What's Changed

• fix: use user-friendly type names in exception messages by @Marcono1234 in #1024
• fix: support lists of arbitrary types by @oetr in #1020
• Add missing space to annotation error message by @fmeum in #1023
• feat: add char and Character mutator by @oetr in #1019
• feat: SSRF env var to allow all connections before it's configured by @oetr in #1018
• feat: sometimes interpret char[] mutations as single bytes by @florianGla in #1013
• chore: fix maven publishing script by @simonresch in #1029
• chore(deps): update bazel dependencies by @simonresch in #1015
• chore: reduce number of executions in selffuzz test by @simonresch in #1025
• docs: add trophies for lz4-java and aircompressor findings by @simonresch in #1027
• trophies: add entry for lz4-java by @Marcono1234 in #1021

Full Changelog: v0.28.0...v0.29.1

Note: There is no release for v0.29.0 due to a bug in the release pipeline.

What's Changed

• feat: add @ValuePool to propagate values to types by @oetr in #975
• feat: add mutator support for generic classes by @simonresch in #1008
• fix: handle null values in Arrays.equal/compare hooks by @simonresch in #1017
• chore: almost automatic release to Maven Central by @oetr in #1016

Full Changelog: v0.27.0...v0.28.0

What's Changed

• chore: update bazel dependencies by @simonresch in #987
• fix: guard against malformed corpus entries in protobuf mutator by @simonresch in #989
• chore: update maven dependencies by @simonresch in #988
• fix: fixes for sanitizer handling in honeypot class by @simonresch in #991
• feat: add guidance hook for SpEL injection by @simonresch in #990
• feat: add big decimal sanitizer by @florianGla in #992
• BREAKING: remove Spring API fuzz test helpers by @florianGla in #993
• chore(deps): update github workflows by @simonresch in #997
• chore: update bazel dependencies by @simonresch in #998
• fix: fuzz test invocation with referring protobufs by @simonresch in #995
• chore: exclude potentially dangerous tests by default by @simonresch in #996
• fix: assertion failure when fuzzing proto strings by @simonresch in #1002
• feat: add hooks for additional EL evaluation methods by @florianGla in #994
• chore: upgrade to bazel 8 by @simonresch in #1001
• feat: add support for proto maps with enum values by @simonresch in #1006
• dependency updates by @simonresch in #1000
• feat: add jexl expression guidance hook by @florianGla in #1003
• feat: MVEL guidance hook by @simonresch in #1005
• feat: add ognl expression guidance hook by @florianGla in #1004
• feat: add xml parser guidance hook by @simonresch in #999
• feat: set mutator by @oetr in #955
• Mention Set in WithSize Javadoc & slightly improve test by @Marcono1234 in #1010
• refactor: improve readability of util function by @simonresch in #1011
• feat: add freemarker template injection guidance hook by @florianGla in #1007
• fix: properly instrument nested records by @oetr in #1009
• docs: document seed input sources for @fuzztest by @simonresch in #1012
• chore(deps): update maven deps by @simonresch in #1014

Full Changelog: v0.26.0...v0.27.0

What's Changed

• feat: add linux arm64 support by @simonresch in #973
• feat: add Finite annotation by @onionpsy in #969
• feat: add additional number annotations by @florianGla in #959
• feat: dedicated options for fuzzing duration & executions by @simonresch in #956
• fix: update regex for detecting intellij coverage agent by @florianGla in #961
• fix index out of bounds when mutating empty constructor arguments by @simonresch in #962
• fix: correct multiple method descriptors in builtin hooks by @simonresch in #967
• fix: support maxSize > 1000 in map mutator by @simonresch in #986
• fix: don't apply Bean factories for proto enums by @simonresch in #963
• fix: correct descriptors for String.split methods by @simonresch in #966
• docs: restructure and improve the docs by @oetr in #958
• docs: fix wrong Java class name in mutation framework docs by @Marcono1234 in #972
• docs: fix wrong corpus dir in README by @Marcono1234 in #970
• docs: document mutation annotation AppliesTo in Javadoc by @Marcono1234 in #974
• docs: add Javadoc to mutation annotations by @Marcono1234 in #976
• docs: add link to Bazel+JUnit example; improve description by @oetr in #965
• chore: fuzz them all by @oetr in #954
• chore: update protobuf to version 32.1 by @simonresch in #985
• chore(deps): update test maven deps by @renovate[bot] in #979
• chore: write list fuzz tests command output to stdout by @florianGla in #982
• chore: fix pom.xml for junit example project by @simonresch in #960

New Contributors

• @onionpsy made their first contribution in #969

Full Changelog: v0.25.1...v0.26.0

What's Changed

• chore: publish using Portal OSSRH Staging API by @oetr in #948
• docs: showcase the mutation framework in the readme by @oetr in #947
• fix(mutation): ensure maxSize >= size when using libfuzzer by @oetr in #952
• findings: add entry for aircompressor by @Marcono1234 in #953
• Update ASM dependencies to version 9.8 by @apache-hb in #950

New Contributors

• @apache-hb made their first contribution in #950

Full Changelog: v0.25.0...v0.25.1

What's Changed

• feat: add Unsafe array access sanitizer by @Marcono1234 in #932
• feat: add a path traversal sanitizer by @tballison in #915
• feat: add path traversal configuration using BugDetectors API by @oetr in #943
• breaking fix: make sure ConsumeIntegralInRange is always in range [min; max] by @oetr in #945. This change might invalidate some existing crash and corpus files.
• fix: clear last finding before starting a fuzzing run by @oetr in #944
• docs: fix incorrect annotation names by @Marcono1234 in #937
• docs: improve documentation by @Marcono1234 in #929
• chore: update pom.xml examples with correct version by @marklemay in #927
• chore: remove outdated CI workflow badge from README by @Marcono1234 in #946

New Contributors

• @tballison made their first contribution in #915
• @Marcono1234 made their first contribution in #929
• @marklemay made their first contribution in #927

Full Changelog: v0.24.0...v0.25.0

What's Changed

• chore(deps): bump com.google.protobuf:protobuf-java from 3.25.2 to 3.25.5 in /selffuzz by @dependabot in #910
• readme: remove obsolete note regarding the old license by @kyakdan in #923
• mutation: Add support for sealed classes by @fmeum in #922
• Fix Maven releases by @fmeum in #921
• Update rules_jvm_external to fix POM by @fmeum in #924

New Contributors

• @dependabot made their first contribution in #910

Full Changelog: v0.23.0...v0.24.0

What's Changed

• tests: Restore live output of java_fuzz_target_test by @fmeum in #875
• driver: Fix startup crash when fuzzing native libraries by @fmeum in #883
• Remove cifuzz references by @bertschneider in #892
• build: update toolchains_llvm dependency by @bertschneider in #897
• docs: update readme to inform about commercial offering by @jochil in #898
• doc: Add updated links to README by @HenrichN in #900
• Jazzer Pro by @kyakdan in #906
• Adjust license to clarify the usage within OSS-Fuzz by @serj in #909
• Change license back to Apache2 by @serj in #913
• Update macOS to 14 in the CI by @kyakdan in #914
• ci: Update softprops/action-gh-release to v2.2.0 in prerelease workflow by @zgtm in #916
• Fix prerelease pipeline by @zgtm in #917
• Fix maven deployment by @zgtm in #918

New Contributors

• @jochil made their first contribution in #898
• @HenrichN made their first contribution in #900
• @serj made their first contribution in #909

Full Changelog: v0.22.1...v0.23.0

What's Changed

• Feature: junit: The API of @DirectoryEntries and @DictionaryFile has changed compared to v0.22.0.

Full Changelog: v0.22.0...v0.22.1

What's Changed

• Breaking change: junit: The Lifecycle.PER_EXECUTION mode of @FuzzTest now provides a new test instance for each fuzz test, with support for TestInstancePostProcessor's (#867)
• Experimental feature (subject to change in a future version): junit: Dictionaries can be added to fuzz tests via @DirectoryEntries and @DictionaryFile (#862)
• Bugfix: Hooks can now also instrument classes on the extension classpath (#869)

Full Changelog: v0.21.1...v0.22.0