v0.17.1

What's Changed

This release fixes an issue with a corrupted upload to Maven Central.
No changes since v0.17.0 except for the patch version bump.

Full Changelog: v0.17.0...v0.17.1

v0.17.0

What's Changed

• Feature: Added an SSRF detector (#643)
• Feature: junit: Inputs directories are now maintained per test method, not just per test class (#710)
• Feature: junit: A default for jazzer.instrument is set based on the packages containing .class files on the class path (#732)
• Bugfix: Updated instrumentation order to fix coverage reports by @kmnls (#711)
• Bugfix: Windows release binaries have the .exe extension restored (#723)
• Bugfix: Added support for Java 17 in Jazzer docker image (#698)
• Bugfix: autofuzz: Fixed logs for bug detector findings (#699)
• Bugfix: Fixed rare NPEs in sanitizers and runtime (#748)

New Contributors

• @marktefftech made their first contribution in #717
• @hadi88 made their first contribution in #731

Full Changelog: v0.16.1...v0.17.0

v0.16.1

What's Changed

• Bugfix: Reenabled RCE reports for readObject calls (#684)
• Bugfix: Jazzer finds its .jar when executed from PATH (#676)
• Bugfix: JUnit fuzz tests using Autofuzz are executed on the JUnit-provided rather than a new test class instance (#687)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

What's Changed

• Breaking change: Remote code execution findings are no longer reported when the honeypot class jaz.Zer is initialized but not instantiated. This could result in findings that are now considered false positives for lack of exploitability no longer reproducing. (#574)
• Feature: Added an XPath sanitizer by @SyrasX (#443)
• Bugfix: Security exceptions in jaz.Zer are no longer thrown for disabled sanitizers (#574)
• Bugfix: agent: Instrumentation is retried on errors (#652)
• Bugfix: agent: Fixed instrumentation of classes already instrumented with JaCoCo (#621)
• Bugfix: junit: Extende list of ignored packages to include JUnit and Mockito (#664)
• Bugfix: junit: Added missing dependency on org.junit.platform:junit-platform-launcher (#654)
• Bugfix: autofuzz: Filters out unnamed classes (#627)
• Added a Spring controller fuzz test example (#622)

New Contributors

• @JerryWang304 made their first contribution in #614
• @kmnls made their first contribution in #609
• @ligurio made their first contribution in #605
• @oetr made their first contribution in #622
• @TheCoryBarker made their first contribution in #587
• @SyrasX made their first contribution in #443
• @intrigus-lgtm made their first contribution in #640
• @0xricksanchez made their first contribution in #644

Full Changelog: v0.15.0...v0.16.0

v0.15.0

What's Changed

• Breaking change: assert statements are no longer automatically enabled in @FuzzTests executed via JUnit as it is not possible to do so reliably. If you want your @FuzzTests to execute these statements, use the -ea JVM flag.
• Feature: @FuzzTests now use the JUnit-provided test instance, which improves support for mocks (#604)
• Feature: @FuzzTests executed using the Jazzer CLI now use the JUnit
  launcher API and thus support all JUnit lifecycle hooks (#612)
• Feature: The inputs directory for a @FuzzTest is now created automatically if a test resource directory exists (#585)
• Feature: Kotlin integer compares are now tracked (#593)
• Bugfix: autofuzz: Fixed handling of generic array types (#584)
• Bugfix: autofuzz: Fixed findings being reported when autofuzz fails to construct inputs (#588)
• Bugfix: autofuzz: Java reproducers enable assertions (#590)
• Bugfix: Added internal maven and gradle classes to custom hook excludes with JUnit (#601 by @florianGla)
• Native sanitizer lib location can be overriden via an environment variable (#606)

Full Changelog: v0.14.0...v0.15.0

v0.14.0

What's Changed

• Major feature: The fuzzing mode of @FuzzTests is now implemented within JUnit Jupiter and thus supports lifecycle hooks (#556)
• Major feature: Kotlin string comparison functions are instrumented (#566)
• Bugfix: Correctly emit finding inputs generated by @FuzzTest on Windows (#578)
• Bugfix: @FuzzTests no longer interfere with regular unit tests in certain edge cases (#575)
• junit: Inputs are sorted by path (#562)
• docker: Updated to OpenJDK 17 (#559)
• docs: Added CONTRIBUTING.md and restructured docs (#549, #553, #551, #550, #560)

Full Changelog: v0.13.3...v0.14.0

v0.13.3

What's Changed

• driver: Fix timeouts not being detected anymore (#544)

Full Changelog: v0.13.2...v0.13.3

v0.13.2

What's Changed

• driver: Make jazzer_standalone.jar executable without the launcher (#537)
• Add support for JDK 19 (#541)
• junit: Tag Jazzer test engine tests with "jazzer" (#540)

Full Changelog: v0.13.1...v0.13.2

v0.13.1

What's Changed

• autofuzz: Fix exclusion of Jazzer-internal classes (#528)
• deps: Update rules_jvm_external to preserve directories in JARs (#532)
• Fix sanitizers not being loaded with jazzer_standalone_deploy.jar (#533)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

What's Changed

• Breaking change: A JUnit @FuzzTest now runs on inputs in a ClassNameInputs rather than a ClassNameSeedCorpus directory.
• Breaking change: Removed the seedCorpus attribute from @FuzzTest. Following the ClassNameInputs convention allows for better integration with the fuzzer.
• Breaking change: --autofuzz no longer enables --keep_going by default, but instead prints suggestions on how to skip uninteresting findings.
• Major feature: JUnit @FuzzTests can now take any parameters and will use Autofuzz if not using the standard byte[] or FuzzedDataProvider signatures (#476)
• Major feature: Jazzer is now available as a jar, using the native launcher is no longer required. (#492)
• Major feature: Jazzer now supports native library fuzzing with release builds. See Fuzzing with Native Libraries. (#500)
• junit: Do not leak fuzzer startup into first seed test (#491)
• junit: Fixed Windows failure when running with corpus (#467)
• Fixed Java reproducer not compiling when referencing non-visible superclasses or interfaces (#471)
• Fixed DEDUP_TOKEN and --ignore behavior (#472)
• Fixed JaCoCo coverage measurements (#479)
• Improved fuzz test class not found error message (#481)
• Cleaned up stack traces (#485)
• Added docs and source JAR for jazzer-junit (#477)
• Ignore regex pattern syntax exceptions caused by stack overflows (#488)
• Added --version flag (#502)
• Improved @FuzzTest docs and increased default duration (#509)
• Improved jar stripping to fix various packaging issues (#515)

Full Changelog: v0.12.0...v0.13.0