v0.20.1

What's Changed

• Bugfix: Fixed a release process issue that corrupted the jazzer Maven artifact (#838)

See v0.20.0 for the full release notes.

Full Changelog: v0.20.0...v0.20.1

v0.20.0

What's Changed

• Breaking change: Boolean-valued JAZZER_* environment variables are parsed more strictly and fail on values that aren't obviously truthy or falsy (#815)
• Feature: Compatibility with JDK 21 (#785 by @cushon, #820)
• Feature: Comparison instrumentation for Clojure standard library functions (#805, #827)
• Feature: junit: @Timeout can now be used to configure per-class and per-test timeouts for individual fuzz test executions (#825)
• Feature: junit: @FuzzTest#maxExecutions can be used to limit the number of executions of a fuzz test during fuzzing
• Feature: junit: Jazzer command-line options can be set via JUnit configuration parameters
• Bugfix: LibFuzzer options that use subprocesses are supported more reliably and in the docker container (#748 by @svenkeidel, #793, #824)
• Bugfix: Instrumented Byte#compare and Short#compare calls no longer throw an exception (#792, reported by @jarnokie)
• Bugfix: junit: Fixed running on individual files from the command line (#819)
• Error messages for JUnit 5 fuzz test setup issues have been improved

New Contributors

• @WillRoque made their first contribution in #782
• @cushon made their first contribution in #785
• @svenkeidel made their first contribution in #784

Full Changelog: v0.19.0...v0.20.0

v0.19.0

What's Changed

• Feature: Rework Opt value handling (#767)
• Feature: Generate temporary seeds with deterministic names (#744)

Full Changelog: v0.18.0...v0.19.0

v0.18.0

What's Changed

• Feature: Add script engine injection sanitizer with real life example by @gdemarcsek (#531)
• Feature: Add equals-hook for Clojure (clojure.lang.Util.equiv) (#765)
• Bugfix: Do not prepare for a subprocess for -fork=0 (#758)
• Bugfix: Honor explicitly stated corpus directory (#761)
• Bugfix: Ignore JetBrains classes during instrumentation (#763)

New Contributors

• @zgtm made their first contribution in #751
• @gdemarcsek made their first contribution in #531

Full Changelog: v0.17.1...v0.18.0

v0.17.1

What's Changed

This release fixes an issue with a corrupted upload to Maven Central.
No changes since v0.17.0 except for the patch version bump.

Full Changelog: v0.17.0...v0.17.1

v0.17.0

What's Changed

• Feature: Added an SSRF detector (#643)
• Feature: junit: Inputs directories are now maintained per test method, not just per test class (#710)
• Feature: junit: A default for jazzer.instrument is set based on the packages containing .class files on the class path (#732)
• Bugfix: Updated instrumentation order to fix coverage reports by @kmnls (#711)
• Bugfix: Windows release binaries have the .exe extension restored (#723)
• Bugfix: Added support for Java 17 in Jazzer docker image (#698)
• Bugfix: autofuzz: Fixed logs for bug detector findings (#699)
• Bugfix: Fixed rare NPEs in sanitizers and runtime (#748)

New Contributors

• @marktefftech made their first contribution in #717
• @hadi88 made their first contribution in #731

Full Changelog: v0.16.1...v0.17.0

v0.16.1

What's Changed

• Bugfix: Reenabled RCE reports for readObject calls (#684)
• Bugfix: Jazzer finds its .jar when executed from PATH (#676)
• Bugfix: JUnit fuzz tests using Autofuzz are executed on the JUnit-provided rather than a new test class instance (#687)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

What's Changed

• Breaking change: Remote code execution findings are no longer reported when the honeypot class jaz.Zer is initialized but not instantiated. This could result in findings that are now considered false positives for lack of exploitability no longer reproducing. (#574)
• Feature: Added an XPath sanitizer by @SyrasX (#443)
• Bugfix: Security exceptions in jaz.Zer are no longer thrown for disabled sanitizers (#574)
• Bugfix: agent: Instrumentation is retried on errors (#652)
• Bugfix: agent: Fixed instrumentation of classes already instrumented with JaCoCo (#621)
• Bugfix: junit: Extende list of ignored packages to include JUnit and Mockito (#664)
• Bugfix: junit: Added missing dependency on org.junit.platform:junit-platform-launcher (#654)
• Bugfix: autofuzz: Filters out unnamed classes (#627)
• Added a Spring controller fuzz test example (#622)

New Contributors

• @JerryWang304 made their first contribution in #614
• @kmnls made their first contribution in #609
• @ligurio made their first contribution in #605
• @oetr made their first contribution in #622
• @TheCoryBarker made their first contribution in #587
• @SyrasX made their first contribution in #443
• @intrigus-lgtm made their first contribution in #640
• @0xricksanchez made their first contribution in #644

Full Changelog: v0.15.0...v0.16.0

v0.15.0

What's Changed

• Breaking change: assert statements are no longer automatically enabled in @FuzzTests executed via JUnit as it is not possible to do so reliably. If you want your @FuzzTests to execute these statements, use the -ea JVM flag.
• Feature: @FuzzTests now use the JUnit-provided test instance, which improves support for mocks (#604)
• Feature: @FuzzTests executed using the Jazzer CLI now use the JUnit
  launcher API and thus support all JUnit lifecycle hooks (#612)
• Feature: The inputs directory for a @FuzzTest is now created automatically if a test resource directory exists (#585)
• Feature: Kotlin integer compares are now tracked (#593)
• Bugfix: autofuzz: Fixed handling of generic array types (#584)
• Bugfix: autofuzz: Fixed findings being reported when autofuzz fails to construct inputs (#588)
• Bugfix: autofuzz: Java reproducers enable assertions (#590)
• Bugfix: Added internal maven and gradle classes to custom hook excludes with JUnit (#601 by @florianGla)
• Native sanitizer lib location can be overriden via an environment variable (#606)

Full Changelog: v0.14.0...v0.15.0

v0.14.0

What's Changed

• Major feature: The fuzzing mode of @FuzzTests is now implemented within JUnit Jupiter and thus supports lifecycle hooks (#556)
• Major feature: Kotlin string comparison functions are instrumented (#566)
• Bugfix: Correctly emit finding inputs generated by @FuzzTest on Windows (#578)
• Bugfix: @FuzzTests no longer interfere with regular unit tests in certain edge cases (#575)
• junit: Inputs are sorted by path (#562)
• docker: Updated to OpenJDK 17 (#559)
• docs: Added CONTRIBUTING.md and restructured docs (#549, #553, #551, #550, #560)

Full Changelog: v0.13.3...v0.14.0