Skip to content

Commit

Permalink
blog: External audit summary (#2919)
Browse files Browse the repository at this point in the history
* blog: External audit summary

Signed-off-by: Stewart X Addison <sxa@redhat.com>
  • Loading branch information
sxa authored Jun 18, 2024
1 parent cacda7a commit fca6640
Showing 1 changed file with 55 additions and 0 deletions.
55 changes: 55 additions & 0 deletions content/blog/external_audit/index.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: External audit of Temurin build and distribution processes
date: "2024-06-17T17:00:00+00:00"
author: pmc
description:
tags:
- temurin
- security
---
## Introduction

Last year, the Eclipse Foundation engaged the
[Open Source Technology Improvement Fund](https://ostif.org/) to
perform an independent audit of the build and distribution processes for
Eclipse Temurin. This was done by the cybersecurity research and consulting
firm [Trail of Bits](https://www.trailofbits.com/).

## Motivation

The work done as part of this audit is consistent with other
[software supply-chain security work](https://adoptium.net/docs/slsa/) which
the Adoptium team are already doing with Temurin, such as the work to
attain
[SLSA build level 3 compliance](https://adoptium.net/blog/2024/01/slsabuild3-temurin/)
as well as other work to
[harden the security](https://adoptium.net/docs/secure-software/) of parts of the project, so it
was a natural next step to have an external team look at our build and
distribution processes to identify areas for improvement.

## Semgrep static analysis

As part of this collaboration with Trail of Bits we have also implemented
the open-source static analysis tool
[Semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833)
in our repositories as an additional automated check on each PR to ensure
that the types of findings from the audit are identified before being merged
into our codebase if they occur in the future.

## Status of the audit

The audit and subsequent remediation work from it are now complete. The
[report from Trail of bits](https://ostif.org/wp-content/uploads/2024/06/Temurin-Final-Report.pdf)
is now available, and a document with our
[response and list of remediation actions](https://adoptium.net/pdf/temurin-audit-response.pdf) is also available.

## Conclusion

This has been a very productive collaboration for the Adoptium team. Thanks go to the OpenSSF’s
Alpha-Omega project that provided funding to help Adoptium and other Eclipse Foundation projects
improve their security, the Foundation itself for providing this opportunity to Adoptium, and the
Adoptium project members that worked on achieving the resolutions.

An exercise such as this could be very useful for other projects out there.
A list of others that Trail of Bits have been involved with can be seen on
[their publication page](https://github.com/trailofbits/publications).

0 comments on commit fca6640

Please sign in to comment.