External audit of Temurin build and distribution processes

Adoptium PMC, June 17, 2024

Introduction

Last year, the Eclipse Foundation engaged the Open Source Technology Improvement Fund to perform an independent audit of the build and distribution processes for Eclipse Temurin. This was done by the cybersecurity research and consulting firm Trail of Bits.

Motivation

The work done as part of this audit is consistent with other software supply-chain security work the Adoptium team is already doing on Temurin, such as the effort to attain SLSA build level 3 compliance and other work to harden parts of the project. Having an external team review our build and distribution processes to identify areas for improvement was therefore a natural next step.

Semgrep static analysis

As part of this collaboration with Trail of Bits, we have also adopted the open-source static analysis tool Semgrep in our repositories as an additional automated check on each PR, so that findings of the kind raised in the audit are identified before being merged into our codebase should they recur in the future.

Status of the audit

The audit and the subsequent remediation work are now complete. The report from Trail of Bits is now available, as is a document with our response and the list of remediation actions.

Conclusion

This has been a very productive collaboration for the Adoptium team. Thanks go to the OpenSSF’s Alpha-Omega project, which provided funding to help Adoptium and other Eclipse Foundation projects improve their security; to the Foundation itself for providing this opportunity to Adoptium; and to the Adoptium project members who worked on achieving the resolutions.

An exercise such as this could be very useful for other projects. A list of other projects that Trail of Bits has been involved with can be seen on their publication page.
