Copilot/dependabotmaven bump project parent #15250
Open
0ai-Cyberviser wants to merge 130 commits into google:master from
Conversation
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/d9a92d73-f23d-4da7-b01e-e2120897c92a Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…ang, fix corpus copying Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a1668967-46ee-418f-96a4-049e1c8cc7bb Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a1668967-46ee-418f-96a4-049e1c8cc7bb Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…d.sh, Dockerfile, project.yaml Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/af52d22e-2d85-45fc-8730-fb6a7a2c9beb Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Fix hancock OSS-Fuzz integration: use compile_python_fuzzer, fix build config
…anches Fix hancock OSS-Fuzz project integration
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/8bb39d09-4a6c-4678-9353-a6b31c1412b5 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Fix hancock project: deduplicate build.sh and project.yaml from overlapping merges
- Create SECURITY.md with vulnerability reporting guidelines
- Create .github/dependabot.yml for automated dependency updates (GitHub Actions, pip, npm, gomod, bundler)
- Update .github/workflows/codeql-analysis.yml from deprecated v2 to v3 CodeQL actions, add weekly scheduled scan

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/41c406a0-8905-4b19-b9bd-2e71001dc78d
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Remove email reporting option that lacked a specific address. Address code review feedback. Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/41c406a0-8905-4b19-b9bd-2e71001dc78d Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…n-alerts Set up repository security: policy, Dependabot, and CodeQL v3
Bumps the maven group with 2 updates in the /projects/apache-cxf/project-parent/fuzz-targets directory: org.apache.cxf:cxf-core and org.apache.cxf:cxf-rt-frontend-jaxrs.
Bumps the maven group with 1 update in the /projects/async-http-client/project-parent/fuzz-targets directory: org.eclipse.jetty:jetty-server.
Bumps the maven group with 1 update in the /projects/avro/project-parent/fuzz-targets directory: org.apache.avro:avro.
Bumps the maven group with 1 update in the /projects/eclipse-equinox/equinox-fuzzer directory: [org.eclipse.platform:org.eclipse.core.runtime](https://github.com/eclipse-platform/eclipse.platform).
Bumps the maven group with 1 update in the /projects/hadoop/project-parent/fuzz-targets directory: org.apache.hadoop:hadoop-common.
Bumps the maven group with 1 update in the /projects/htmlunit/htmlunit-fuzzer directory: [org.htmlunit:htmlunit](https://github.com/HtmlUnit/htmlunit).
Bumps the maven group with 3 updates in the /projects/jetty/project-parent/fuzz-targets directory: org.eclipse.jetty:jetty-server, org.eclipse.jetty:jetty-http and org.eclipse.jetty.http2:http2-server.
Bumps the maven group with 1 update in the /projects/jose4j/project-parent/fuzz-targets directory: [org.bitbucket.b_c:jose4j](https://bitbucket.org/b_c/jose4j).
Bumps the maven group with 1 update in the /projects/nimbus-jwt/nimbus-jwt-fuzzer directory: [com.nimbusds:nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt).
Bumps the maven group with 2 updates in the /projects/opencensus-java/project-parent/fuzz-targets directory: [com.google.guava:guava](https://github.com/google/guava) and [com.google.protobuf:protobuf-java](https://github.com/protocolbuffers/protobuf).
Bumps the maven group with 1 update in the /projects/pdfbox/project-parent/fuzz-targets directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /projects/struts/struts2-fuzzer/webapp directory: org.apache.logging.log4j:log4j-core.
Bumps the maven group with 1 update in the /projects/xnio-api/xnio-fuzzer directory: org.jboss.xnio:xnio-api.
Bumps the maven group with 1 update in the /projects/yamlbeans/project-parent/fuzz-targets directory: [com.esotericsoftware.yamlbeans:yamlbeans](https://github.com/EsotericSoftware/yamlbeans).

Updates `org.apache.cxf:cxf-core` from Fuzzing-SNAPSHOT to 3.5.11
Updates `org.apache.cxf:cxf-rt-frontend-jaxrs` from Fuzzing-SNAPSHOT to 2.6.11
Updates `org.eclipse.jetty:jetty-server` from 11.0.14 to 11.0.24
Updates `org.apache.avro:avro` from Fuzzing-SNAPSHOT to 1.11.4
Updates `org.eclipse.platform:org.eclipse.core.runtime` from 3.26.100 to 3.29.0
- [Commits](https://github.com/eclipse-platform/eclipse.platform/commits)
Updates `org.apache.hadoop:hadoop-common` from Fuzzing-SNAPSHOT to 3.4.0
Updates `org.htmlunit:htmlunit` from 2.7.0 to 3.9.0
- [Release notes](https://github.com/HtmlUnit/htmlunit/releases)
- [Commits](HtmlUnit/htmlunit@HtmlUnit-2.7...3.9.0)
Updates `org.eclipse.jetty:jetty-server` from Fuzzing-SNAPSHOT to 9.4.56.v20240826
Updates `org.eclipse.jetty:jetty-http` from Fuzzing-SNAPSHOT to 12.0.31
Updates `org.eclipse.jetty.http2:http2-server` from Fuzzing-SNAPSHOT to 9.4.53.v20231009
Updates `org.bitbucket.b_c:jose4j` from Fuzzing-SNAPSHOT to 0.9.6
- [Commits](https://bitbucket.org/b_c/jose4j/commits/tag/jose4j-0.9.6)
Updates `com.nimbusds:nimbus-jose-jwt` from 9.30.1 to 9.37.4
- [Changelog](https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/CHANGELOG.txt)
- [Commits](https://bitbucket.org/connect2id/nimbus-jose-jwt/branches/compare/9.37.4..9.30.1)
Updates `com.google.guava:guava` from 31.1-jre to 32.0.0-jre
- [Release notes](https://github.com/google/guava/releases)
- [Commits](https://github.com/google/guava/commits)
Updates `com.google.protobuf:protobuf-java` from 4.0.0-rc-2 to 4.27.5
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)
Updates `org.apache.logging.log4j:log4j-core` from 2.24.3 to 2.25.3
Updates `org.apache.logging.log4j:log4j-core` from 2.24.2 to 2.25.3
Updates `org.jboss.xnio:xnio-api` from 3.8.8.Final to 3.8.14.Final
Updates `com.esotericsoftware.yamlbeans:yamlbeans` from Fuzzing-SNAPSHOT to 1.17
- [Release notes](https://github.com/EsotericSoftware/yamlbeans/releases)
- [Commits](https://github.com/EsotericSoftware/yamlbeans/commits/1.17)

---
updated-dependencies:
- dependency-name: org.apache.cxf:cxf-core
  dependency-version: 3.5.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.cxf:cxf-rt-frontend-jaxrs
  dependency-version: 2.6.11
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-version: 11.0.24
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.apache.avro:avro
  dependency-version: 1.11.4
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.eclipse.platform:org.eclipse.core.runtime
  dependency-version: 3.29.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.hadoop:hadoop-common
  dependency-version: 3.4.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.htmlunit:htmlunit
  dependency-version: 3.9.0
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-version: 9.4.56.v20240826
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.0.31
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty.http2:http2-server
  dependency-version: 9.4.53.v20231009
  dependency-type: direct:development
  dependency-group: maven
- dependency-name: org.bitbucket.b_c:jose4j
  dependency-version: 0.9.6
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.nimbusds:nimbus-jose-jwt
  dependency-version: 9.37.4
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.google.guava:guava
  dependency-version: 32.0.0-jre
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.google.protobuf:protobuf-java
  dependency-version: 4.27.5
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.apache.logging.log4j:log4j-core
  dependency-version: 2.25.3
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.jboss.xnio:xnio-api
  dependency-version: 3.8.14.Final
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: com.esotericsoftware.yamlbeans:yamlbeans
  dependency-version: '1.17'
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
…ilure Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/ade44b0d-7838-4de9-a4db-ce88db9bfb71 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…pache-cxf/project-parent/fuzz-targets/maven-77120b2e27 build(deps): bump the maven group across 14 directories with 16 updates
Bumps the maven group with 1 update in the /projects/zt-zip/project-parent/fuzz-targets directory: [org.zeroturnaround:zt-zip](https://github.com/zeroturnaround/zt-zip).

Updates `org.zeroturnaround:zt-zip` from Fuzzing-SNAPSHOT to 1.13
- [Changelog](https://github.com/zeroturnaround/zt-zip/blob/master/Changelog.txt)
- [Commits](https://github.com/zeroturnaround/zt-zip/commits/zt-zip-1.13)

---
updated-dependencies:
- dependency-name: org.zeroturnaround:zt-zip
  dependency-version: '1.13'
  dependency-type: direct:production
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
…t-zip/project-parent/fuzz-targets/maven-77d0655455 build(deps): bump org.zeroturnaround:zt-zip from Fuzzing-SNAPSHOT to 1.13 in /projects/zt-zip/project-parent/fuzz-targets in the maven group across 1 directory
…updates

Bumps the npm_and_yarn group with 7 updates in the /tools/vscode-extension directory:

| Package | From | To |
| --- | --- | --- |
| [@tootallnate/once](https://github.com/TooTallNate/once) | `1.1.2` | `removed` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.13` |
| [flatted](https://github.com/WebReflection/flatted) | `3.2.7` | `3.4.2` |
| [minimatch](https://github.com/isaacs/minimatch) | `3.1.2` | `3.1.5` |
| [js-yaml](https://github.com/nodeca/js-yaml) | `3.14.1` | `3.14.2` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.17.23` |
| [picomatch](https://github.com/micromatch/picomatch) | `2.3.1` | `2.3.2` |

Bumps the npm_and_yarn group with 1 update in the /infra/cifuzz directory: [brace-expansion](https://github.com/juliangruber/brace-expansion).

Removes `@tootallnate/once`
Updates `brace-expansion` from 1.1.11 to 1.1.13
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13)
Updates `flatted` from 3.2.7 to 3.4.2
- [Commits](WebReflection/flatted@v3.2.7...v3.4.2)
Updates `minimatch` from 3.1.2 to 3.1.5
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)
Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)
Updates `lodash` from 4.17.21 to 4.17.23
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.17.23)
Updates `picomatch` from 2.3.1 to 2.3.2
- [Release notes](https://github.com/micromatch/picomatch/releases)
- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/picomatch@2.3.1...2.3.2)
Updates `brace-expansion` from 1.1.11 to 2.0.3
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.13)
Updates `minimatch` from 3.1.2 to 5.1.9
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.5)

---
updated-dependencies:
- dependency-name: "@tootallnate/once"
  dependency-version:
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 3.1.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-version: 4.17.23
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: picomatch
  dependency-version: 2.3.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 2.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-version: 5.1.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/159ce0b5-411b-4b11-967d-f7f944558db0 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…failure Add retry logic to project tests workflow for transient network failures
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/d9eaeee6-c35d-4d0c-94d7-4b57081f4451 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…ls/vscode-extension/npm_and_yarn-136114a06a build(deps): bump the npm_and_yarn group across 2 directories with 7 updates
…dates

Bumps the npm_and_yarn group with 1 update in the /infra/cifuzz directory: [@octokit/request-error](https://github.com/octokit/request-error.js).

Updates `@octokit/request-error` from 2.1.0 to 7.1.0
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](octokit/request-error.js@v2.1.0...v7.1.0)
Updates `@octokit/plugin-paginate-rest` from 2.21.3 to 14.0.0
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](octokit/plugin-paginate-rest.js@v2.21.3...v14.0.0)
Updates `@octokit/request` from 5.6.3 to 10.0.8
- [Release notes](https://github.com/octokit/request.js/releases)
- [Commits](octokit/request.js@v5.6.3...v10.0.8)
Updates `undici` from 5.29.0 to 6.24.1
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.29.0...v6.24.1)

---
updated-dependencies:
- dependency-name: "@octokit/request-error"
  dependency-version: 7.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-version: 14.0.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request"
  dependency-version: 10.0.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.24.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/05f65760-d077-4251-bcd1-79d0ac164bbf Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…nforcement Add branch protection ruleset with enforcement disabled
…fra/cifuzz/npm_and_yarn-76cca83af0 build(deps): bump the npm_and_yarn group across 1 directory with 4 updates
Update Jetty dependencies to 9.4.58.v20250814 to address CVE-2023-44487:
- http2-server: 9.4.53.v20231009 → 9.4.58.v20250814 (vulnerable → patched)
- jetty-server: 9.4.56.v20240826 → 9.4.58.v20250814 (consistency update)

CVE-2023-44487 is an HTTP/2 Rapid Reset vulnerability that allows attackers to cause denial of service by rapidly resetting large numbers of streams. The fix was introduced in Jetty 9.4.54+.

Resolves Dependabot alert google#113

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/ab3285e6-d52e-4a41-b118-b02dc25306de
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…itigation

build.sh rewrites all pom.xml dependency versions to the cloned project.version at build time, so pom.xml changes alone don't ensure the built fuzzers use a patched Jetty. Pin to jetty-9.4.x branch which:
- Includes the CVE-2023-44487 fix (>=9.4.54)
- Matches the 9.4.x APIs used by fuzz targets (javax.servlet, AbstractHandler)
- Was previously unpinned (defaulted to jetty-12.1.x, incompatible with targets)

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/053ad28b-706d-4380-afbb-0a1c8956964e
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
build.sh rewrites all Jetty dependency versions at build time via versions:use-dep-version, so the POM values are just placeholders. Make them all consistent as Fuzzing-SNAPSHOT:
- jetty-http: 12.0.31 → Fuzzing-SNAPSHOT (fixes mixed Jetty 12.x/9.4.x)
- jetty-server: 9.4.58.v20250814 → Fuzzing-SNAPSHOT (placeholder)
- http2-server: 9.4.58.v20250814 → Fuzzing-SNAPSHOT (consistent with http2-common)

The actual CVE-2023-44487 fix is the Dockerfile pin to jetty-9.4.x branch, which ensures build.sh clones and builds a patched 9.4.x release.

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a8026280-08c7-4c33-a342-b08352fb8540
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…ut in CI Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a5e2bde8-451d-434b-80cf-860645ed4790 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…e pip conflict Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/1e12132c-be27-4394-956e-44b640f70e49 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…r test-jar resolution Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/9c8431b6-7704-4bd2-9941-c6e6a2db661e Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/a6ed980d-6332-4267-a65d-a93bc7d88d2d Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…ncellation-attack Fix CVE-2023-44487: Pin Jetty build to jetty-9.4.x branch for HTTP/2 Rapid Reset mitigation
Bumps the maven group with 3 updates in the /projects/jetty/project-parent/fuzz-targets directory: org.eclipse.jetty:jetty-http, org.eclipse.jetty:jetty-server and org.eclipse.jetty.http2:http2-server.

Updates `org.eclipse.jetty:jetty-http` from Fuzzing-SNAPSHOT to 12.0.31
Updates `org.eclipse.jetty:jetty-server` from Fuzzing-SNAPSHOT to 9.4.56.v20240826
Updates `org.eclipse.jetty.http2:http2-server` from Fuzzing-SNAPSHOT to 9.4.53.v20231009

---
updated-dependencies:
- dependency-name: org.eclipse.jetty:jetty-http
  dependency-version: 12.0.31
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty:jetty-server
  dependency-version: 9.4.56.v20240826
  dependency-type: direct:production
  dependency-group: maven
- dependency-name: org.eclipse.jetty.http2:http2-server
  dependency-version: 9.4.53.v20231009
  dependency-type: direct:development
  dependency-group: maven
...

Signed-off-by: dependabot[bot] <support@github.com>
…jetty/project-parent/fuzz-targets/maven-8014a649cd build(deps): bump the maven group across 1 directory with 3 updates
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/8575e503-9b70-4c6f-ae57-9150af4f9870 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…LEMENTATION=python Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/8575e503-9b70-4c6f-ae57-9150af4f9870 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
…on-in-requirements [WIP] Fix protobuf version to resolve CI failure in Infra tests
…-errors [WIP] Fix infra test job errors related to AttributeError
…on-compatibility [WIP] Fix protobuf version compatibility for ndb tests
Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/8e682e2d-c2af-45c0-a51c-c7ba5f932ac4 Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Fix hancock build.sh: use glob pattern and single loop for robustness
…ld.sh

Dependabot incorrectly changed Fuzzing-SNAPSHOT placeholder versions to specific release versions in 6 pom.xml files. These placeholders are intentional: the build.sh scripts for each project clone the upstream source and use mvn versions:use-dep-version to rewrite the dependency versions at build time.

Affected projects: apache-cxf (3 deps), apache-tika (1 dep), async-http-client (1 dep), avro (1 dep), hadoop (1 dep), jetty (3 deps)

Agent-Logs-Url: https://github.com/0ai-Cyberviser/oss-fuzz/sessions/24ab884e-a28d-40c2-ba28-172197745c99
Co-authored-by: 0ai-Cyberviser <266508493+0ai-Cyberviser@users.noreply.github.com>
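The placeholder convention the commit above describes, as an added check written for this page (not oss-fuzz's own tooling): it parses a constructed pom.xml in the shape of a fuzz-targets POM and flags every build.sh-managed dependency whose version is no longer Fuzzing-SNAPSHOT, which is exactly the drift a Dependabot bump introduces. The set of managed groupIds is an assumption that a maintainer would take from the project's build.sh.

```python
"""Check that fuzz-target pom.xml files still carry the Fuzzing-SNAPSHOT placeholder.

Added example, not code from the oss-fuzz repository. It parses a constructed
pom.xml and reports every <dependency> whose <version> is no longer the
placeholder that build.sh is expected to rewrite with
`mvn versions:use-dep-version` at build time.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
PLACEHOLDER = "Fuzzing-SNAPSHOT"

# Constructed sample: jetty-server keeps the placeholder, jetty-http has been
# rewritten to a concrete release (the kind of change Dependabot makes), and
# log4j-core is a dependency build.sh does not manage, so a real version is fine.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>ossf.fuzz</groupId>
  <artifactId>fuzz-targets</artifactId>
  <version>1.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-server</artifactId>
      <version>Fuzzing-SNAPSHOT</version>
    </dependency>
    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-http</artifactId>
      <version>12.0.31</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.25.3</version>
    </dependency>
  </dependencies>
</project>
"""


def q(tag):
    """Qualify a POM element name with the Maven model namespace."""
    return f"{{{POM_NS}}}{tag}"


def dependency_versions(pom_text):
    """Return {(groupId, artifactId): version} for every <dependency> in the POM."""
    root = ET.fromstring(pom_text)
    found = {}
    for dep in root.iter(q("dependency")):
        group = dep.findtext(q("groupId"), default="")
        artifact = dep.findtext(q("artifactId"), default="")
        found[(group, artifact)] = dep.findtext(q("version"), default="")
    return found


def placeholder_drift(pom_text, managed_groups):
    """List (coordinate, version) for managed dependencies that lost the placeholder.

    managed_groups is an assumption: the set of groupIds that the project's
    build.sh passes to versions:use-dep-version, so only those must stay pinned
    to PLACEHOLDER in the checked-in POM.
    """
    drift = []
    for (group, artifact), version in dependency_versions(pom_text).items():
        if group in managed_groups and version != PLACEHOLDER:
            drift.append((f"{group}:{artifact}", version))
    return drift


if __name__ == "__main__":
    for coord, version in placeholder_drift(SAMPLE_POM, {"org.eclipse.jetty"}):
        print(f"{coord}: expected {PLACEHOLDER}, found {version}")
```

Run it as a pre-merge check over each `projects/*/project-parent/fuzz-targets/pom.xml` to catch a bot rewrite before it reaches master.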
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
This pull request introduces several infrastructure and dependency management improvements, as well as bug fixes and documentation updates. The main themes are dependency updates (including security-related upgrades), improvements to GitHub Actions workflows, enhanced configuration and automation, and expanded test coverage.
Dependency and Security Updates:
- `protobuf` to version 5.29.6 in `infra/build/functions/requirements.txt` and added detailed security policy and rationale in `SECURITY.md`, including compatibility notes and a workaround for Google Cloud dependencies. [1] [2]
- `requests`, `pytest`, `pytest-xdist`, `PyYAML`, and others to their latest versions for improved security and compatibility. [1] [2] [3] [4]

GitHub Actions and Workflow Improvements:
- `.github/dependabot.yml` for automated dependency updates across Python, Go, Ruby, and npm ecosystems, and introduced a branch protection ruleset in `.github/rulesets/branch-protection.json`. [1] [2]
- `codeql-analysis.yml` to use the latest v4 CodeQL actions, added a scheduled run, and cleaned up comments for clarity and maintainability. [1] [2]
- `pr_helper.yml` to only leave comments when a message exists and fixed a case sensitivity bug for merge readiness checks. [1] [2]
- `project_tests.yml` by retrying test runs up to three times to reduce flakiness.
- `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` in `infra_tests.yml` to ensure compatibility with pinned protobuf and Google Cloud dependencies.

Infrastructure and Code Quality:
- `infra/build/functions/project_sync.py` and its tests to align with current Google Cloud client libraries, improving reliability and correctness. [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]

Test Coverage:
- `infra/cifuzz/base_runner_utils_test.py` to increase coverage for environment variable handling and configuration logic in the base runner utilities.