Jazzer open source project has been discontinued

[Marcono1234]

Jazzer and Jazzer.js which are used by a lot of Java and JavaScript projects here have unfortunately been discountinued as open source projects, see READMEs:

• https://github.com/CodeIntelligenceTesting/jazzer
• https://github.com/CodeIntelligenceTesting/jazzer.js

Are there any plans yet how to handle this? Or will oss-fuzz for now continue using Jazzer until things break with the current versions?

[oliverchang]

Thanks for posting this. We've been exploring options here, and will keep this issue posted.

[Marcono1234]

It seems there is "Jazzer Pro" now: https://www.code-intelligence.com/introducing-jazzer-pro
That page says:

Free for Open Source Projects and Non-Commercial Security Research

We believe in empowering the community. That's why we offer Jazzer Pro free of charge for testing open-source projects and for non-commercial security research endeavors. Join us in advancing the field of software testing and security without any financial barriers.

But I assume you have a more direct connection to them and know whether using Jazzer Pro for oss-fuzz in the future would be possible or not.

[xuanswe]

It seems there is "Jazzer Pro" now: https://www.code-intelligence.com/introducing-jazzer-pro

The link is broken now. I couldn't find any official page about "Jazzer Pro" anymore.

[Marcono1234]

Hmm, yes a bit weird, I don't find anything either even though it seems they just introduced "Jazzer Pro" a few months ago. At least it had been archived on the Internet Archive: https://web.archive.org/web/20240502162115/https://www.code-intelligence.com/introducing-jazzer-pro

Have raised the question about "Jazzer Pro" here now as well: CodeIntelligenceTesting/jazzer#905

[oliverchang]

Stay tuned -- there's some interesting updates here coming soon.

[oliverchang]

This is now resolved thanks to @kyakdan and team!

Jazzer Pro features are open source once again, and automation is allowed under its new license via OSS-Fuzz.

See #12375 :)

[ljharb]

@oliverchang i'm a bit unclear; have any lawyers publicly commented that that license, for an OSI-approved-licensed project, constitutes an OSI-approved license?

[jakebailey]

Here's what You may also do with the Software, but only with an Open
Source Codebase and subject to the License Restrictions provisions
below:

  * Perform analysis on the Open Source Codebase but without automated
    analysis / fuzzing, CI, or CD.

  * Perform analysis on Open Source Codebases, including automated 
    analysis / fuzzing, CI, or CD only through the OSS-Fuzz Infrastructure
    operated by Google (https://github.com/google/oss-fuzz).

Wait, so the resolution is that the only open source project which is allowed to use jazzer is oss-fuzz, so long as it's deployed by on the official oss-fuzz infrastructure?

And how does one run jazzer without it doing fuzzing? (jazzer is a fuzzer, no?)

[oliverchang]

Thanks for the feedback all!

Wait, so the resolution is that the only open source project which is allowed to use jazzer is oss-fuzz, so long as it's deployed by on the official oss-fuzz infrastructure?

And how does one run jazzer without it doing fuzzing? (jazzer is a fuzzer, no?)

I'll let @kyakdan answer on the specifics since its their license, but anybody should be able to run/use Jazzer locally, just not in a CI/CD or automated fuzzing infrastructure context (except via OSS-Fuzz).

@oliverchang i'm a bit unclear; have any lawyers publicly commented that that license, for an OSI-approved-licensed project, constitutes an OSI-approved license?

Unfortunately no.

[ljharb]

Unfortunately I think that the license remains unclear enough that it'll mean cautious folks won't even want to use oss-fuzz, just in case :-/ i think a completely distinct alternative to jazzer is going to be required (unless they revert to an unmodified OSI-approved license)

[oliverchang]

Unfortunately I think that the license remains unclear enough that it'll mean cautious folks won't even want to use oss-fuzz, just in case :-/ i think a completely distinct alternative to jazzer is going to be required (unless they revert to an unmodified OSI-approved license)

Are there specific things in the current licensing that we'd be able to clarify / change to alleviate these concerns?

[ljharb]

I mean, in general, if a license isn't precisely an unmodified OSI-approved license, it's not "open source" and thus its legal status is very questionable. I'd be comfortable with a "fair source" license, which is delayed open source, but can be used as open source for non-competing uses in the interim, but I'm not sure what jazzer's goals are and whether that'd be compatible.

[evverx]

I'd appreciate it if there was a switch that I can flip to exclude this stuff from images and prevent it from ever being run accidentally on my machines. My use cases aren't covered by that license.

[lovell]

Are there specific things in the current licensing that we'd be able to clarify / change to alleviate these concerns?

Yes please. Does "OSS-Fuzz Infrastructure operated by Google" refer to hardware only, software only, use of either, or use of both?

I ask as this phrase appears in the following context:

"only through the OSS-Fuzz Infrastructure operated by Google (https://github.com/google/oss-fuzz)"

The (non-standard, not OSI-approved) licence attempts to clarify "OSS-Fuzz Infrastructure operated by Google" by including a URL that references the OSS Fuzz software repository.

This leads to ambiguity. For example, the OSS Fuzz software repository uses the term "infrastructure" to include its GitHub Action, which runs on non-Google hardware.

[evverx]

FWIW I don't think clarifications can help here because in places where those things matter nobody is going to read them anyway (because it's essentially a commercial product with non-commercial clause, export controls and stuff like that). There is nothing inherently wrong with that but ideally it should be opt-in and be pulled by the OSS-Fuzz infrastructure. For the same reasons I asked not to include Google Analytics in Fuzz Introspector pages back in the day. It's of course OK for Google to pull and run that stuff using their infrastructure but I wouldn't expect those things to be included by default in general.

[xuanswe]

Hi, is there a plan to replace Jazzer Pro completely with something OSI-approved license?

[oliverchang]

Thank you all once again for the feedback .

We've been having some discussions with @serj and @kyakdan on how we can make the licensing better for open source/OSS-Fuzz, and there's a currently a PR here: CodeIntelligenceTesting/jazzer#909 with some suggested changes.

The TL;DR / intention is that all projects which have been accepted by/integrated into OSS-Fuzz can freely use Jazzer Pro on any hardware.

Do these address the concerns people have for OSS-Fuzz? Or are there other things we can do here to address licensing concerns?

[evverx]

@oliverchang licenses like that are unlikely to get past bureaucracy (where even actual open-source licenses are rejected from time to time because they aren't permissive enough) so I still think it would be great if it was opt-in (or if it was possible to exclude it explicitly).

[evverx]

Looking at https://blog.oss-fuzz.com/posts/introducing-java-auto-harnessing/ (where Jazzer is heavily relied on) I'm now curious how all that stuff is supposed to be integrated into upstream projects. Is it going to be masqueraded as an open source dependency?

(I'm asking because I can't move a (non-Java) fuzz target from OSS-Fuzz to an upstream project because it was apparently generated by a bot and its license isn't compatible upstream and nobody can confirm that it's OK)

[ljharb]

@oliverchang frankly i don’t think anything short of an OSI-approved license, with unmodified text, is going to suffice. This project is “OSS fuzz”, which means it needs to only use OSS, which means it’s deps need an OSI-approved license.

[evverx]

To be fair CodeQL and things like that are commercial products too but they come with clear TOSes and it's kind of unlikely anyone can accidentally violate them by pulling anything. This whole OSS-Fuzz integration is weird from that perspective (and it can't even cover ClusterFuzzLite use cases where projects aren't integrated into OSS-Fuzz because they aren't critical enough).

[serj]

@evverx et al Thanks for your feedback and pointing out the issues with ClusterFuzzLite / oss-fuzz-gen and the accidental violation by simply pulling anything. This wasn't our intention. The idea behind the new non-commercial clause is to allow the OSS-Fuzz community to use Jazzer without limitations without sacrificing our commercial interest in non-OSS projects. The last pull request mentioned by @oliverchang should already have fixed most of the issues. Give us a few more days for the remaining issue with the rejected projects though.

Feel free to suggest clarifications to help with your concern as long as it is for OSS code only.

[evverx]

@serj I think it should be possible to (partly) cover ClusterFuzz use cases by allowing testing open source codebases by analogy with what CodeQL does: https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md. Then again all the scanners are going to keep flagging Jazzer anyway regardless of what the license says and it's probably going to be banned altogether in some places just in case. I don't think it's going to be used in most upstream projects either (unless their tests are kept in separate repositories or something like that).

Either way I think OSS-Fuzz/Code Intelligence should talk to actual lawyers to figure out what the OSS-Fuzz license should be given that it embeds Jazzer and ships it in their images.

[Marcono1234]

Because so far most comments here sounded rather pessimistic (even if that might not have been intended), I would like to mention that I appreciate that the company behind Jazzer made this decision to not stop Jazzer open source development, and that the OSS-Fuzz maintainers possibly helped to convince them.

Yes, ideally the fuzzer would be open source and licensed under a permissive license, but often that is not sustainable and the project is abandoned in the end¹. With this new model it is hopefully sustainable for the company behind Jazzer, and open source projects can benefit from Jazzer.

But as mentioned in the previous comments it would be good to resolve any legal uncertainty with the current license and OSS-Fuzz integration.

Footnotes

1. For completeness, there are other projects which are still maintained, such as JQF + Zest, but I haven't tested them yet. However multiple other ones don't seem to be actively developed anymore, such as Javafuzz. ↩

[evverx]

so far most comments here sounded rather pessimistic

@Marcono1234 I wouldn't say they are pessimistic. It's just that non-standard licenses prevent things from being used in some places. I don't think it affects all the maintainers but for example some maintainers would have to go to departments where things should be approved and then bought if they are approved and nobody usually goes that far.

I appreciate that the company behind Jazzer made this decision to not stop Jazzer open source development, and that the OSS-Fuzz maintainers possibly helped to convince them

I appreciate that too.

ideally the fuzzer would be open source and licensed under a permissive license, but often that is not sustainable and the project is abandoned in the end

I'm just spitballing but since OSS-Fuzz is technically affiliated with OpenSSF and OpenSSF in theory can fund technical initiatives (ossf/tac#311, ossf/tac#360) would that maybe be an option in terms of keeping Jazzer open-source? (I don't know whether it actually invests in anything or whether those funds can even cover development and ongoing maintenance of anything though).