Skip to main content

Results of Sigstore and slf4j Security Audits Including 1 High Risk Vulnerability Found and Fixed

By July 18, 2022October 24th, 2022Blog, Sigstore
Security Audit Results for sigstore and slf4j

By: Amir Montazery, OSTIF

We’re excited to report the results of two security audits, one for Sigstore and one for slf4j. Sigstore is a new system for signing, verifying and protecting software; and has quickly grown into a premier tool for securing the software supply chain. Simple Logging Facade for Java, slf4j, is identified in the Harvard Census II results as one of the most widely-deployed logging frameworks. The security and supply chain reviews were facilitated by Open Source Technology Improvement Fund and carried out by Include Security.

The goal of security audits is to find vulnerabilities so they can be fixed before attackers exploit them, as well as to identify opportunities to harden a project’s implementation and processes to counter vulnerabilities in the future. The Sigstore and slf4j teams demonstrated a strong commitment to improving security posture by requesting independent review and actively participating in the audit process. 

Sigstore Security Audit

The results of the Sigstore security audit are three findings (1 High Risk, 2 Low Risk), fuzzing improvements, and a documented threat model. The high-risk finding along with one of the low-risk findings identified through this security audit have already been fixed and validated. See the Sigstore Security Audit Full Report.

slf4j Security Audit

Upon review, it was found that slf4j has a very small attack surface area and does not support post-processing of logging messages that may be cause for security concern, such as the log4j vulnerabilities published in 2021. The results of the security audit are three (1 Low Risk, 2 Informational) findings, a documented threat model, and a Supply Chain Security review against SLSA. All findings identified through this security audit have been fixed and validated. See the slf4j Security Audit Full Report.

For more information about the audits visit the OSTIF website. The OpenSSF supports work like these security audits to make the open source software supply chain more secure. Proactive security audits go a long way in detecting and fixing vulnerabilities before attackers can exploit them. Everyone around the world depends on OSS, and security audits play an important role in securing the open source ecosystem.

This post represents the views of the authors & does not necessarily reflect those of all OpenSSF members.