Releases: CodeIntelligenceTesting/jazzer

v0.21.1

20 Sep 14:36

What's Changed

No functional changes to the Maven artifacts.

  • Bugfix: jazzer_standalone.jar in the release archives can be executed with java -jar (#858)

See v0.21.0 for the full release notes.

Full Changelog: v0.21.0...v0.21.1

v0.21.0

20 Sep 12:35

What's Changed

  • Breaking change: Bugfixes for edge cases in FuzzedDataProvider can result in altered behavior when reproducing old findings (ed7e7b2)
  • Feature: junit: The new lifecycle parameter of @FuzzTest can be set to PER_EXECUTION to run "before each" and "after each" lifecycle methods and extension callbacks for each individual execution of a fuzz test rather than just once per test (#833, #851)
  • Feature: junit: @FuzzTest can now be applied to other annotations as a meta-annotation, allowing for the creation of custom reusable fuzz test annotations (#849)
  • Feature: Improved Map instrumentation (#845)
  • Bugfix: junit: Only create .cifuzz-corpus if it is the generated corpus (#855)

Full Changelog: v0.20.1...v0.21.0

v0.20.1

31 Aug 15:11

What's Changed

  • Bugfix: Fixed a release process issue that corrupted the jazzer Maven artifact (#838)

See v0.20.0 for the full release notes.

Full Changelog: v0.20.0...v0.20.1

v0.20.0

30 Aug 10:54

What's Changed

  • Breaking change: Boolean-valued JAZZER_* environment variables are parsed more strictly and fail on values that aren't obviously truthy or falsy (#815)
  • Feature: Compatibility with JDK 21 (#785 by @cushon, #820)
  • Feature: Comparison instrumentation for Clojure standard library functions (#805, #827)
  • Feature: junit: @Timeout can now be used to configure per-class and per-test timeouts for individual fuzz test executions (#825)
  • Feature: junit: @FuzzTest#maxExecutions can be used to limit the number of executions of a fuzz test during fuzzing
  • Feature: junit: Jazzer command-line options can be set via JUnit configuration parameters
  • Bugfix: LibFuzzer options that use subprocesses are supported more reliably and in the Docker container (#748 by @svenkeidel, #793, #824)
  • Bugfix: Instrumented Byte#compare and Short#compare calls no longer throw an exception (#792, reported by @jarnokie)
  • Bugfix: junit: Fixed running on individual files from the command line (#819)
  • Error messages for JUnit 5 fuzz test setup issues have been improved

New Contributors

Full Changelog: v0.19.0...v0.20.0

v0.19.0

20 Jun 12:58

What's Changed

  • Feature: Rework Opt value handling (#767)
  • Feature: Generate temporary seeds with deterministic names (#744)

Full Changelog: v0.18.0...v0.19.0

v0.18.0

16 Jun 12:35

What's Changed

  • Feature: Add script engine injection sanitizer with a real-life example by @gdemarcsek (#531)
  • Feature: Add equals-hook for Clojure (clojure.lang.Util.equiv) (#765)
  • Bugfix: Do not prepare for a subprocess for -fork=0 (#758)
  • Bugfix: Honor explicitly stated corpus directory (#761)
  • Bugfix: Ignore JetBrains classes during instrumentation (#763)

New Contributors

Full Changelog: v0.17.1...v0.18.0

v0.17.1

05 Jun 12:15

What's Changed

This release fixes an issue with a corrupted upload to Maven Central.
No changes since v0.17.0 except for the patch version bump.

Full Changelog: v0.17.0...v0.17.1

v0.17.0

31 May 11:37

What's Changed

  • Feature: Added an SSRF detector (#643)
  • Feature: junit: Inputs directories are now maintained per test method, not just per test class (#710)
  • Feature: junit: A default for jazzer.instrument is set based on the packages containing .class files on the class path (#732)
  • Bugfix: Updated instrumentation order to fix coverage reports by @kmnls (#711)
  • Bugfix: Windows release binaries have the .exe extension restored (#723)
  • Bugfix: Added support for Java 17 in the Jazzer Docker image (#698)
  • Bugfix: autofuzz: Fixed logs for bug detector findings (#699)
  • Bugfix: Fixed rare NPEs in sanitizers and runtime (#748)

New Contributors

Full Changelog: v0.16.1...v0.17.0

v0.16.1

30 Mar 11:08

What's Changed

  • Bugfix: Reenabled RCE reports for readObject calls (#684)
  • Bugfix: Jazzer finds its .jar when executed from PATH (#676)
  • Bugfix: JUnit fuzz tests using Autofuzz are executed on the JUnit-provided test class instance rather than on a newly created one (#687)

Full Changelog: v0.16.0...v0.16.1

v0.16.0

17 Mar 13:14

What's Changed

  • Breaking change: Remote code execution findings are no longer reported when the honeypot class jaz.Zer is initialized but not instantiated. As a result, earlier findings that are now considered false positives for lack of exploitability may no longer reproduce. (#574)
  • Feature: Added an XPath sanitizer by @SyrasX (#443)
  • Bugfix: Security exceptions in jaz.Zer are no longer thrown for disabled sanitizers (#574)
  • Bugfix: agent: Instrumentation is retried on errors (#652)
  • Bugfix: agent: Fixed instrumentation of classes already instrumented with JaCoCo (#621)
  • Bugfix: junit: Extended the list of ignored packages to include JUnit and Mockito (#664)
  • Bugfix: junit: Added missing dependency on org.junit.platform:junit-platform-launcher (#654)
  • Bugfix: autofuzz: Filters out unnamed classes (#627)
  • Added a Spring controller fuzz test example (#622)

New Contributors

Full Changelog: v0.15.0...v0.16.0