From 7fe569cfdc71c0ae228cf7ade5fac7110000ce80 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 10 Jun 2024 14:42:27 +0100 Subject: [PATCH 01/10] blog: External audit summary Signed-off-by: Stewart X Addison --- content/blog/external_audit/index.md | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 content/blog/external_audit/index.md diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md new file mode 100644 index 000000000..41f4bd2d6 --- /dev/null +++ b/content/blog/external_audit/index.md 
@@ -0,0 +1,50 @@ +--- +title: External audit of Temurin build and distribution processes +date: "2024-06-17T17:00:00+00:00" +author: sxa +description: +tags: + - temurin + - security +--- +## Introduction + +Last year, the Eclipse Foundation engaged the +[Open Source Technology Improvement Fund](https://ostif.org/) in order to +perform an independent audit of the build and distribution processes for +Eclipse Temurin. This was done by the cybersecurity research and consulting +firm [Trail of Bits](https://www.trailofbits.com/) + +## Motivation + +The work done as part of this auditis consistent with other software supply-chain security work which +the Adoptium team are already doing with Temurin, such as the work to +attain +[SLSA build level 3 compliance](https://adoptium.net/en-GB/blog/2024/01/slsabuild3-temurin/) +as well as other work to harden the security of parts of the project, so it +was a natural next step to have an external team look at our build and +distribution processes to identify areas for improvement. + +## semgrep static analysis + +As part of this collaboration with Trail of Bits we have also implemented +the open-source static analysis tool +[semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833) +in our repositories as an additional automated check on each PR to ensure +that the types of findings from the audit are identified before being merged +into our codebase if they occur in the future. + +## Status of the audit + +The audit and subsequent remediation work from it are now complete. The +[report from Trail of bits](https://ostif.org/wp-content/uploads/2024/06/Temurin-Final-Report.pdf) +is now available, and a document with our +[response and list of remediation actions](https://adoptium.net/pdf/temurin-audit-response.pdf) is also available. 
+ +## Conclusion + +This has been a very productive collaboration for the Adoptium team, and an +exercise such as this could be very useful for other projects out there. +A list of others that Trail of Bits have been involved with can be seen on +[their publication page](https://github.com/trailofbits/publications). + From 97aabf356a0aeb96fccac90fd265ba84a1326cd2 Mon Sep 17 00:00:00 2001 From: Stewart X Addison Date: Mon, 17 Jun 2024 11:28:05 +0100 Subject: [PATCH 02/10] Remove erroneous blank line at end of file Signed-off-by: Stewart X Addison --- content/blog/external_audit/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 41f4bd2d6..b45ed8400 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -47,4 +47,3 @@ This has been a very productive collaboration for the Adoptium team, and an exercise such as this could be very useful for other projects out there. A list of others that Trail of Bits have been involved with can be seen on [their publication page](https://github.com/trailofbits/publications). - From 40122a5b36700a5d2024eb935c4ddbdf403c0781 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:29:21 +0100 Subject: [PATCH 03/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index b45ed8400..7db0853f9 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -1,7 +1,7 @@ --- title: External audit of Temurin build and distribution processes date: "2024-06-17T17:00:00+00:00" -author: sxa +author: pmc description: tags: - temurin From 8fd5a4501ecb8a9570d3caa793129f48c8fe4dbc Mon Sep 17 00:00:00 2001 
From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:29:49 +0100 Subject: [PATCH 04/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 7db0853f9..ec6cf7bea 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -17,7 +17,8 @@ firm [Trail of Bits](https://www.trailofbits.com/) ## Motivation -The work done as part of this auditis consistent with other software supply-chain security work which +The work done as part of this audit is consistent with other +[software supply-chain security work](https://adoptium.net/docs/slsa/) which the Adoptium team are already doing with Temurin, such as the work to attain [SLSA build level 3 compliance](https://adoptium.net/en-GB/blog/2024/01/slsabuild3-temurin/) From 69450b168d0ad0df77f1f8f4899b646728921afb Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:30:00 +0100 Subject: [PATCH 05/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index ec6cf7bea..6ad885102 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -26,7 +26,7 @@ as well as other work to harden the security of parts of the project, so it was a natural next step to have an external team look at our build and distribution processes to identify areas for improvement. -## semgrep static analysis +## Semgrep static analysis As part of this collaboration with Trail of Bits we have also implemented the open-source static analysis tool 
From 97d220c2e20464e958729e19d3006f311df45a48 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:32:08 +0100 Subject: [PATCH 06/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 6ad885102..5de29be91 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -22,7 +22,8 @@ The work done as part of this audit is consistent with other the Adoptium team are already doing with Temurin, such as the work to attain [SLSA build level 3 compliance](https://adoptium.net/en-GB/blog/2024/01/slsabuild3-temurin/) -as well as other work to harden the security of parts of the project, so it +as well as other work to +[harden the security](https://adoptium.net/docs/secure-software/) of parts of the project, so it was a natural next step to have an external team look at our build and distribution processes to identify areas for improvement. From 12bfa76d016d9c5c27e5156c31d160d5bcf106c1 Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:32:21 +0100 Subject: [PATCH 07/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 5de29be91..e42fd5892 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md 
@@ -10,10 +10,10 @@ tags: ## Introduction Last year, the Eclipse Foundation engaged the -[Open Source Technology Improvement Fund](https://ostif.org/) in order to +[Open Source Technology Improvement Fund](https://ostif.org/) to perform an independent audit of the build and distribution processes for Eclipse Temurin. This was done by the cybersecurity research and consulting -firm [Trail of Bits](https://www.trailofbits.com/) +firm [Trail of Bits](https://www.trailofbits.com/). ## Motivation From 864bbf0cf5d91627358901af2e979978bc1a235d Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:32:38 +0100 Subject: [PATCH 08/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index e42fd5892..330026df4 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -45,7 +45,11 @@ is now available, and a document with our ## Conclusion -This has been a very productive collaboration for the Adoptium team, and an -exercise such as this could be very useful for other projects out there. +This has been a very productive collaboration for the Adoptium team. Thanks go to the OpenSSF’s +Alpha-Omega project that provided funding to help Adoptium and other Eclipse Foundation projects +improve their security, the Foundation itself for providing this opportunity to Adoptium, and the +Adoptium project members that worked on achieving the resolutions. + +An exercise such as this could be very useful for other projects out there. A list of others that Trail of Bits have been involved with can be seen on [their publication page](https://github.com/trailofbits/publications). From 409ed142f3c39f463d8cb8cce4231f044f699596 Mon Sep 17 00:00:00 2001 
From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:33:14 +0100 Subject: [PATCH 09/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 330026df4..7519520ae 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md @@ -31,7 +31,7 @@ distribution processes to identify areas for improvement. As part of this collaboration with Trail of Bits we have also implemented the open-source static analysis tool -[semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833) +[Semgrep](https://github.com/adoptium/infrastructure/issues/3371#issuecomment-1976959833) in our repositories as an additional automated check on each PR to ensure that the types of findings from the audit are identified before being merged into our codebase if they occur in the future. From e6ce9f9520254e0250b5d52be6875f01f0280b0b Mon Sep 17 00:00:00 2001 From: Stewart X Addison <6487691+sxa@users.noreply.github.com> Date: Mon, 17 Jun 2024 11:41:04 +0100 Subject: [PATCH 10/10] Update content/blog/external_audit/index.md Co-authored-by: Tim Ellison --- content/blog/external_audit/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/blog/external_audit/index.md b/content/blog/external_audit/index.md index 7519520ae..122c58659 100644 --- a/content/blog/external_audit/index.md +++ b/content/blog/external_audit/index.md 
@@ -21,7 +21,7 @@ The work done as part of this audit is consistent with other [software supply-chain security work](https://adoptium.net/docs/slsa/) which the Adoptium team are already doing with Temurin, such as the work to attain -[SLSA build level 3 compliance](https://adoptium.net/en-GB/blog/2024/01/slsabuild3-temurin/) +[SLSA build level 3 compliance](https://adoptium.net/blog/2024/01/slsabuild3-temurin/) as well as other work to [harden the security](https://adoptium.net/docs/secure-software/) of parts of the project, so it was a natural next step to have an external team look at our build and
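Review bot: In the front matter added by PATCH 01, `description:` is left empty; the value feeds the page's meta description and blog listing summary, so give it a one-line summary such as "Summary of the independent Trail of Bits audit of Temurin's build and distribution processes". Two smaller points in the same hunk: the Introduction opens with "Last year", which will read wrongly once the post is a year old, so name the year explicitly; and the link labelled "semgrep" points at a comment on adoptium/infrastructure issue 3371 rather than at the tool, so either link the Semgrep project and cite the issue separately, or reword the sentence to say that the rollout is tracked in that issue.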
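Review bot: In the Conclusion paragraph added by PATCH 08, "worked on achieving the resolutions" uses a term that appears nowhere else in the post; the Status section calls them "remediation actions", so "worked on the remediations" keeps the terminology consistent. In the same paragraph, OSTIF and Trail of Bits are linked where they are first named but the OpenSSF Alpha-Omega project is not; a link to the project would match the rest of the post.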
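Review bot: PATCH 09 (with PATCH 05) normalises "semgrep" to "Semgrep" in the heading and link text, but the same kind of inconsistency survives the series in the Status section, where the report link reads "report from Trail of bits" while every other mention uses "Trail of Bits"; fix that line in the same pass.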