13:26
AmbtenaarInFunctie and others added 18 commits February 4, 2026 14:38
The build failed because the Dockerfile used base-builder:v1 (no Jazzer)
instead of base-builder-jvm:v1. The compile script's
`cp $(which jazzer_driver) ... $OUT/` expanded to nothing, causing the
"missing destination file operand" error.

Additionally, the @QuarkusTest + RestAssured fuzz tests cannot work in
CFL because jazzer_driver bypasses JUnit Platform (no Quarkus server
startup). Replace with standalone fuzzerTestOneInput targets that test
JSON deserialization of request DTOs and the HashHelper directly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

CFL's is_fuzz_target_local() detects targets by either a _fuzzer
filename suffix or the string "LLVMFuzzerTestOneInput" in the file
content. JVM wrapper scripts need the latter as a comment — this is
the standard oss-fuzz JVM convention.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The bundled JDK 21 approach failed because the runner couldn't resolve
java.home/conf/security/java.security from the relocated JDK files.

Instead: compile with -Dmaven.compiler.release=17 (the source code uses
no Java 21 features) so the runner's native JDK 17 works. Use
jazzer_driver_with_sanitizer (set up by the compile script with correct
LD_LIBRARY_PATH for the runner). Drop the JDK 21 install from the
Dockerfile — base-builder-jvm already ships JDK 17.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The logboekdataverwerking-wrapper is compiled with Java 21 (class
version 65.0), so --release 17 won't work. Restore JDK 21 install
in the Dockerfile and bundle lib/ + conf/ to $OUT/jdk/.

Changes from the previous bundling attempt:
- export LD_LIBRARY_PATH (not just inline) so jazzer_driver's dlopen
  finds our libjvm.so before the runner's JDK 17
- export JAVA_HOME in case jazzer_driver checks it
- verify java.security was copied (fail-fast with diagnostics)
- append to existing LD_LIBRARY_PATH instead of replacing it

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The java.security error was caused by only copying lib/ and conf/ and
by appending to LD_LIBRARY_PATH (which included the runner's JDK 17).
Now copies the entire JDK 21 with rsync -aL (dereferences symlinks)
and sets JAVA_HOME + LD_LIBRARY_PATH inline without inheriting runner paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The run_fuzzers step expects 'code-change' (not 'pr') and 'prune'
(not 'pruning'). Valid modes: batch, code-change, coverage, prune.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

New standalone fuzz target that tests all 11 REST endpoints with
arbitrary input. The wrapper starts Quarkus as a subprocess with an
in-memory H2 database, waits for it to accept connections, then runs
jazzer_driver against the EndpointFuzzer target.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Jazzer's built-in SSRF sanitizer flags HttpClient connections as
security issues. BugDetectors.allowNetworkConnections() tells Jazzer
these connections to localhost are intentional.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The build step needs the token to download previous coverage artifacts,
which enables smarter fuzz target selection in code-change mode.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Build with H2 as db-kind (build-time property, can't override at
runtime). Copy Quarkus augmented bytecode (generated-bytecode.jar,
transformed-bytecode.jar) to classpath so EndpointFuzzer can start
Quarkus via Quarkus.run() in the same JVM as Jazzer. This lets Jazzer
instrument all controller/service/repository code for coverage-guided
fuzzing instead of blackbox HTTP fuzzing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

The SSRF sanitizer was triggering during the Quarkus readiness poll
in the static block, before fuzzerTestOneInput had a chance to run.
Move BugDetectors.allowNetworkConnections() to the static initializer
so it covers both the readiness check and all subsequent fuzz calls.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Quarkus.run() fails inside jazzer_driver's JVM due to classloader
issues (no Quarkus threads start, causing timeout). Switch to starting
Quarkus as a separate subprocess from the wrapper script:

- Wrapper starts `java -jar quarkus-app/quarkus-run.jar` in background
- Waits for Quarkus to accept connections, then launches jazzer_driver
- Quarkus is built with H2 baked in (build-time property), no runtime override needed
- EndpointFuzzer.java simplified: just HttpClient + BugDetectors, no Quarkus bootstrap
- build.sh copies full quarkus-app directory to $OUT for the subprocess

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
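The runtime wrapper that the last few commits describe (start Quarkus in the background on the bundled JDK, wait until it accepts connections, then hand over to jazzer_driver_with_sanitizer) as an added example script, written here from the commit messages above and not the repository's own wrapper. The target name `endpoint_fuzzer`, the layout under `$OUT` (`jdk/`, `quarkus-app/quarkus-run.jar`, `endpoint_fuzzer.jar`, `jazzer_agent_deploy.jar`) and port 8080 are assumptions; the `LLVMFuzzerTestOneInput` comment at the top is the marker an earlier commit says CFL's `is_fuzz_target_local()` looks for, and the library path is built from the bundled JDK alone so the runner's JDK 17 is never picked up.

```shell
#!/bin/bash
# LLVMFuzzerTestOneInput
# The comment above is the marker ClusterFuzzLite's is_fuzz_target_local()
# searches for in wrapper scripts (the oss-fuzz JVM convention).
#
# Example wrapper for the EndpointFuzzer target (not the repository's script).
# Assumed layout under $OUT: jdk/ (JDK 21 copied with rsync -aL), quarkus-app/,
# endpoint_fuzzer.jar, jazzer_driver_with_sanitizer, jazzer_agent_deploy.jar.
set -eu

# Port the Quarkus app listens on (assumed; Quarkus' default HTTP port).
QUARKUS_PORT=${QUARKUS_PORT:-8080}

# Library path for the bundled JDK only: inheriting the runner's LD_LIBRARY_PATH
# would let jazzer_driver dlopen the runner's JDK 17 libjvm.so instead of ours.
jdk_ld_path() {
  jdk=$1
  printf '%s/lib/server:%s/lib\n' "$jdk" "$jdk"
}

# True when something accepts TCP connections on host:port
# (bash /dev/tcp, so no dependency on nc in the runner image).
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll host:port for up to $3 seconds; return 1 on timeout.
wait_for_port() {
  host=$1 port=$2 limit=$3
  elapsed=0
  while [ "$elapsed" -lt "$limit" ]; do
    if port_open "$host" "$port"; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

main() {
  out=${OUT:-$(dirname "$0")}
  jdk=$out/jdk
  export JAVA_HOME=$jdk
  export LD_LIBRARY_PATH
  LD_LIBRARY_PATH=$(jdk_ld_path "$jdk")

  # Fail fast with a diagnostic if the bundled JDK is incomplete, so the
  # java.security problem from the earlier commits surfaces here, not later.
  if [ ! -f "$jdk/conf/security/java.security" ]; then
    echo "bundled JDK at $jdk is missing conf/security/java.security" >&2
    exit 1
  fi

  # Start Quarkus as a separate process; H2 is baked in at build time,
  # so no datasource override is needed on this command line.
  "$jdk/bin/java" -jar "$out/quarkus-app/quarkus-run.jar" >"$out/quarkus.log" 2>&1 &
  quarkus_pid=$!
  trap 'kill "$quarkus_pid" 2>/dev/null || true' EXIT

  if ! wait_for_port 127.0.0.1 "$QUARKUS_PORT" 60; then
    echo "Quarkus did not accept connections within 60s; last log lines:" >&2
    tail -n 20 "$out/quarkus.log" >&2
    exit 1
  fi

  # Hand over to Jazzer; the runner's arguments (corpus dir, -runs=...,
  # -max_total_time=...) are passed through unchanged. A crash makes
  # jazzer_driver exit non-zero, set -e propagates that, and the trap
  # stops Quarkus.
  "$out/jazzer_driver_with_sanitizer" \
    --agent_path="$out/jazzer_agent_deploy.jar" \
    --cp="$out/endpoint_fuzzer.jar" \
    --target_class=EndpointFuzzer \
    "$@"
}

# Only run the wrapper when invoked as the fuzz target itself;
# the functions above stay usable on their own.
if [ "$(basename "$0")" = "endpoint_fuzzer" ]; then
  main "$@"
fi
```

The readiness poll uses a TCP connect rather than an HTTP health request because the point is only to know when the listener is up; the HTTP-level checks belong to the fuzz target, where the commits place `BugDetectors.allowNetworkConnections()` so Jazzer's SSRF sanitizer does not flag the deliberate localhost traffic.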
@ericwout-overheid linked an issue Feb 12, 2026 that may be closed by this pull request

@ericwout-overheid (Contributor) left a comment


Because Claude built this, since we couldn't figure out how it had to be configured, I also had Claude help with the review.

A few major, minor and nitpick points

@ericwout-overheid ericwout-overheid self-requested a review February 18, 2026 09:52
@AmbtenaarInFunctie AmbtenaarInFunctie merged commit d694dbb into main Feb 18, 2026
6 checks passed
@AmbtenaarInFunctie AmbtenaarInFunctie deleted the fuzz-test branch February 18, 2026 12:13


Successfully merging this pull request may close these issues.

Set up a tool for fuzz testing