Revamp Log4j tests

projects/log4j2/Dockerfile

@@ -16,8 +16,30 @@
 
 FROM gcr.io/oss-fuzz-base/base-builder-jvm
 
-RUN git clone --depth 1 https://github.com/apache/logging-log4j2
+# Install Java 17 using Azul Zulu distribution, because
+#
+# 1. Log4j build requires Java 17, `base-builder-jvm` provides Java 15 (as of 2024-07-10)
+# 2. Apache Logging Services uses Zulu[1] as the OpenJDK distribution in CI
+#
+# [1] https://github.com/apache/logging-parent/blob/main/.github/workflows/build-reusable.yaml#L54
+
+# Add the Zulu APT repository
+RUN apt-get update && \
+    apt-get install -y gnupg ca-certificates && \
+    wget -q -O - https://repos.azul.com/azul-repo.key | \
+    gpg --dearmor -o /usr/share/keyrings/azul.gpg && \
+    echo "deb [signed-by=/usr/share/keyrings/azul.gpg] https://repos.azul.com/zulu/deb stable main" | \
+    tee /etc/apt/sources.list.d/zulu.list
+
+
+# Install Zulu 17
+RUN apt-get update && \
+    apt-get install -y zulu17-jdk
+
+# Update Java-related environment variables
+ENV JAVA_HOME /usr/lib/jvm/zulu17
+ENV JVM_LD_LIBRARY_PATH /usr/lib/jvm/zulu17/lib/server
+ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/out:/usr/lib/jvm/zulu17/bin
 
 COPY build.sh $SRC/
-COPY *.java *.xml $SRC/
-WORKDIR $SRC/logging-log4j2
+WORKDIR $SRC

projects/log4j2/README.adoc

@@ -0,0 +1,19 @@
+////
+Copyright 2024 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+////
+
+Log4j fuzz tests are distributed as a part of https://github.com/apache/logging-log4j2[the official project sources].
+Here we only store the `Dockerfile` to build the container image to build and run fuzz tests.
+Likewise, `build.sh` simply delegates to a build script distributed with the Log4j source code.

projects/log4j2/build.sh

@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2021 Google Inc.
+# Copyright 2021 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,60 +15,5 @@
 #
 ################################################################################
 
-echo "<?xml version=\"1.0\" encoding=\"UTF8\"?>
-<toolchains>
-  <toolchain>
-    <type>jdk</type>
-    <provides>
-      <version>15</version>
-    </provides>
-    <configuration>
-       <jdkHome>$JAVA_HOME</jdkHome>
-    </configuration>
-  </toolchain>
-</toolchains>
-" > $SRC/maven-toolchains.xml
-
-MAVEN_ARGS="-Dmaven.test.skip=true --no-transfer-progress --global-toolchains $SRC/maven-toolchains.xml"
-./mvnw package org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade -am -pl log4j-perf,log4j-to-slf4j,log4j-slf4j-impl,log4j-api,log4j-api-java9,log4j-core,log4j-core-java9 $MAVEN_ARGS
-CURRENT_VERSION=$(./mvnw org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
- -Dexpression=project.version -q -DforceStdout)
-cp "log4j-core/target/log4j-core-$CURRENT_VERSION.jar" $OUT/log4j-core.jar
-cp "log4j-api/target/log4j-api-$CURRENT_VERSION.jar" $OUT/log4j-api.jar
-cp "log4j-to-slf4j/target/log4j-to-slf4j-$CURRENT_VERSION.jar" $OUT/log4j-to-slf4j.jar
-cp "./log4j-perf/target/benchmarks.jar" $OUT/log4j-perf.jar
-ALL_JARS="log4j-core.jar log4j-api.jar log4j-to-slf4j.jar log4j-perf.jar"
-
-
-# The classpath at build-time includes the project jars in $OUT as well as the
-# Jazzer API. Additionally, include $OUT itself to pick up
-# BufferedImageLuminanceSource.
-BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH:$OUT:$SRC
-
-# All .jar and .class files lie in the same directory as the fuzzer at runtime.
-RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
-
-javac -cp $BUILD_CLASSPATH $SRC/*.java
-install -v $SRC/*.class $OUT/
-install -v $SRC/*.xml $OUT/
-
-for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
-  fuzzer_basename=$(basename -s .java $fuzzer)
-
-  # Create an execution wrapper that executes Jazzer with the correct arguments.
-  echo "#!/bin/bash
-# LLVMFuzzerTestOneInput for fuzzer detection.
-this_dir=\$(dirname \"\$0\")
-if [[ \"\$@\" =~ (^| )-runs=[0-9]+($| ) ]]; then
-  mem_settings='-Xmx1900m:-Xss900k'
-else
-  mem_settings='-Xmx2048m:-Xss1024k'
-fi
-LD_LIBRARY_PATH=\"$JVM_LD_LIBRARY_PATH\":\$this_dir \
-\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
---cp=$RUNTIME_CLASSPATH \
---target_class=$fuzzer_basename \
---jvm_args=\"\$mem_settings\" \
-\$@" > $OUT/$fuzzer_basename
-  chmod u+x $OUT/$fuzzer_basename
-done
+git clone --depth 1 --branch fuzzing --single-branch https://github.com/apache/logging-log4j2
+./logging-log4j2/oss-fuzz-build.sh "$OUT"

projects/log4j2/project.yaml

@@ -1,12 +1,17 @@
-fuzzing_engines:
-- libfuzzer
-homepage: https://logging.apache.org/log4j/2.x/
+homepage: "https://logging.apache.org/log4j/2.x"
+main_repo: "https://github.com/apache/logging-log4j2"
 language: jvm
-main_repo: https://github.com/apache/logging-log4j2
+
+fuzzing_engines:
+  - libfuzzer
 sanitizers:
-- address
-vendor_ccs:
-- wagner@code-intelligence.com
-- norbert.schneider@code-intelligence.com
-- hlin@code-intelligence.com
-- bug-disclosure@code-intelligence.com
+  - address
+
+# Apache Logging Services PMC members[1] that contribute the fuzz tests.
+# We cannot share `security@logging.apache.org` here, since it must be associated with a Google account[2].
+#
+# [1] https://logging.apache.org/team-list.html
+# [2] https://google.github.io/oss-fuzz/getting-started/new-project-guide/#primary
+primary_contact: volkan@yazi.ci
+auto_ccs:
+  - piotr.karwasz@gmail.com