authorGravatar psy <patrice.salathe@code-intelligence.com>2022-06-26 21:38:10 +0200
committerGravatar GitHub <noreply@github.com>2022-06-27 05:38:10 +1000
commit3d10fef6619144962ae97cf54c3ae18bee3ceac5 (patch)
treeddeb0bca15f1375bbda23efafa134c6635cc86f3
parent45023e3a63a19719e42bbf265db1851ee2ab1eb0 (diff)
spring-cloud-commons: initial integration (#7838)
* Initial integration Fix java_home, resolve jdk symlink, remove import name temporary fix Add random salt, add pem dict & fix instrumentation path * Fix path & use rsync instead of cp
-rw-r--r--projects/spring-cloud-commons/Dockerfile35
-rw-r--r--projects/spring-cloud-commons/EncryptionIntegrationFuzzer.java37
-rwxr-xr-xprojects/spring-cloud-commons/build.sh112
-rw-r--r--projects/spring-cloud-commons/project.yaml12
4 files changed, 196 insertions, 0 deletions
diff --git a/projects/spring-cloud-commons/Dockerfile b/projects/spring-cloud-commons/Dockerfile
new file mode 100644
index 00000000..dd89c560
--- /dev/null
+++ b/projects/spring-cloud-commons/Dockerfile
@@ -0,0 +1,35 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-jvm
+
+RUN curl -L https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.zip -o maven.zip && \
+ unzip maven.zip -d $SRC/maven && \
+ rm -rf maven.zip
+
+RUN git clone --depth 1 https://github.com/google/fuzzing && \
+ mv fuzzing/dictionaries/pem.dict $SRC/EncryptionIntegrationFuzzer.dict && \
+ rm -rf fuzzing
+
+RUN apt update && apt install -y openjdk-17-jdk
+
+ENV MVN $SRC/maven/apache-maven-3.6.3/bin/mvn
+
+RUN git clone --depth 1 https://github.com/spring-cloud/spring-cloud-commons
+
+COPY build.sh $SRC/
+COPY *Fuzzer.java $SRC/
+WORKDIR $SRC/spring-cloud-commons
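Review bot: The Maven archive fetched by the `curl -L … -o maven.zip` step is unpacked and later used to drive the whole build without any integrity check, so a tampered or truncated download would go unnoticed. Fail on HTTP errors and verify the digest Apache publishes for this release before unzipping, e.g. `curl -fL … -o maven.zip && echo "MAVEN_ZIP_SHA512_PLACEHOLDER  maven.zip" | sha512sum -c -` (the digest here is a placeholder). The `git clone --depth 1 https://github.com/google/fuzzing` step likewise takes whatever the default branch holds at build time; checking out a pinned commit for the dictionary would make the image reproducible.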
diff --git a/projects/spring-cloud-commons/EncryptionIntegrationFuzzer.java b/projects/spring-cloud-commons/EncryptionIntegrationFuzzer.java
new file mode 100644
index 00000000..888e0996
--- /dev/null
+++ b/projects/spring-cloud-commons/EncryptionIntegrationFuzzer.java
@@ -0,0 +1,37 @@
+import com.code_intelligence.jazzer.api.FuzzedDataProvider;
+
+import org.springframework.cloud.context.encrypt.EncryptorFactory;
+import org.springframework.security.crypto.encrypt.TextEncryptor;
+import java.nio.charset.Charset;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import com.code_intelligence.jazzer.api.FuzzerSecurityIssueHigh;
+import java.math.BigInteger;
+import org.springframework.security.crypto.encrypt.Encryptors;
+import org.springframework.cloud.context.encrypt.KeyFormatException;
+
+public class EncryptionIntegrationFuzzer {
+ public static void fuzzerTestOneInput(FuzzedDataProvider data) {
+ String keyStr = data.consumeString(100);
+ String salt = data.consumeString(50);
+ if (keyStr.isEmpty() || salt.isEmpty()) {
+ return;
+ }
+
+ String content = data.consumeRemainingAsString();
+
+ TextEncryptor encryptor;
+ try {
+ encryptor = new EncryptorFactory(salt).create(keyStr);
+ } catch (KeyFormatException e) {
+ return;
+ }
+
+ String encrypted = encryptor.encrypt(content);
+ String decrypted = encryptor.decrypt(encrypted);
+
+ if (!decrypted.equals(content)) {
+ throw new FuzzerSecurityIssueHigh("Different result when encrypting & decrypting: " + decrypted + " != " + content);
+ }
+ }
+}
\ No newline at end of file
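Review bot: Only `KeyFormatException` is treated as an expected rejection around `new EncryptorFactory(salt).create(keyStr)`, although `salt` is an arbitrary fuzzer string and `encrypt`/`decrypt` are called unguarded. If the factory or the underlying encryptor rejects a malformed salt or key with another unchecked exception (that code is not visible here, so this needs confirming), every such input is reported as a crash and drowns out the round-trip check. In that case widen the catch, e.g. `} catch (KeyFormatException | IllegalArgumentException e) {`, or constrain the salt to the format the factory expects. Separately, `Charset`, `ByteArrayInputStream`, `IOException`, `BigInteger` and `Encryptors` are imported but never used in this file, and a one-line class comment stating the encrypt/decrypt round-trip property under test would help whoever triages a finding.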
diff --git a/projects/spring-cloud-commons/build.sh b/projects/spring-cloud-commons/build.sh
new file mode 100755
index 00000000..b924f5b7
--- /dev/null
+++ b/projects/spring-cloud-commons/build.sh
@@ -0,0 +1,112 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+mv $SRC/*.dict $OUT
+
+export JAVA_HOME="$OUT/open-jdk-17"
+mkdir -p $JAVA_HOME
+rsync -aL --exclude=*.zip "/usr/lib/jvm/java-17-openjdk-amd64/" "$JAVA_HOME"
+
+cat > patch.diff <<- EOM
+diff --git a/pom.xml b/pom.xml
+index 831f5a1..855a43e 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -32,6 +32,19 @@
+ </properties>
+ <build>
+ <plugins>
++ <plugin>
++ <groupId>org.apache.maven.plugins</groupId>
++ <artifactId>maven-shade-plugin</artifactId>
++ <version>3.3.0</version>
++ <executions>
++ <execution>
++ <phase>package</phase>
++ <goals>
++ <goal>shade</goal>
++ </goals>
++ </execution>
++ </executions>
++ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>flatten-maven-plugin</artifactId>
+@@ -61,10 +74,6 @@
+ <groupId>io.spring.javaformat</groupId>
+ <artifactId>spring-javaformat-maven-plugin</artifactId>
+ </plugin>
+- <plugin>
+- <groupId>org.apache.maven.plugins</groupId>
+- <artifactId>maven-checkstyle-plugin</artifactId>
+- </plugin>
+ <plugin>
+ <groupId>org.basepom.maven</groupId>
+ <artifactId>duplicate-finder-maven-plugin</artifactId>
+@@ -74,10 +83,6 @@
+
+ <reporting>
+ <plugins>
+- <plugin>
+- <groupId>org.apache.maven.plugins</groupId>
+- <artifactId>maven-checkstyle-plugin</artifactId>
+- </plugin>
+ </plugins>
+ </reporting>
+
+
+EOM
+
+git apply patch.diff -v
+
+MAVEN_ARGS="-Djavac.src.version=17 -Djavac.target.version=17 -DskipTests -Dcheckstyle.skip=true"
+CURRENT_VERSION=$($MVN org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate \
+ -Dexpression=project.version -q -DforceStdout)
+
+$MVN clean package $MAVEN_ARGS
+cp "spring-cloud-commons/target/spring-cloud-commons-$CURRENT_VERSION.jar" "$OUT/spring-cloud-commons.jar"
+cp "spring-cloud-context/target/spring-cloud-context-$CURRENT_VERSION.jar" "$OUT/spring-cloud-context.jar"
+cp "spring-cloud-starter-bootstrap/target/spring-cloud-starter-bootstrap-$CURRENT_VERSION.jar" "$OUT/spring-cloud-starter-bootstrap.jar"
+
+ALL_JARS="spring-cloud-commons.jar spring-cloud-context.jar spring-cloud-starter-bootstrap.jar"
+
+# The classpath at build-time includes the project jars in $OUT as well as the
+# Jazzer API.
+BUILD_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "$OUT/%s:"):$JAZZER_API_PATH
+
+# All .jar and .class files lie in the same directory as the fuzzer at runtime.
+RUNTIME_CLASSPATH=$(echo $ALL_JARS | xargs printf -- "\$this_dir/%s:"):\$this_dir
+
+for fuzzer in $(find $SRC -name '*Fuzzer.java'); do
+ fuzzer_basename=$(basename -s .java $fuzzer)
+ javac -cp $BUILD_CLASSPATH $fuzzer --release 17
+ cp $SRC/$fuzzer_basename.class $OUT/
+
+ # Create an execution wrapper that executes Jazzer with the correct arguments.
+ echo "#!/bin/sh
+# LLVMFuzzerTestOneInput for fuzzer detection.
+this_dir=\$(dirname \"\$0\")
+JAVA_HOME=\"\$this_dir/open-jdk-17/\" \
+LD_LIBRARY_PATH=\"\$this_dir/open-jdk-17/lib/server\":\$this_dir \
+\$this_dir/jazzer_driver --agent_path=\$this_dir/jazzer_agent_deploy.jar \
+--instrumentation_excludes=org.springframework.security.**:org.bouncycastle.** \
+--cp=$RUNTIME_CLASSPATH \
+--target_class=$fuzzer_basename \
+--jvm_args=\"-Xmx2048m\" \
+\$@" > $OUT/$fuzzer_basename
+ chmod u+x $OUT/$fuzzer_basename
+done
\ No newline at end of file
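Review bot: The generated wrapper passes `--instrumentation_excludes=org.springframework.security.**:org.bouncycastle.**` without saying why, and those look like the packages doing the cryptographic work this harness exercises, so the fuzzer presumably gets no coverage feedback from them. A comment above the `echo` would record the reason, e.g. `# Excluded from instrumentation because REASON_PLACEHOLDER; coverage guidance then comes only from the spring-cloud classes.` The wrapper also ends in an unquoted `\$@`, which re-splits arguments containing spaces; `\"\$@\"` preserves them. Finally, the embedded `pom.xml` patch matches one upstream revision while the Dockerfile clones the default branch, so `git apply` will abort the build under `-eu` as soon as upstream edits those lines.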
diff --git a/projects/spring-cloud-commons/project.yaml b/projects/spring-cloud-commons/project.yaml
new file mode 100644
index 00000000..eacb66bd
--- /dev/null
+++ b/projects/spring-cloud-commons/project.yaml
@@ -0,0 +1,12 @@
+homepage: "https://github.com/spring-cloud/spring-cloud-commons"
+language: jvm
+main_repo: "https://github.com/spring-cloud/spring-cloud-commons.git"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+vendor_ccs:
+ - "wagner@code-intelligence.com"
+ - "yakdan@code-intelligence.com"
+ - "glendowne@code-intelligence.com"
+ - "patrice.salathe@code-intelligence.com"
\ No newline at end of file