Add hancock to OSS-Fuzz

.github/workflows/pr_helper.yml

@@ -45,16 +45,21 @@ jobs:
         run: python infra/pr_helper.py
 
       - name: Leave comments
-        if: env.IS_INTERNAL == 'FALSE'
+        if: env.IS_INTERNAL == 'False'
         uses: actions/github-script@v8
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
+            const body = process.env.MESSAGE;
+            if (!body || !body.trim()) {
+              console.log('No message to post, skipping comment.');
+              return;
+            }
             github.rest.issues.createComment({
               issue_number: context.issue.number,
               owner: context.repo.owner,
               repo: context.repo.repo,
-              body: process.env.MESSAGE
+              body: body
             })
 
       - name: Add labels for valid PR

SECURITY.md

@@ -0,0 +1,69 @@
+# Security Policy
+
+## Overview
+
+OSS-Fuzz is a continuous fuzzing service for open source software. Security is
+central to the project's mission—we help find and fix vulnerabilities in open
+source projects. We take the security of this infrastructure seriously.
+
+## Supported Versions
+
+This repository tracks the latest development of the OSS-Fuzz platform. We
+support only the latest version on the `main` branch. There are no separately
+maintained release branches.
+
+| Branch   | Supported          |
+| -------- | ------------------ |
+| `main`   | :white_check_mark: |
+| Others   | :x:                |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in the OSS-Fuzz infrastructure (build
+scripts, CI configuration, container definitions, or supporting code in this
+repository), please report it responsibly.
+
+### How to Report
+
+1. **Do not open a public issue.** Security vulnerabilities should be reported
+   privately so that they can be addressed before public disclosure.
+2. **Use GitHub Private Vulnerability Reporting.** Navigate to the
+   [Security Advisories](../../security/advisories)
+   page and click **"Report a vulnerability"** to submit a private report.
+3. **Alternatively, contact via email.** You may email
+   [oss-fuzz-team@google.com](mailto:oss-fuzz-team@google.com) with details of
+   the vulnerability.
+
+### What to Include
+
+- A description of the vulnerability and its potential impact.
+- Steps to reproduce the issue, or a proof-of-concept if available.
+- The affected files or components (e.g., project build scripts, infrastructure
+  code, CI workflows).
+- Any suggested mitigations or fixes.
+
+### What to Expect
+
+- **Acknowledgment:** We aim to acknowledge receipt of your report within
+  **3 business days**.
+- **Assessment:** We will evaluate the report and provide an initial assessment
+  within **10 business days**.
+- **Resolution:** Confirmed vulnerabilities will be addressed as quickly as
+  possible. We will coordinate with you on an appropriate disclosure timeline.
+- **Credit:** We appreciate responsible disclosure and are happy to credit
+  reporters in any related advisory, unless you prefer to remain anonymous.
+
+## Scope
+
+This policy covers vulnerabilities in the OSS-Fuzz infrastructure itself,
+including:
+
+- Build and CI configuration files
+- Docker container definitions
+- Python infrastructure code (`infra/`)
+- Project integration scripts (`projects/`)
+
+For vulnerabilities found **in fuzzed open source projects** (i.e., bugs
+discovered by OSS-Fuzz), please refer to the
+[OSS-Fuzz documentation](https://google.github.io/oss-fuzz/) on disclosure
+policies and report them to the respective upstream project maintainers.

docs/Gemfile.lock

@@ -1,33 +1,47 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.0.7.2)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+    activesupport (7.2.3.1)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
-      minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.8.0)
-      public_suffix (>= 2.0.2, < 5.0)
+      logger (>= 1.4.2)
+      minitest (>= 5.1, < 6)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    bigdecimal (4.1.1)
     coffee-script (2.4.1)
       coffee-script-source
       execjs
     coffee-script-source (1.11.1)
     colorator (1.1.0)
     commonmarker (0.23.10)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
     dnsruby (1.61.9)
       simpleidn (~> 0.1)
+    drb (2.2.3)
     em-websocket (0.5.3)
       eventmachine (>= 0.12.9)
       http_parser.rb (~> 0)
     ethon (0.15.0)
       ffi (>= 1.15.0)
     eventmachine (1.2.7)
     execjs (2.8.1)
-    faraday (2.4.0)
-      faraday-net_http (~> 2.0)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (2.1.0)
+    faraday (2.14.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
     ffi (1.15.5)
     forwardable-extended (2.6.0)
     gemoji (3.0.1)
@@ -86,7 +100,7 @@ GEM
       activesupport (>= 2)
       nokogiri (>= 1.4)
     http_parser.rb (0.8.0)
-    i18n (1.14.1)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     jekyll (3.9.3)
       addressable (~> 2.4)
@@ -196,6 +210,7 @@ GEM
       gemoji (~> 3.0)
       html-pipeline (~> 2.2)
       jekyll (>= 3.0, < 5.0)
+    json (2.19.3)
     kramdown (2.3.2)
       rexml
     kramdown-parser-gfm (1.1.0)
@@ -204,13 +219,16 @@ GEM
     listen (3.7.1)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
+    logger (1.7.0)
     mercenary (0.3.6)
     minima (2.5.1)
       jekyll (>= 3.5, < 5.0)
       jekyll-feed (~> 0.9)
       jekyll-seo-tag (~> 2.1)
-    minitest (5.19.0)
-    nokogiri (1.18.9-x86_64-linux-gnu)
+    minitest (5.27.0)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    nokogiri (1.19.1-x86_64-linux-gnu)
       racc (~> 1.4)
     octokit (4.25.1)
       faraday (>= 1, < 3)
@@ -224,7 +242,6 @@ GEM
       ffi (~> 1.0)
     rexml (3.4.2)
     rouge (3.26.0)
-    ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
     safe_yaml (1.0.5)
     sass (3.7.4)
@@ -235,6 +252,7 @@ GEM
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
+    securerandom (0.4.1)
     simpleidn (0.2.1)
       unf (~> 0.1.4)
     terminal-table (1.8.0)
@@ -247,6 +265,7 @@ GEM
       unf_ext
     unf_ext (0.0.8.2)
     unicode-display_width (1.8.0)
+    uri (1.1.1)
     webrick (1.8.2)
 
 PLATFORMS

infra/base-images/base-runner-debug/Dockerfile

@@ -17,9 +17,5 @@
 FROM gcr.io/oss-fuzz-base/base-runner
 RUN apt-get update && apt-get install -y valgrind zip
 
-# Installing GDB 12, re https://github.com/google/oss-fuzz/issues/7513.
-RUN apt-get install -y build-essential libgmp-dev && \
-    wget https://ftp.gnu.org/gnu/gdb/gdb-12.1.tar.xz && \
-    tar -xf gdb-12.1.tar.xz && cd gdb-12.1 && ./configure &&  \
-    make -j $(expr $(nproc) / 2) && make install && cd .. && \
-    rm -rf gdb-12.1* && apt-get remove --purge -y build-essential libgmp-dev
+# Installing GDB, re https://github.com/google/oss-fuzz/issues/7513.
+RUN apt-get install -y gdb

infra/base-images/base-runner/Dockerfile

@@ -57,18 +57,50 @@ COPY install_deps.sh /
 RUN /install_deps.sh && rm /install_deps.sh
 
 ENV CODE_COVERAGE_SRC=/opt/code_coverage
+ARG CODE_COVERAGE_REV=edba4873b5e8a390e977a64c522db2df18a8b27d
 # Pin coverage to the same as in the base builder:
 # https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/install_python.sh#L22
-RUN git clone https://chromium.googlesource.com/chromium/src/tools/code_coverage $CODE_COVERAGE_SRC && \
-    cd /opt/code_coverage && \
-    git checkout edba4873b5e8a390e977a64c522db2df18a8b27d && \
-    pip3 install wheel && \
-    # If version "Jinja2==2.10" is in requirements.txt, bump it to a patch version that
-    # supports upgrading its MarkupSafe dependency to a Python 3.11 compatible release:
-    sed -i 's/Jinja2==2.10/Jinja2==2.10.3/' requirements.txt && \
-    pip3 install -r requirements.txt && \
-    pip3 install MarkupSafe==2.0.1 && \
-    pip3 install coverage==6.3.2
+# Retry clone and fetch up to 5 times each to handle transient HTTP errors
+# (429 rate-limit, 403 access denied) from chromium.googlesource.com.
+# If all attempts fail, skip code_coverage setup so non-coverage builds can proceed.
+RUN set -eux; \
+    clone_ok=false; \
+    for i in 1 2 3 4 5; do \
+      rm -rf "$CODE_COVERAGE_SRC"; \
+      if git clone --filter=blob:none --no-checkout \
+           https://chromium.googlesource.com/chromium/src/tools/code_coverage \
+           "$CODE_COVERAGE_SRC"; then \
+        clone_ok=true; \
+        break; \
+      fi; \
+      echo "Clone attempt $i failed"; \
+      if [ "$i" -lt 5 ]; then echo "retrying in $((i * 15))s..."; sleep $((i * 15)); fi; \
+    done; \
+    if [ "$clone_ok" = "true" ]; then \
+      cd "$CODE_COVERAGE_SRC"; \
+      fetch_ok=false; \
+      for i in 1 2 3 4 5; do \
+        if git fetch --depth=1 origin "$CODE_COVERAGE_REV"; then \
+          fetch_ok=true; \
+          break; \
+        fi; \
+        echo "Fetch attempt $i failed"; \
+        if [ "$i" -lt 5 ]; then echo "retrying in $((i * 15))s..."; sleep $((i * 15)); fi; \
+      done; \
+      if [ "$fetch_ok" = "true" ]; then \
+        git checkout "$CODE_COVERAGE_REV" && \
+        pip3 install wheel && \
+        sed -i 's/Jinja2==2.10/Jinja2==2.10.3/' requirements.txt && \
+        pip3 install -r requirements.txt && \
+        pip3 install MarkupSafe==2.0.1 && \
+        pip3 install coverage==6.3.2; \
+      else \
+        echo "WARNING: All fetch attempts failed. Skipping code_coverage setup."; \
+        rm -rf "$CODE_COVERAGE_SRC"; \
+      fi; \
+    else \
+      echo "WARNING: All clone attempts failed. Skipping code_coverage setup."; \
+    fi
 
 # Default environment options for various sanitizers.
 # Note that these match the settings used in ClusterFuzz and

infra/base-images/base-runner/ubuntu-20-04.Dockerfile

@@ -57,18 +57,50 @@ COPY install_deps_ubuntu_20_04.sh /
 RUN /install_deps_ubuntu_20_04.sh && rm /install_deps_ubuntu_20_04.sh
 
 ENV CODE_COVERAGE_SRC=/opt/code_coverage
+ARG CODE_COVERAGE_REV=edba4873b5e8a390e977a64c522db2df18a8b27d
 # Pin coverage to the same as in the base builder:
 # https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/install_python.sh#L22
-RUN git clone https://chromium.googlesource.com/chromium/src/tools/code_coverage $CODE_COVERAGE_SRC && \
-    cd /opt/code_coverage && \
-    git checkout edba4873b5e8a390e977a64c522db2df18a8b27d && \
-    pip3 install wheel && \
-    # If version "Jinja2==2.10" is in requirements.txt, bump it to a patch version that
-    # supports upgrading its MarkupSafe dependency to a Python 3.11 compatible release:
-    sed -i 's/Jinja2==2.10/Jinja2==2.10.3/' requirements.txt && \
-    pip3 install -r requirements.txt && \
-    pip3 install MarkupSafe==2.0.1 && \
-    pip3 install coverage==6.3.2
+# Retry clone and fetch up to 5 times each to handle transient HTTP errors
+# (429 rate-limit, 403 access denied) from chromium.googlesource.com.
+# If all attempts fail, skip code_coverage setup so non-coverage builds can proceed.
+RUN set -eux; \
+    clone_ok=false; \
+    for i in 1 2 3 4 5; do \
+      rm -rf "$CODE_COVERAGE_SRC"; \
+      if git clone --filter=blob:none --no-checkout \
+           https://chromium.googlesource.com/chromium/src/tools/code_coverage \
+           "$CODE_COVERAGE_SRC"; then \
+        clone_ok=true; \
+        break; \
+      fi; \
+      echo "Clone attempt $i failed"; \
+      if [ "$i" -lt 5 ]; then echo "retrying in $((i * 15))s..."; sleep $((i * 15)); fi; \
+    done; \
+    if [ "$clone_ok" = "true" ]; then \
+      cd "$CODE_COVERAGE_SRC"; \
+      fetch_ok=false; \
+      for i in 1 2 3 4 5; do \
+        if git fetch --depth=1 origin "$CODE_COVERAGE_REV"; then \
+          fetch_ok=true; \
+          break; \
+        fi; \
+        echo "Fetch attempt $i failed"; \
+        if [ "$i" -lt 5 ]; then echo "retrying in $((i * 15))s..."; sleep $((i * 15)); fi; \
+      done; \
+      if [ "$fetch_ok" = "true" ]; then \
+        git checkout "$CODE_COVERAGE_REV" && \
+        pip3 install wheel && \
+        sed -i 's/Jinja2==2.10/Jinja2==2.10.3/' requirements.txt && \
+        pip3 install -r requirements.txt && \
+        pip3 install MarkupSafe==2.0.1 && \
+        pip3 install coverage==6.3.2; \
+      else \
+        echo "WARNING: All fetch attempts failed. Skipping code_coverage setup."; \
+        rm -rf "$CODE_COVERAGE_SRC"; \
+      fi; \
+    else \
+      echo "WARNING: All clone attempts failed. Skipping code_coverage setup."; \
+    fi
 
 # Default environment options for various sanitizers.
 # Note that these match the settings used in ClusterFuzz and
@@ -136,4 +168,4 @@ COPY bad_build_check \
     test_all.py \
     test_one.py \
     python_coverage_runner_help.py \
-    /usr/local/bin/
+    /usr/local/bin/