Khaled Yakdan
@aschaich I've tried your OSS-Fuzz setup and no fuzz targets were built. Could you check whether you've pushed the latest state? I've created your fuzz test locally (without OSS-Fuzz) with...
One more thing from my side: We still need to integrate source-based coverage reporting for JavaScript in OSS-Fuzz. This has been recently added to Jazzer.js, and we'll take care of...
As @jonathanmetzman, this is the workflow in OSS-Fuzz. Bugs, including the crashing inputs, are only disclosed to the public once they are fixed, or the disclosure deadline passes with no...
Here is the link to all public issues found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/list?q=&can=1. For each issue, you have several details, including a link to download the test case (failing input). Ideally,...
I'm not aware of `tape`, but see that you are the maintainer of it. Would you be interested in adding support for fuzzing runs using Jazzer.js?
Sounds great! We can collaborate there and we can provide the support you need regarding Jazzer.js.
@bhmohanr-techie With the deny list approach, users do not get any protection whatsoever if they don't change their configurations. This means they stay insecure by default. In both approaches, you...
@madrob @garydgregory Thanks for the review. @garydgregory I've rebased again and the PR does not contain changes to pom.xml or changes.xml now.
@Warxim Many thanks for the detailed explanation and the PoC of still insecure methods. I've added checks to the `MethodFunciton` class that check the declaring class before invoking the method....
@garydgregory @Warxim @madrob I've addressed your review. Could you have a look?