google · 0ai-Cyberviser · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,49 @@
+version: 2
+updates:
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+
+  # Python - infra CI
+  - package-ecosystem: "pip"
+    directory: "/infra/ci"
+    schedule:
+      interval: "weekly"
+
+  # Python - infra build functions
+  - package-ecosystem: "pip"
+    directory: "/infra/build/functions"
+    schedule:
+      interval: "weekly"
+
+  # Python - cifuzz
+  - package-ecosystem: "pip"
+    directory: "/infra/cifuzz"
+    schedule:
+      interval: "weekly"
+
+  # npm - cifuzz
+  - package-ecosystem: "npm"
+    directory: "/infra/cifuzz"
+    schedule:
+      interval: "weekly"
+
+  # Go - jcc
+  - package-ecosystem: "gomod"
+    directory: "/infra/base-images/base-builder/jcc"
+    schedule:
+      interval: "weekly"
+
+  # Go - gocoverage
+  - package-ecosystem: "gomod"
+    directory: "/infra/base-images/base-runner/gocoverage"
+    schedule:
+      interval: "weekly"
+
+  # Ruby - docs
+  - package-ecosystem: "bundler"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -5,9 +5,10 @@ on:
     branches: [ master ]
     paths: [infra/**, .github/**]
   pull_request:
-    # The branches below must be a subset of the branches above
     branches: [ master ]
     paths: [infra/**, .github/**]
+  schedule:
+    - cron: '25 14 * * 3'
 
 jobs:
   analyze:
@@ -27,29 +28,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: python
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
+      uses: github/codeql-action/autobuild@v3
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,33 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this repository, please report it
+responsibly. **Do not open a public issue.**
+
+Please report vulnerabilities through
+[GitHub Security Advisories](https://github.com/0ai-Cyberviser/oss-fuzz/security/advisories).
+Click **"New draft security advisory"** and include as much detail as possible:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact
+- Suggested fix (if any)
+
+## Scope
+
+This policy applies to the infrastructure code in this repository (the `infra/`
+directory, GitHub Actions workflows, and supporting tooling). Individual fuzzing
+project configurations under `projects/` are maintained by their respective
+upstream project owners.
+
+## Response
+
+We will acknowledge receipt of your report within **72 hours** and aim to
+provide an initial assessment within **7 business days**. We will work with you
+to understand and address the issue before any public disclosure.
+
+## Supported Versions
+
+Only the latest version of the code on the default branch is actively
+maintained and receives security updates.
diff --git a/projects/apache-cxf/project-parent/fuzz-targets/pom.xml b/projects/apache-cxf/project-parent/fuzz-targets/pom.xml
@@ -33,19 +33,19 @@
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-core</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>3.5.11</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-frontend-jaxrs</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>2.6.11</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-transports-http</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>3.1.16</version>
         </dependency>
 
         <dependency>

diff --git a/projects/apache-tika/project-parent/fuzz-targets/pom.xml b/projects/apache-tika/project-parent/fuzz-targets/pom.xml
@@ -25,7 +25,7 @@
         <dependency>
             <groupId>org.apache.tika</groupId>
             <artifactId>tika-core</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>3.2.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.tika</groupId>

diff --git a/projects/async-http-client/project-parent/fuzz-targets/pom.xml b/projects/async-http-client/project-parent/fuzz-targets/pom.xml
@@ -33,7 +33,7 @@
         <dependency>
             <groupId>org.asynchttpclient</groupId>
             <artifactId>async-http-client</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>2.0.35</version>
         </dependency>
 
         <dependency>
@@ -46,7 +46,7 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-server</artifactId>
-            <version>11.0.14</version>
+            <version>11.0.24</version>
             <scope>test</scope>
         </dependency>
 

diff --git a/projects/avro/project-parent/fuzz-targets/pom.xml b/projects/avro/project-parent/fuzz-targets/pom.xml
@@ -33,7 +33,7 @@
         <dependency>
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>1.11.4</version>
             <scope>test</scope>
         </dependency>
 

diff --git a/projects/eclipse-equinox/equinox-fuzzer/pom.xml b/projects/eclipse-equinox/equinox-fuzzer/pom.xml
@@ -41,7 +41,7 @@
 		<dependency>
 			<groupId>org.eclipse.platform</groupId>
 			<artifactId>org.eclipse.core.runtime</artifactId>
-			<version>3.26.100</version>
+			<version>3.29.0</version>
 		</dependency>
 	</dependencies>
 

diff --git a/projects/hadoop/project-parent/fuzz-targets/pom.xml b/projects/hadoop/project-parent/fuzz-targets/pom.xml
@@ -33,7 +33,7 @@
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-common</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>3.4.0</version>
         </dependency>
 
     </dependencies>

diff --git a/projects/hancock/Dockerfile b/projects/hancock/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN apt-get update && apt-get install -y python3-dev
+RUN git clone --depth 1 https://github.com/0ai-Cyberviser/Hancock.git $SRC/hancock
+WORKDIR $SRC/hancock
+COPY build.sh $SRC/
diff --git a/projects/hancock/build.sh b/projects/hancock/build.sh
@@ -0,0 +1,30 @@
+#!/bin/bash -eu
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Install project dependencies
+pip3 install -r "$SRC/hancock/requirements.txt"
+
+# Compile each Atheris fuzz target using the OSS-Fuzz Python helper
+for fuzzer in $(find $SRC/hancock/fuzz -name 'fuzz_*.py'); do
+  compile_python_fuzzer "$fuzzer"
+done
+
+# Copy seed corpora.
+for corpus_dir in $SRC/hancock/fuzz/corpus/*/; do
+  name=$(basename "$corpus_dir")
+  zip -j "$OUT/fuzz_${name}_seed_corpus.zip" "$corpus_dir"/* 2>/dev/null || true
+done
diff --git a/projects/hancock/project.yaml b/projects/hancock/project.yaml
@@ -0,0 +1,11 @@
+homepage: "https://github.com/0ai-Cyberviser/Hancock"
+language: python
+primary_contact: "cyberviser@proton.me"
+auto_ccs:
+  - "security@cyberviser.ai"
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
+  - undefined
+main_repo: "https://github.com/0ai-Cyberviser/Hancock"
diff --git a/projects/htmlunit/htmlunit-fuzzer/pom.xml b/projects/htmlunit/htmlunit-fuzzer/pom.xml
@@ -11,7 +11,7 @@
 		<maven.compiler.source>15</maven.compiler.source>
 		<maven.compiler.target>15</maven.compiler.target>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<fuzzedLibaryVersion>2.7.0</fuzzedLibaryVersion>
+		<fuzzedLibaryVersion>3.9.0</fuzzedLibaryVersion>
 		<exec.mainClass>HtmlPageFuzzer</exec.mainClass>
 	</properties>
 	<dependencies>

diff --git a/projects/jetty/project-parent/fuzz-targets/pom.xml b/projects/jetty/project-parent/fuzz-targets/pom.xml
@@ -33,13 +33,13 @@
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-http</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>12.0.31</version>
         </dependency>
 
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-server</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>9.4.56.v20240826</version>
         </dependency>
 
         <dependency>
@@ -86,7 +86,7 @@
         <dependency>
             <groupId>org.eclipse.jetty.http2</groupId>
             <artifactId>http2-server</artifactId>
-            <version>Fuzzing-SNAPSHOT</version>
+            <version>9.4.53.v20231009</version>
             <scope>test</scope>
         </dependency>