OSTIF is proud to announce the publication of our fourteenth completed audit this year! 

In association with X41 D-Sec and go-tuf, OSTIF publishes another FOSS security audit after weeks of hard work and dedication. Go-tuf is a Go implementation of The Update Framework (“TUF”), used to securely run software update systems.

The main priority of the audit was to review go-tuf’s source code, primarily through manual review. Fuzzers were used mainly for preliminary scoping of the source code. The X41 team hypothesizes that while deeper fuzz testing of go-tuf is possible, fuzzing efforts are best focused on detecting irregularities in implementations. During X41’s code review, one medium-severity, one low-severity, and four unranked vulnerabilities were identified.

The medium-severity finding, with two confirmed attack scenarios, was classified as CWE-59 (Improper Link Resolution Before File Access); it could allow a bad actor to place their own links into the repository. The low-severity finding was architectural, dealing with possibly untied updates or metadata.

OSTIF is grateful to our frequent collaborators, X41 D-Sec, for their work and report on go-tuf. Furthermore, we express our gratitude to the go-tuf team, particularly Joshua Lock and Radoslav Dimitrov. Thank you as well to CNCF for funding and supporting this audit.

Feedback from go-tuf: “As part of the go-tuf community we were happy to see the results of the assessment and the overall quality of the report.”

With the completion of this audit and more, we hope to encourage further collaboration and successes in the FOSS security space.

Read the full report here: https://ostif.org/wp-content/uploads/2023/06/X41-go-tuf-Audit-2023-Final-Report-PUBLIC.pdf

Read X41’s blog and announcement here: https://x41-dsec.de/news/2023/06/07/go-tuf/