Jazzer open source project has been discontinued #11652
Comments
Thanks for posting this. We've been exploring options here, and will keep this issue posted.
It seems there is "Jazzer Pro" now: https://www.code-intelligence.com/introducing-jazzer-pro
But I assume you have a more direct connection to them and know whether using Jazzer Pro for oss-fuzz in the future would be possible or not.
The link is broken now. I couldn't find any official page about "Jazzer Pro" anymore.
Hmm, yes, a bit weird, I don't find anything either, even though it seems they just introduced "Jazzer Pro" a few months ago. At least it has been archived on the Internet Archive: https://web.archive.org/web/20240502162115/https://www.code-intelligence.com/introducing-jazzer-pro Have raised the question about "Jazzer Pro" here now as well: CodeIntelligenceTesting/jazzer#905
Stay tuned -- there's some interesting updates here coming soon.
This is now resolved thanks to @kyakdan and team! Jazzer Pro features are open source once again, and automation is allowed under its new license via OSS-Fuzz. See #12375 :)
@oliverchang I'm a bit unclear; have any lawyers publicly commented that that license, for an OSI-approved-licensed project, constitutes an OSI-approved license?
Wait, so the resolution is that the only open source project which is allowed to use jazzer is oss-fuzz, so long as it's deployed on the official oss-fuzz infrastructure? And how does one run jazzer without it doing fuzzing? (jazzer is a fuzzer, no?)
Thanks for the feedback all!
I'll let @kyakdan answer on the specifics since it's their license, but anybody should be able to run/use Jazzer locally, just not in a CI/CD or automated fuzzing infrastructure context (except via OSS-Fuzz).
Unfortunately no.
Unfortunately I think that the license remains unclear enough that it'll mean cautious folks won't even want to use oss-fuzz, just in case :-/ I think a completely distinct alternative to jazzer is going to be required (unless they revert to an unmodified OSI-approved license).
Are there specific things in the current licensing that we'd be able to clarify / change to alleviate these concerns?
I mean, in general, if a license isn't precisely an unmodified OSI-approved license, it's not "open source" and thus its legal status is very questionable. I'd be comfortable with a "fair source" license, which is delayed open source, but can be used as open source for non-competing uses in the interim, but I'm not sure what jazzer's goals are and whether that'd be compatible.
I'd appreciate it if there was a switch that I can flip to exclude this stuff from images and prevent it from ever being run accidentally on my machines. My use cases aren't covered by that license.
Yes please. Does "OSS-Fuzz Infrastructure operated by Google" refer to hardware only, software only, use of either, or use of both? I ask as this phrase appears in the following context:
The (non-standard, not OSI-approved) licence attempts to clarify "OSS-Fuzz Infrastructure operated by Google" by including a URL that references the OSS Fuzz software repository. This leads to ambiguity. For example, the OSS Fuzz software repository uses the term "infrastructure" to include its GitHub Action, which runs on non-Google hardware.
FWIW I don't think clarifications can help here, because in places where those things matter nobody is going to read them anyway (because it's essentially a commercial product with a non-commercial clause, export controls and stuff like that). There is nothing inherently wrong with that, but ideally it should be opt-in and be pulled by the OSS-Fuzz infrastructure. For the same reasons I asked not to include Google Analytics in Fuzz Introspector pages back in the day. It's of course OK for Google to pull and run that stuff using their infrastructure, but I wouldn't expect those things to be included by default in general.
Hi, is there a plan to replace Jazzer Pro completely with something under an OSI-approved license?
Thank you all once again for the feedback. We've been having some discussions with @serj and @kyakdan on how we can make the licensing better for open source/OSS-Fuzz, and there's currently a PR here: CodeIntelligenceTesting/jazzer#909 with some suggested changes. The TL;DR / intention is that all projects which have been accepted by/integrated into OSS-Fuzz can freely use Jazzer Pro on any hardware. Do these address the concerns people have for OSS-Fuzz? Or are there other things we can do here to address licensing concerns?
@oliverchang licenses like that are unlikely to get past bureaucracy (where even actual open-source licenses are rejected from time to time because they aren't permissive enough), so I still think it would be great if it was opt-in (or if it was possible to exclude it explicitly).
Looking at https://blog.oss-fuzz.com/posts/introducing-java-auto-harnessing/ (where Jazzer is heavily relied on) I'm now curious how all that stuff is supposed to be integrated into upstream projects. Is it going to be masqueraded as an open source dependency? (I'm asking because I can't move a (non-Java) fuzz target from OSS-Fuzz to an upstream project because it was apparently generated by a bot and its license isn't compatible upstream and nobody can confirm that it's OK.)
@oliverchang frankly I don't think anything short of an OSI-approved license, with unmodified text, is going to suffice. This project is "OSS fuzz", which means it needs to only use OSS, which means its deps need an OSI-approved license.
To be fair, CodeQL and things like that are commercial products too, but they come with clear TOSes and it's kind of unlikely anyone can accidentally violate them by pulling anything. This whole OSS-Fuzz integration is weird from that perspective (and it can't even cover ClusterFuzzLite use cases where projects aren't integrated into OSS-Fuzz because they aren't critical enough).
@evverx et al Thanks for your feedback and pointing out the issues with ClusterFuzzLite / oss-fuzz-gen and the accidental violation by simply pulling anything. This wasn't our intention. The idea behind the new non-commercial clause is to allow the OSS-Fuzz community to use Jazzer without limitations without sacrificing our commercial interest in non-OSS projects. The last pull request mentioned by @oliverchang should already have fixed most of the issues. Give us a few more days for the remaining issue with the rejected projects though. Feel free to suggest clarifications to help with your concern as long as it is for OSS code only.
@serj I think it should be possible to (partly) cover ClusterFuzz use cases by allowing testing open source codebases by analogy with what CodeQL does: https://github.com/github/codeql-cli-binaries/blob/main/LICENSE.md. Then again, all the scanners are going to keep flagging Jazzer anyway regardless of what the license says, and it's probably going to be banned altogether in some places just in case. I don't think it's going to be used in most upstream projects either (unless their tests are kept in separate repositories or something like that). Either way I think OSS-Fuzz/Code Intelligence should talk to actual lawyers to figure out what the OSS-Fuzz license should be, given that it embeds Jazzer and ships it in their images.
Because so far most comments here sounded rather pessimistic (even if that might not have been intended), I would like to mention that I appreciate that the company behind Jazzer made this decision to not stop Jazzer open source development, and that the OSS-Fuzz maintainers possibly helped to convince them. Yes, ideally the fuzzer would be open source and licensed under a permissive license, but often that is not sustainable and the project is abandoned in the end.[1] With this new model it is hopefully sustainable for the company behind Jazzer, and open source projects can benefit from Jazzer. But as mentioned in the previous comments, it would be good to resolve any legal uncertainty with the current license and OSS-Fuzz integration.
@Marcono1234 I wouldn't say they are pessimistic. It's just that non-standard licenses prevent things from being used in some places. I don't think it affects all the maintainers but for example some maintainers would have to go to departments where things should be approved and then bought if they are approved and nobody usually goes that far.
I appreciate that too.
I'm just spitballing, but since OSS-Fuzz is technically affiliated with OpenSSF and OpenSSF in theory can fund technical initiatives (ossf/tac#311, ossf/tac#360), would that maybe be an option in terms of keeping Jazzer open-source? (I don't know whether it actually invests in anything or whether those funds can even cover development and ongoing maintenance of anything though.)
Good news! It took some time, but we found a way to bring Jazzer back to open source and continue under the Apache 2 license. All concerns should be resolved now :)
@serj Does this include https://github.com/CodeIntelligenceTesting/jazzer.js too?
@oliverchang I just submitted a PR to update Jazzer: #12814
https://github.com/CodeIntelligenceTesting/jazzer.js still looks closed and unmaintained, and its packages are still deprecated on npm; is jazzer.js still being used to fuzz JS/TS code in oss-fuzz? |
Jazzer and Jazzer.js, which are used by a lot of Java and JavaScript projects here, have unfortunately been discontinued as open source projects, see READMEs:
Are there any plans yet how to handle this? Or will oss-fuzz for now continue using Jazzer until things break with the current versions?