v0.16.0

What's Changed

• Breaking change: Remote code execution findings are no longer reported when the honeypot class jaz.Zer is initialized but not instantiated. This could result in findings that are now considered false positives for lack of exploitability no longer reproducing. (#574)
• Feature: Added an XPath sanitizer by @SyrasX (#443)
• Bugfix: Security exceptions in jaz.Zer are no longer thrown for disabled sanitizers (#574)
• Bugfix: agent: Instrumentation is retried on errors (#652)
• Bugfix: agent: Fixed instrumentation of classes already instrumented with JaCoCo (#621)
• Bugfix: junit: Extende list of ignored packages to include JUnit and Mockito (#664)
• Bugfix: junit: Added missing dependency on org.junit.platform:junit-platform-launcher (#654)
• Bugfix: autofuzz: Filters out unnamed classes (#627)
• Added a Spring controller fuzz test example (#622)

New Contributors

• @JerryWang304 made their first contribution in #614
• @kmnls made their first contribution in #609
• @ligurio made their first contribution in #605
• @oetr made their first contribution in #622
• @TheCoryBarker made their first contribution in #587
• @SyrasX made their first contribution in #443
• @intrigus-lgtm made their first contribution in #640
• @0xricksanchez made their first contribution in #644

Full Changelog: v0.15.0...v0.16.0

v0.15.0

What's Changed

• Breaking change: assert statements are no longer automatically enabled in @FuzzTests executed via JUnit as it is not possible to do so reliably. If you want your @FuzzTests to execute these statements, use the -ea JVM flag.
• Feature: @FuzzTests now use the JUnit-provided test instance, which improves support for mocks (#604)
• Feature: @FuzzTests executed using the Jazzer CLI now use the JUnit
  launcher API and thus support all JUnit lifecycle hooks (#612)
• Feature: The inputs directory for a @FuzzTest is now created automatically if a test resource directory exists (#585)
• Feature: Kotlin integer compares are now tracked (#593)
• Bugfix: autofuzz: Fixed handling of generic array types (#584)
• Bugfix: autofuzz: Fixed findings being reported when autofuzz fails to construct inputs (#588)
• Bugfix: autofuzz: Java reproducers enable assertions (#590)
• Bugfix: Added internal maven and gradle classes to custom hook excludes with JUnit (#601 by @florianGla)
• Native sanitizer lib location can be overriden via an environment variable (#606)

Full Changelog: v0.14.0...v0.15.0

v0.14.0

What's Changed

• Major feature: The fuzzing mode of @FuzzTests is now implemented within JUnit Jupiter and thus supports lifecycle hooks (#556)
• Major feature: Kotlin string comparison functions are instrumented (#566)
• Bugfix: Correctly emit finding inputs generated by @FuzzTest on Windows (#578)
• Bugfix: @FuzzTests no longer interfere with regular unit tests in certain edge cases (#575)
• junit: Inputs are sorted by path (#562)
• docker: Updated to OpenJDK 17 (#559)
• docs: Added CONTRIBUTING.md and restructured docs (#549, #553, #551, #550, #560)

Full Changelog: v0.13.3...v0.14.0

v0.13.3

What's Changed

• driver: Fix timeouts not being detected anymore (#544)

Full Changelog: v0.13.2...v0.13.3

v0.13.2

What's Changed

• driver: Make jazzer_standalone.jar executable without the launcher (#537)
• Add support for JDK 19 (#541)
• junit: Tag Jazzer test engine tests with "jazzer" (#540)

Full Changelog: v0.13.1...v0.13.2

v0.13.1

What's Changed

• autofuzz: Fix exclusion of Jazzer-internal classes (#528)
• deps: Update rules_jvm_external to preserve directories in JARs (#532)
• Fix sanitizers not being loaded with jazzer_standalone_deploy.jar (#533)

Full Changelog: v0.13.0...v0.13.1

v0.13.0

What's Changed

• Breaking change: A JUnit @FuzzTest now runs on inputs in a ClassNameInputs rather than a ClassNameSeedCorpus directory.
• Breaking change: Removed the seedCorpus attribute from @FuzzTest. Following the ClassNameInputs convention allows for better integration with the fuzzer.
• Breaking change: --autofuzz no longer enables --keep_going by default, but instead prints suggestions on how to skip uninteresting findings.
• Major feature: JUnit @FuzzTests can now take any parameters and will use Autofuzz if not using the standard byte[] or FuzzedDataProvider signatures (#476)
• Major feature: Jazzer is now available as a jar, using the native launcher is no longer required. (#492)
• Major feature: Jazzer now supports native library fuzzing with release builds. See Fuzzing with Native Libraries. (#500)
• junit: Do not leak fuzzer startup into first seed test (#491)
• junit: Fixed Windows failure when running with corpus (#467)
• Fixed Java reproducer not compiling when referencing non-visible superclasses or interfaces (#471)
• Fixed DEDUP_TOKEN and --ignore behavior (#472)
• Fixed JaCoCo coverage measurements (#479)
• Improved fuzz test class not found error message (#481)
• Cleaned up stack traces (#485)
• Added docs and source JAR for jazzer-junit (#477)
• Ignore regex pattern syntax exceptions caused by stack overflows (#488)
• Added --version flag (#502)
• Improved @FuzzTest docs and increased default duration (#509)
• Improved jar stripping to fix various packaging issues (#515)

Full Changelog: v0.12.0...v0.13.0

v0.12.0

What's Changed

• Breaking change: Autofuzz API methods (consume and autofuzz) have moved from the
  Jazzer class to the dedicated Autofuzz class
• Major feature: Added JUnit 5 integration for fuzzing and regression tests using the
  @FuzzTest annotation (available as com.code-intelligence:jazzer-junit)
• Feature: Added sanitizer for SQL injections
• Feature: Hooks can be selectively disabled by specifying their full class name using the new
  --disabled_hooks flag
• Fix: Remove memory leaks in native code
• Fix: Don't instrument internal Azul JDK classes
• Fix: Classes with local variable annotations are now instrumented without errors

This release also includes smaller improvements and bugfixes, as well as a major refactoring and
Java rewrite of native components.

New Contributors

• @vargen made their first contribution in #416
• @henryrneh made their first contribution in #439

Full Changelog: v0.11.0...v0.12.0

v0.11.0

• Feature: Add sanitizer for context lookups
• Feature: Add sanitizer for OS command injection
• Feature: Add sanitizer for regex injection
• Feature: Add sanitizer for LDAP injections
• Feature: Add sanitizer for arbitrary class loading
• Feature: Guide fuzzer to generate proper map lookups keys
• Feature: Generate standalone Java reproducers for autofuzz
• Feature: Hooks targeting interfaces and abstract classes hook all implementations
• Feature: Enable multiple BEFORE and AFTER hooks for the same target
• Feature: Greatly improve performance of coverage instrumentation
• Feature: Improve performance of interactions between Jazzer and libFuzzer
• Feature: Export JaCoCo coverage dump using --coverage_dump flag
• Feature: Honor JAVA_OPTS
• API: Add exploreState to help the fuzzer maximize state coverage
• API: Provide additionalClassesToHook field in MethodHook annotation to hook dependent classes
• Fix: Synchronize coverage ID generation
• Fix: Support REPLACE hooks for constructors
• Fix: Do not apply REPLACE hooks in Java 6 class files

This release also includes smaller improvements and bugfixes.

v0.10.0

• Added support for macOS and Windows (both x64)
• Added an --autofuzz flag that allows fuzzing a method without writing a fuzz target
• Added bug detectors for insecure reflective calls, deserialization, and validation expression language injection
• Improved compilation time and fuzzing performance