caffeine: Initial integration

[ben-manes]

Caffeine Cache is the successor to Google Guava's Cache. It had 250M downloads from Maven Central in 2024.

I have tested this locally based on your documented steps.

/cc @cpovirk

[github-actions]

ben-manes is integrating a new project:
- Main repo: https://github.com/ben-manes/caffeine.git
- Criticality score: 0.64521

[DonggeLiu]

Thanks @ben-manes!
Is there any chance that you could help us maintain the fuzz target in caffeine repo?
OSS-Fuzz finds this easier to update it, thanks!

[ben-manes]

I have fuzzing in a github action. The ossf scorecard doesn’t like that, fwiw.

[DonggeLiu]

I have fuzzing in a github action. The ossf scorecard doesn’t like that, fwiw.

Ah sorry, I meant relocating file caffeinespecfuzzer.java from this PR to the caffeine repo only [1].
We are more than happy to run fuzzing for your project : )

This makes updating/adding fuzz targets a lot easier, without having to go through OSS-Fuzz PRs.
Let me know if that makes sense.

[ben-manes]

Unfortunately I think it wouldn't provide you a benefit because the docker file would remain in this repository.

The first run failed because the external Java version was used (classfile 61, aka jdk 17) despite the project setting itself to java 21. Forcing it to compile at a minimal version passed the CI run. It more likely that something might cause us to upgrade before new fuzzers are added.

I think fuzzing is a nice technique but is not very applicable for this Java library, a bounded hash table. Those cases are well covered by extensive tests. This particular case is parsing a string input for configuration which was a good fit, but otherwise I can't think of anything helpful.

So reluctantly I think this is probably best. If scorecards accepted the project CI running it directly then I wouldn't bother you about it.