Integrate Hancock with OSS-Fuzz and update dependencies#15234
Conversation
…ang, fix corpus copying
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a1668967-46ee-418f-96a4-049e1c8cc7bb
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a1668967-46ee-418f-96a4-049e1c8cc7bb
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…d.sh, Dockerfile, project.yaml
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/af52d22e-2d85-45fc-8730-fb6a7a2c9beb
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Fix hancock OSS-Fuzz integration: use compile_python_fuzzer, fix build config
…anches Fix hancock OSS-Fuzz project integration
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/8bb39d09-4a6c-4678-9353-a6b31c1412b5
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Fix hancock project: deduplicate build.sh and project.yaml from overlapping merges
- Create SECURITY.md with vulnerability reporting guidelines
- Create .github/dependabot.yml for automated dependency updates (GitHub Actions, pip, npm, gomod, bundler)
- Update .github/workflows/codeql-analysis.yml from deprecated v2 to v3 CodeQL actions, add weekly scheduled scan

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/41c406a0-8905-4b19-b9bd-2e71001dc78d
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Remove email reporting option that lacked a specific address. Address code review feedback.

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/41c406a0-8905-4b19-b9bd-2e71001dc78d
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…n-alerts Set up repository security: policy, Dependabot, and CodeQL v3
Bumps the maven group with 1 update in the /projects/hadoop/project-parent/fuzz-targets directory: org.apache.hadoop:hadoop-common.
Bumps the maven group with 1 update in the /projects/eclipse-equinox/equinox-fuzzer directory: [org.eclipse.platform:org.eclipse.core.runtime](https://github.com/eclipse-platform/eclipse.platform).
Bumps the maven group with 1 update in the /projects/avro/project-parent/fuzz-targets directory: org.apache.avro:avro.
Bumps the maven group with 2 updates in the /projects/async-http-client/project-parent/fuzz-targets directory: [org.asynchttpclient:async-http-client](https://github.com/AsyncHttpClient/async-http-client) and org.eclipse.jetty:jetty-server.
Bumps the maven group with 1 update in the /projects/apache-tika/project-parent/fuzz-targets directory: [org.apache.tika:tika-core](https://github.com/apache/tika).
Bumps the maven group with 3 updates in the /projects/apache-cxf/project-parent/fuzz-targets directory: org.apache.cxf:cxf-core, org.apache.cxf:cxf-rt-frontend-jaxrs and org.apache.cxf:cxf-rt-transports-http.

Updates `org.apache.hadoop:hadoop-common` from Fuzzing-SNAPSHOT to 3.4.0

Updates `org.eclipse.platform:org.eclipse.core.runtime` from 3.26.100 to 3.29.0
- [Commits](https://github.com/eclipse-platform/eclipse.platform/commits)

Updates `org.apache.avro:avro` from Fuzzing-SNAPSHOT to 1.11.4

Updates `org.asynchttpclient:async-http-client` from Fuzzing-SNAPSHOT to 2.0.35
- [Release notes](https://github.com/AsyncHttpClient/async-http-client/releases)
- [Commits](https://github.com/AsyncHttpClient/async-http-client/commits/async-http-client-project-2.0.35)

Updates `org.eclipse.jetty:jetty-server` from 11.0.14 to 11.0.24

Updates `org.apache.tika:tika-core` from Fuzzing-SNAPSHOT to 3.2.2
- [Changelog](https://github.com/apache/tika/blob/main/CHANGES.txt)
- [Commits](https://github.com/apache/tika/commits/3.2.2)

Updates `org.apache.cxf:cxf-core` from Fuzzing-SNAPSHOT to 3.5.11

Updates `org.apache.cxf:cxf-rt-frontend-jaxrs` from Fuzzing-SNAPSHOT to 2.6.11

Updates `org.apache.cxf:cxf-rt-transports-http` from Fuzzing-SNAPSHOT to 3.1.16

---
updated-dependencies:
- dependency-name: org.apache.hadoop:hadoop-common
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.platform:org.eclipse.core.runtime
  dependency-version: 3.29.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.avro:avro
  dependency-version: 1.11.4
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.asynchttpclient:async-http-client
  dependency-version: 2.0.35
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-version: 11.0.24
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.apache.tika:tika-core
  dependency-version: 3.2.2
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.cxf:cxf-core
  dependency-version: 3.5.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.cxf:cxf-rt-frontend-jaxrs
  dependency-version: 2.6.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.cxf:cxf-rt-transports-http
  dependency-version: 3.1.16
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
0ai-Cyberviser is a new contributor to projects/avro. The PR must be approved by known contributors before it can be merged. The past contributors are: henryrneh, martin-g
This pull request introduces several infrastructure and security improvements, as well as dependency updates for multiple projects. The most significant changes are the addition of a security policy, the introduction of automated dependency management, the upgrade of CI workflows, and the inclusion of a new fuzzing target for the Hancock project.

Security and Infrastructure Enhancements:
- New `SECURITY.md` file outlining the process for responsibly reporting vulnerabilities and clarifying the scope and response policy for security issues in the repository.
- New `.github/dependabot.yml` configuration to enable automated dependency updates for GitHub Actions, Python, npm, Go, and Ruby components across various subdirectories.

Continuous Integration Improvements:
- Updated `.github/workflows/codeql-analysis.yml` from the deprecated v2 to the v3 CodeQL actions, with a weekly scheduled scan. [1] [2]

New Fuzzing Target:
- New `Dockerfile`, `build.sh`, and `project.yaml` to integrate the Python-based Hancock project into the OSS-Fuzz infrastructure. [1] [2] [3]

Dependency Updates for Fuzzing Projects:
- Updated Maven dependencies that were set to `Fuzzing-SNAPSHOT` or outdated versions. This affects the Apache CXF, Apache Tika, Async HTTP Client, Avro, Eclipse Equinox, and Hadoop fuzz targets, improving build reproducibility and stability. [1] [2] [3] [4] [5] [6] [7]