
Releases: CodeIntelligenceTesting/jazzer

v0.18.0

16 Jun 12:35

What's Changed

  • Feature: Add script engine injection sanitizer with real life example by @gdemarcsek (#531)
  • Feature: Add equals-hook for Clojure (clojure.lang.Util.equiv) (#765)
  • Bugfix: Do not prepare for a subprocess for -fork=0 (#758)
  • Bugfix: Honor explicitly stated corpus directory (#761)
  • Bugfix: Ignore JetBrains classes during instrumentation (#763)

Full Changelog: v0.17.1...v0.18.0

v0.17.1

05 Jun 12:15

What's Changed

This release fixes an issue with a corrupted upload to Maven Central.
No changes since v0.17.0 except for the patch version bump.

Full Changelog: v0.17.0...v0.17.1

v0.17.0

31 May 11:37

What's Changed

  • Feature: Added an SSRF detector (#643)
  • Feature: junit: Inputs directories are now maintained per test method, not just per test class (#710)
  • Feature: junit: A default for jazzer.instrument is set based on the packages containing .class files on the class path (#732)
  • Bugfix: Updated instrumentation order to fix coverage reports by @kmnls (#711)
  • Bugfix: Windows release binaries have the .exe extension restored (#723)
  • Bugfix: Added support for Java 17 in Jazzer docker image (#698)
  • Bugfix: autofuzz: Fixed logs for bug detector findings (#699)
  • Bugfix: Fixed rare NPEs in sanitizers and runtime (#748)

Full Changelog: v0.16.1...v0.17.0

v0.16.1

30 Mar 11:08

What's Changed

  • Bugfix: Reenabled RCE reports for readObject calls (#684)
  • Bugfix: Jazzer finds its .jar when executed from PATH (#676)
  • Bugfix: JUnit fuzz tests using Autofuzz are executed on the JUnit-provided rather than a new test class instance (#687)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

17 Mar 13:14

What's Changed

  • Breaking change: Remote code execution findings are no longer reported when the honeypot class jaz.Zer is merely initialized but not instantiated. Earlier findings that are now considered false positives for lack of exploitability may therefore no longer reproduce. (#574)
  • Feature: Added an XPath sanitizer by @SyrasX (#443)
  • Bugfix: Security exceptions in jaz.Zer are no longer thrown for disabled sanitizers (#574)
  • Bugfix: agent: Instrumentation is retried on errors (#652)
  • Bugfix: agent: Fixed instrumentation of classes already instrumented with JaCoCo (#621)
  • Bugfix: junit: Extended list of ignored packages to include JUnit and Mockito (#664)
  • Bugfix: junit: Added missing dependency on org.junit.platform:junit-platform-launcher (#654)
  • Bugfix: autofuzz: Filters out unnamed classes (#627)
  • Added a Spring controller fuzz test example (#622)

Full Changelog: v0.15.0...v0.16.0

v0.15.0

02 Feb 12:40

What's Changed

  • Breaking change: assert statements are no longer automatically enabled in @FuzzTests executed via JUnit as it is not possible to do so reliably. If you want your @FuzzTests to execute these statements, use the -ea JVM flag.
  • Feature: @FuzzTests now use the JUnit-provided test instance, which improves support for mocks (#604)
  • Feature: @FuzzTests executed using the Jazzer CLI now use the JUnit launcher API and thus support all JUnit lifecycle hooks (#612)
  • Feature: The inputs directory for a @FuzzTest is now created automatically if a test resource directory exists (#585)
  • Feature: Kotlin integer compares are now tracked (#593)
  • Bugfix: autofuzz: Fixed handling of generic array types (#584)
  • Bugfix: autofuzz: Fixed findings being reported when autofuzz fails to construct inputs (#588)
  • Bugfix: autofuzz: Java reproducers enable assertions (#590)
  • Bugfix: Added internal maven and gradle classes to custom hook excludes with JUnit (#601 by @florianGla)
  • Native sanitizer lib location can be overridden via an environment variable (#606)

Full Changelog: v0.14.0...v0.15.0

v0.14.0

03 Jan 12:28

What's Changed

  • Major feature: The fuzzing mode of @FuzzTests is now implemented within JUnit Jupiter and thus supports lifecycle hooks (#556)
  • Major feature: Kotlin string comparison functions are instrumented (#566)
  • Bugfix: Correctly emit finding inputs generated by @FuzzTest on Windows (#578)
  • Bugfix: @FuzzTests no longer interfere with regular unit tests in certain edge cases (#575)
  • junit: Inputs are sorted by path (#562)
  • docker: Updated to OpenJDK 17 (#559)
  • docs: Added CONTRIBUTING.md and restructured docs (#549, #553, #551, #550, #560)
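The v0.15.0 and v0.14.0 entries above describe three behaviours of JUnit-based @FuzzTests that are easy to get wrong in practice: the test runs on the JUnit-provided instance (so @BeforeEach/@AfterEach and fields work as in a unit test), JUnit lifecycle hooks are honoured in fuzzing mode, and plain assert statements are only evaluated when the test JVM is started with -ea. The following is an added example, not code from the Jazzer project or these release notes. TicketParser, Ticket and InMemoryAudit are hypothetical classes defined inside the file so it is self-contained; the only real APIs used are Jazzer's @FuzzTest and FuzzedDataProvider and JUnit 5.

```java
package com.example.tickets;

import static org.junit.jupiter.api.Assertions.assertEquals;

import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import com.code_intelligence.jazzer.junit.FuzzTest;
import java.util.ArrayList;
import java.util.List;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;

/**
 * Added example, not code from the Jazzer project or its release notes.
 * TicketParser, Ticket and InMemoryAudit are hypothetical classes defined
 * below so the file compiles on its own (Java 16+ for the record).
 */
class TicketParserFuzzTest {

  // Per-instance state. Since v0.15.0 the fuzz test runs on the JUnit-provided
  // test instance, so fields, @BeforeEach and @AfterEach (and mocking
  // frameworks that hook into them) behave exactly as in a normal unit test.
  private InMemoryAudit audit;
  private TicketParser parser;

  @BeforeEach
  void setUp() {
    audit = new InMemoryAudit();
    parser = new TicketParser(audit);
  }

  @AfterEach
  void tearDown() {
    audit.clear();
  }

  @FuzzTest
  void parsesArbitraryTickets(FuzzedDataProvider data) {
    int quantity = data.consumeInt();
    String holder = data.consumeRemainingAsString();

    Ticket ticket;
    try {
      ticket = parser.parse(holder + ";" + quantity);
    } catch (IllegalArgumentException expected) {
      return; // rejected input is fine; only silent acceptance is a bug
    }

    // Only evaluated when the JVM runs with -ea: since v0.15.0 Jazzer no longer
    // enables assert statements for @FuzzTests. Without -ea the negative
    // quantity bug in TicketParser below is silently missed.
    assert ticket.quantity() >= 0 : "negative quantity accepted: " + ticket;

    // JUnit assertions are always evaluated, so they are the reliable way to
    // turn a property violation into a finding regardless of JVM flags.
    assertEquals(1, audit.entries().size(), "exactly one audit entry per parse");
  }

  // --- hypothetical code under test ---------------------------------------

  record Ticket(String holder, int quantity) {}

  static final class InMemoryAudit {
    private final List<String> entries = new ArrayList<>();
    void record(String entry) { entries.add(entry); }
    List<String> entries() { return entries; }
    void clear() { entries.clear(); }
  }

  static final class TicketParser {
    private static final int MAX_QUANTITY = 1000;
    private final InMemoryAudit audit;

    TicketParser(InMemoryAudit audit) { this.audit = audit; }

    /** Parses "holder;quantity". Bug: rejects oversized but not negative quantities. */
    Ticket parse(String raw) {
      int sep = raw.lastIndexOf(';');
      if (sep < 0) throw new IllegalArgumentException("missing separator");
      int quantity;
      try {
        quantity = Integer.parseInt(raw.substring(sep + 1));
      } catch (NumberFormatException e) {
        throw new IllegalArgumentException("bad quantity", e);
      }
      if (quantity > MAX_QUANTITY) throw new IllegalArgumentException("too many");
      String holder = raw.substring(0, sep);
      audit.record("parsed " + holder);
      return new Ticket(holder, quantity);
    }
  }
}
```

Run as an ordinary JUnit test the method replays the seed inputs from the test's inputs directory (per test method since v0.17.0; the exact path layout under src/test/resources is documented by Jazzer and assumed here rather than spelled out). Setting the environment variable JAZZER_FUZZ=1 switches it to fuzzing mode, where the lifecycle hooks run around every iteration. In either mode, pass -ea to the test JVM (for example through Maven Surefire's argLine) or the assert statement never fires and only the JUnit assertion can produce a finding.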

Full Changelog: v0.13.3...v0.14.0

v0.13.3

08 Dec 11:09

What's Changed

  • driver: Fix timeouts not being detected anymore (#544)

Full Changelog: v0.13.2...v0.13.3

v0.13.2

02 Dec 11:33

What's Changed

  • driver: Make jazzer_standalone.jar executable without the launcher (#537)
  • Add support for JDK 19 (#541)
  • junit: Tag Jazzer test engine tests with "jazzer" (#540)

Full Changelog: v0.13.1...v0.13.2

v0.13.1

24 Nov 09:58

What's Changed

  • autofuzz: Fix exclusion of Jazzer-internal classes (#528)
  • deps: Update rules_jvm_external to preserve directories in JARs (#532)
  • Fix sanitizers not being loaded with jazzer_standalone_deploy.jar (#533)

Full Changelog: v0.13.0...v0.13.1