Today, the Eclipse Foundation released the results of our security audit for the Eclipse Temurin project. Findings from the audit have been addressed in the latest versioned source code of Eclipse Adoptium and Eclipse Temurin, available in various repositories at https://github.com/adoptium .
Eclipse Temurin is a part of the Eclipse Adoptium project. The Eclipse Temurin project provides code and processes that support the building of runtime binaries and associated technologies for general use across the Java ecosystem. Runtimes released by the Adoptium project count millions of downloads, so security of build scripts is critical for a large number of users.
The audit concentrated on areas like: the usage of secure HTTPS downloads, authenticity and integrity guarantees, state-of-the-art use of cryptography, hardcoded or otherwise exposed secrets or tokens.
Auditors worked closely with the project team to understand the code and provide feedback on the improvements. The report includes 19 findings with security implications and additional annexes with suggestions for code quality improvements. The high severity issues included:
- Possible code injection
- Software download and installation missing verification
- Disabled host verification
All security issues have been solved, by fixing the code, changes in the configuration and other means.
Check the full report and the Adoptium project response for more information and details of findings and fixes.
This was our sixth open source project security audit, and this was completed by Trail of Bits. Like our four previous audits, this initiative was done in partnership with the Open Source Technology Improvement Fund (OSTIF) and was made possible due to the funding the Eclipse Foundation received from the Alpha-Omega Project.
Impartial security audits like this play an important role in securing the open source software supply chain. Keep an eye on our blog for more security audit announcements in the future.
Get Involved
- Get started with Eclipse Adoptium and Eclipse Temurin https://adoptium.net/contributing/ and learn how you can contribute to the project.
- Learn more about the new Open Regulatory Compliance Working Group, a working group that is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem and to demonstrate our commitment to cooperation with and implementation of the CRA.
