OSTIF is proud to share the results of our security audit of Temurin. Temurin is an open source project for building high performing Java runtime binaries. With the help of Trail of Bits and the Eclipse Foundation, this project will continue to securely support users who develop Java codes across a wide range of platforms.

Audit Process:

Using automated and manual methods, the Trail of Bits audit team performed static and dynamic testing on the source code of the project, which falls under the top-level Adoptium project. Using guidance from project goals outlined in the report, manual review focused on authentication, authorization, and access controls, as well as potential for command injection and other injection bugs. Static analysis, which utilized Semgrep rules, sought Java and Kotlin code quality issues, verification of software authenticity, and connections to HTTP/HTTPS endpoints. 

Audit Results:

  • 19 Findings with a Security Impact
    • 8 High
    • 1 Medium
    • 9 Low/Informational
    • 1 Undetermined
  • Custom Fix and General Code Quality Recommendations
  • Compiler Mitigation Steps

Third-party security audits don’t just create quantitative results but also result in documentation, insights, and recommendations that help project maintainers plan future security as well as releases and life cycles. As the security of a single project can affect the overall security of the ecosystem it’s tied to, it’s important to contribute to efforts to help secure projects under the larger umbrella of Adoptium.

The Temurin team has take the following steps:

  • 73% of reported issues have been resolved or partially resolved by the Temurin team as of publication
  • Provided Fix Review Results detailing their response to the Audit Report

Thank you to the individuals and groups that made this engagement possible:

  • Temurin maintainers and community
  • Trail of Bits- Ander Helsing, Sam Alws, Matt Schwager, and Jeff Braswell
  • The Eclipse Foundation

You can read the Audit Report HERE

Read the Temurin Audit Response HERE

You can read Adoptium’s Blog HERE

You can read Eclipse Foundation’s Blog HERE

Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, contact [email protected].