From fca6640c5235e938dfa260089a319e4633e3451b Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Tue, 18 Jun 2024 15:10:17 +0100 Subject: [PATCH] blog: External audit summary (#2919) * blog: External audit summary Signed-off-by: Stewart X Addison --- content/blog/external_audit/index.md | 55 ++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 content/blog/external_audit/index.md diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md new file mode 100644 index 000000000..122c58659 --- /dev/null +++ b/content/blog/external_audit/index.md 
@@ -0,0 +1,55 @@ +--- +title: External audit of Temurin build and distribution processes +date: "2024-06-17T17:00:00+00:00" +author: pmc +description: +tags: + - temurin + - security +--- +## Introduction + +Last year, the Eclipse Foundation engaged the +[Open Source Technology Improvement Fund](https://ostif.org/) to +perform an independent audit of the build and distribution processes for +Eclipse Temurin. This was done by the cybersecurity research and consulting +firm [Trail of Bits](https://www.trailofbits.com/). + +## Motivation + +The work done as part of this audit is consistent with other +[software supply-chain security work](https://adoptium.net/docs/slsa/) which +the Adoptium team are already doing with Temurin, such as the work to +attain +[SLSA build level 3 compliance](https://adoptium.net/blog/2024/01/slsabuild3-temurin/) +as well as other work to +[harden the security](https://adoptium.net/docs/secure-software/) of parts of the project, so it +was a natural next step to have an external team look at our build and +distribution processes to identify areas for improvement. + +## Semgrep static analysis + +As part of this collaboration with Trail of Bits we have also implemented +the open-source static analysis tool +[Semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833) +in our repositories as an additional automated check on each PR to ensure +that the types of findings from the audit are identified before being merged +into our codebase if they occur in the future. + +## Status of the audit + +The audit and subsequent remediation work from it are now complete. The +[report from Trail of bits](https://ostif.org/wp-content/uploads/2024/06/Temurin-Final-Report.pdf) +is now available, and a document with our +[response and list of remediation actions](https://adoptium.net/pdf/temurin-audit-response.pdf) is also available. + +## Conclusion + +This has been a very productive collaboration for the Adoptium team. 
Thanks go to the OpenSSF’s +Alpha-Omega project that provided funding to help Adoptium and other Eclipse Foundation projects +improve their security, the Foundation itself for providing this opportunity to Adoptium, and the +Adoptium project members that worked on achieving the resolutions. + +An exercise such as this could be very useful for other projects out there. +A list of others that Trail of Bits have been involved with can be seen on +[their publication page](https://github.com/trailofbits/publications).
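Review bot: The front matter leaves `description:` empty, so the post will render with no summary text in listings and social previews; suggest filling it in, e.g. `description: Summary of the Trail of Bits audit of the Temurin build and distribution processes and the resulting remediation work.` Two smaller points in the same hunk: "Status of the audit" links to the "report from Trail of bits", which should be "Trail of Bits" to match the capitalisation used in the Introduction and Conclusion, and the Semgrep link text points at an issue comment in the infrastructure repository rather than at Semgrep itself, so consider linking the tool name to its project page and keeping the issue comment as a separate reference to the rollout.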