[pull] master from google:master

projects/postcss/Dockerfile

@@ -0,0 +1,32 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-javascript
+
+COPY build.sh $SRC/
+
+# PostCSS's default branch is `main`. Pin it explicitly so the integration
+# does not silently break if the default ever changes. The fuzzing harness
+# (`test/fuzzing/fuzz_parse.js`) and its dictionary live in this repo, so
+# they are picked up by the clone without a separate COPY step.
+RUN git clone --depth 1 -b main https://github.com/postcss/postcss
+
+# postcss-parser-tests is the upstream-maintained collection of CSS test
+# cases. We use its `cases/` directory as the seed corpus so the fuzzer
+# starts mutating from real, parser-shaped inputs.
+RUN git clone --depth 1 -b main https://github.com/postcss/postcss-parser-tests
+
+WORKDIR $SRC/postcss

projects/postcss/build.sh

@@ -0,0 +1,38 @@
+#!/bin/bash -eu
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Install runtime dependencies only. PostCSS's devDependencies pull in tools
+# that have peer-dep conflicts and are unrelated to the library's runtime
+# behavior, so we skip them.
+npm install --omit=dev --ignore-scripts --legacy-peer-deps
+npm install --save-dev --legacy-peer-deps @jazzer.js/core
+
+# Build a seed corpus from the upstream postcss-parser-tests CSS cases so
+# the fuzzer starts mutating from realistic, parser-shaped inputs rather
+# than from empty bytes.
+mkdir -p "$WORK/seed_corpus"
+cp "$SRC"/postcss-parser-tests/cases/*.css "$WORK/seed_corpus/"
+(cd "$WORK/seed_corpus" && zip -q -r "$OUT/fuzz_parse_seed_corpus.zip" .)
+
+# Ship the CSS dictionary alongside the fuzzer so libFuzzer can splice in
+# common CSS tokens during mutation. The dictionary lives in the upstream
+# postcss repo under test/fuzzing/, so it is already present in the clone.
+cp "$SRC/postcss/test/fuzzing/fuzz_parse.dict" "$OUT/fuzz_parse.dict"
+
+# Build Fuzzers. The harness lives upstream at test/fuzzing/fuzz_parse.js
+# and is supplied by the postcss clone above.
+compile_javascript_fuzzer postcss test/fuzzing/fuzz_parse.js -i postcss --sync

projects/postcss/project.yaml

@@ -0,0 +1,8 @@
+homepage: https://postcss.org/
+language: javascript
+primary_contact: "andrey@sitnik.es"
+main_repo: https://github.com/postcss/postcss
+fuzzing_engines:
+- libfuzzer
+sanitizers:
+- none

projects/zeek/Dockerfile

@@ -14,7 +14,7 @@
 #
 ################################################################################
 
-FROM gcr.io/oss-fuzz-base/base-builder
+FROM gcr.io/oss-fuzz-base/base-builder:ubuntu-24-04
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
         bison \

projects/zeek/build.sh

@@ -56,6 +56,10 @@ for f in ${fuzzers}; do
         done
 
         copy_lib ${f} libpcap
+        copy_lib ${f} libibverbs
+        copy_lib ${f} libdbus
+        copy_lib ${f} libnl-3
+        copy_lib ${f} libnl-route-3
         copy_lib ${f} libssl
         copy_lib ${f} libcrypto
         copy_lib ${f} libz
@@ -72,6 +76,12 @@ for f in ${fuzzers}; do
         # Make libzmq search for dependencies in $ORIGIN so it
         # has them available at runtime.
         patchelf --set-rpath '$ORIGIN' ${OUT}/lib/libzmq.so*
+
+        # Do the same for libpcap and libibverbs. libpcap depends
+        # on the latter and that one depends on libnl-3 and
+        # libnl-route-3.
+        patchelf --set-rpath '$ORIGIN' ${OUT}/lib/libpcap.so*
+        patchelf --set-rpath '$ORIGIN' ${OUT}/lib/libibverbs.so*
     fi
 
     patchelf --set-rpath '$ORIGIN/lib' ${OUT}/${fuzzer_exe}

projects/zeek/project.yaml

@@ -1,3 +1,4 @@
+base_os_version: ubuntu-24-04
 homepage: "https://www.zeek.org"
 language: c++
 primary_contact: "security@zeek.org"