| <?xml version="1.0" encoding="UTF-8"?> | |
| <!-- | |
| ~ Licensed to the Apache Software Foundation (ASF) under one | |
| ~ or more contributor license agreements. See the NOTICE file | |
| ~ distributed with this work for additional information | |
| ~ regarding copyright ownership. The ASF licenses this file | |
| ~ to you under the Apache License, Version 2.0 (the | |
| ~ "License"); you may not use this file except in compliance | |
| ~ with the License. You may obtain a copy of the License at | |
| ~ | |
| ~ http://www.apache.org/licenses/LICENSE-2.0 | |
| ~ | |
| ~ Unless required by applicable law or agreed to in writing, | |
| ~ software distributed under the License is distributed on an | |
| ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | |
| ~ KIND, either express or implied. See the License for the | |
| ~ specific language governing permissions and limitations | |
| ~ under the License. | |
| --> | |
| <project xmlns="http://maven.apache.org/POM/4.0.0" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> | |
| <!-- Standalone module: this POM declares no <parent> element, so dependency and plugin versions are not inherited and are pinned locally below. --> | |
| <modelVersion>4.0.0</modelVersion> | |
| <groupId>org.apache.axis2</groupId> | |
| <artifactId>axis2-fuzz</artifactId> | |
| <version>2.0.1-SNAPSHOT</version> | |
| <packaging>jar</packaging> | |
| <name>Apache Axis2 - Fuzz Testing</name> | |
| <description> | |
| Comprehensive fuzz testing for Axis2/Java parsers. | |
| Mirrors the Axis2/C OSS-Fuzz approach for finding security vulnerabilities. | |
| Fuzz targets: | |
| - XmlParserFuzzer: AXIOM/StAX XML parsing (XXE, XML bombs, buffer overflows) | |
| - JsonParserFuzzer: Gson JSON parsing (deep nesting, malformed JSON) | |
| - HttpHeaderFuzzer: HTTP header parsing (injection, overflows) | |
| - UrlParserFuzzer: URL/URI parsing (SSRF, malformed URLs) | |
| </description> | |
| <properties> | |
| <!-- The fuzz harness is compiled with Java 11 as both source and target level. --> | |
| <maven.compiler.source>11</maven.compiler.source> | |
| <maven.compiler.target>11</maven.compiler.target> | |
| <!-- One version property shared by jazzer-api and jazzer-junit so the two artifacts stay in step. --> | |
| <jazzer.version>0.22.1</jazzer.version> | |
| <!-- Use 2.0.0 release (March 2025) for standalone testing; change to ${project.version} when integrated --> | |
| <!-- NOTE(review): this module is versioned 2.0.1-SNAPSHOT but resolves the Axis2 artifacts at 2.0.0, so the fuzzers exercise the released jars. Changes made on the development line after 2.0.0 are not covered until this property is switched. --> | |
| <axis2.test.version>2.0.0</axis2.test.version> | |
| </properties> | |
| <dependencies> | |
| <!-- Jazzer fuzzing framework --> | |
| <!-- jazzer-api has no <scope>, so it is a compile-scope dependency and the shade execution in <build> will bundle it into the shaded jar. NOTE(review): Jazzer normally supplies its API classes itself when it drives a target; confirm that bundling a second copy is intended, or whether "provided" scope fits better. --> | |
| <dependency> | |
| <groupId>com.code-intelligence</groupId> | |
| <artifactId>jazzer-api</artifactId> | |
| <version>${jazzer.version}</version> | |
| </dependency> | |
| <!-- JUnit integration for Jazzer; test scope only, so it is not part of the packaged jar. --> | |
| <dependency> | |
| <groupId>com.code-intelligence</groupId> | |
| <artifactId>jazzer-junit</artifactId> | |
| <version>${jazzer.version}</version> | |
| <scope>test</scope> | |
| </dependency> | |
| <!-- Axis2 modules to fuzz (using released version for standalone testing) --> | |
| <!-- All three Axis2 artifacts take their version from the axis2.test.version property, so they always move together. --> | |
| <dependency> | |
| <groupId>org.apache.axis2</groupId> | |
| <artifactId>axis2-kernel</artifactId> | |
| <version>${axis2.test.version}</version> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.axis2</groupId> | |
| <artifactId>axis2-json</artifactId> | |
| <version>${axis2.test.version}</version> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.axis2</groupId> | |
| <artifactId>axis2-transport-http</artifactId> | |
| <version>${axis2.test.version}</version> | |
| </dependency> | |
| <!-- AXIOM for XML parsing (matches Axis2 2.0.0) --> | |
| <!-- The AXIOM version is a literal, not tied to axis2.test.version: it has to be updated by hand whenever that property changes. NOTE(review): a mismatch would make the XML fuzzer exercise a different AXIOM than the Axis2 artifacts were built against; verify against the Axis2 dependency tree. --> | |
| <dependency> | |
| <groupId>org.apache.ws.commons.axiom</groupId> | |
| <artifactId>axiom-api</artifactId> | |
| <version>2.0.0</version> | |
| </dependency> | |
| <dependency> | |
| <groupId>org.apache.ws.commons.axiom</groupId> | |
| <artifactId>axiom-impl</artifactId> | |
| <version>2.0.0</version> | |
| </dependency> | |
| <!-- Gson for JSON parsing --> | |
| <!-- Declared directly with a literal version. A direct declaration takes precedence over any Gson version that arrives transitively, so this is the Gson the JSON fuzzer actually runs against. NOTE(review): confirm it matches the version shipped with the Axis2 release under test, otherwise findings may not reproduce against the real distribution. --> | |
| <dependency> | |
| <groupId>com.google.code.gson</groupId> | |
| <artifactId>gson</artifactId> | |
| <version>2.10.1</version> | |
| </dependency> | |
| <!-- Testing --> | |
| <!-- JUnit 4, test scope only. --> | |
| <dependency> | |
| <groupId>junit</groupId> | |
| <artifactId>junit</artifactId> | |
| <version>4.13.2</version> | |
| <scope>test</scope> | |
| </dependency> | |
| </dependencies> | |
| <build> | |
| <plugins> | |
| <!-- Builds a single self-contained jar (this module plus its non-test dependencies) during the package phase, so the fuzz targets can be run from one classpath entry. --> | |
| <plugin> | |
| <groupId>org.apache.maven.plugins</groupId> | |
| <artifactId>maven-shade-plugin</artifactId> | |
| <version>3.5.1</version> | |
| <executions> | |
| <execution> | |
| <phase>package</phase> | |
| <goals> | |
| <goal>shade</goal> | |
| </goals> | |
| <configuration> | |
| <!-- No resource transformers are configured. NOTE(review): if several dependencies ship a file with the same path under META-INF/services, only one copy is kept in the shaded jar; confirm that parser and factory discovery inside the shaded jar still selects the implementations the fuzzers are meant to exercise. --> | |
| <filters> | |
| <!-- Applies to every bundled artifact (*:*): drop jar signature files. Signatures taken from the original jars no longer match the merged contents, and leaving them in place usually makes the JVM reject the shaded jar at load time. The result is an unsigned test artifact and should not be treated as a verified distribution. --> | |
| <filter> | |
| <artifact>*:*</artifact> | |
| <excludes> | |
| <exclude>META-INF/*.SF</exclude> | |
| <exclude>META-INF/*.DSA</exclude> | |
| <exclude>META-INF/*.RSA</exclude> | |
| </excludes> | |
| </filter> | |
| </filters> | |
| </configuration> | |
| </execution> | |
| </executions> | |
| </plugin> | |
| </plugins> | |
| </build> | |
| </project> |