Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

blog: External audit summary #2919

Merged
merged 10 commits into from
Jun 18, 2024
Merged

blog: External audit summary #2919

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
7fe569c
blog: External audit summary
sxa Jun 10, 2024
97aabf3
Remove erroneous blank line at end of file
sxa Jun 17, 2024
40122a5
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
8fd5a45
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
69450b1
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
97d220c
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
12bfa76
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
864bbf0
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
409ed14
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
e6ce9f9
Update content/blog/external_audit/index.md
sxa Jun 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
55 changes: 55 additions & 0 deletions content/blog/external_audit/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,55 @@
---
title: External audit of Temurin build and distribution processes
date: "2024-06-17T17:00:00+00:00"
author: pmc
description:
tags:
- temurin
- security
---
## Introduction

Last year, the Eclipse Foundation engaged the
[Open Source Technology Improvement Fund](https://ostif.org/) to
perform an independent audit of the build and distribution processes for
Eclipse Temurin. This was done by the cybersecurity research and consulting
firm [Trail of Bits](https://www.trailofbits.com/).

## Motivation

The work done as part of this audit is consistent with other
[software supply-chain security work](https://adoptium.net/docs/slsa/) which
the Adoptium team are already doing with Temurin, such as the work to
attain
[SLSA build level 3 compliance](https://adoptium.net/blog/2024/01/slsabuild3-temurin/)
as well as other work to
[harden the security](https://adoptium.net/docs/secure-software/) of parts of the project, so it
was a natural next step to have an external team look at our build and
distribution processes to identify areas for improvement.

## Semgrep static analysis

As part of this collaboration with Trail of Bits we have also implemented
the open-source static analysis tool
[Semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833)
in our repositories as an additional automated check on each PR to ensure
that the types of findings from the audit are identified before being merged
into our codebase if they occur in the future.

## Status of the audit

The audit and subsequent remediation work from it are now complete. The
[report from Trail of bits](https://ostif.org/wp-content/uploads/2024/06/Temurin-Final-Report.pdf)
is now available, and a document with our
[response and list of remediation actions](https://adoptium.net/pdf/temurin-audit-response.pdf) is also available.

## Conclusion

This has been a very productive collaboration for the Adoptium team. Thanks go to the OpenSSF’s
Alpha-Omega project that provided funding to help Adoptium and other Eclipse Foundation projects
improve their security, the Foundation itself for providing this opportunity to Adoptium, and the
Adoptium project members that worked on achieving the resolutions.

An exercise such as this could be very useful for other projects out there.
A list of others that Trail of Bits have been involved with can be seen on
[their publication page](https://github.com/trailofbits/publications).
Loading