From 42b43925386ca65281c81daae199536eef0553c4 Mon Sep 17 00:00:00 2001
From: svrnm
Date: Thu, 18 Jul 2024 14:22:24 -0400
Subject: [PATCH 1/3] Add blog post for the security audit results
Signed-off-by: svrnm
---
 .../en/blog/2024/security-audit-results.md | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 content/en/blog/2024/security-audit-results.md
diff --git a/content/en/blog/2024/security-audit-results.md b/content/en/blog/2024/security-audit-results.md
new file mode 100644
index 000000000000..d33b63124864
--- /dev/null
+++ b/content/en/blog/2024/security-audit-results.md
@@ -0,0 +1,46 @@
+---
+title: OpenTelemetry Security Audit Published
+linkTitle: Security Audit Results
+date: 2024-07-22
+author: >-
+ [Author1 Name](https://github.com/author1_GH_ID) (Organization Name 1),
+ [AuthorX Name](https://github.com/authorX_GH_ID) (Organization Name X)
+issue:
+sig: GC
+---
+
+Thousands of organizations and millions of users around the world rely on
+[OpenTelemetry](/) as part of their observability toolkit. To this end, it is
+our responsibility as a project to ensure our code is safe, secure, and
+performant. In conjunction with [OSTIF](https://ostif.org/) and
+[7ASecurity](https://7asecurity.com/), and the support of the
+[Cloud Native Computing Foundation](https://www.cncf.io/), we recently engaged
+upon a security audit of the OpenTelemetry Collector and four SDKs – Go, Java,
+C#, and Python.
+
+We are pleased to announce the publication of this audit, as well as its
+results. Two CVEs were identified and remediated prior to the publication of
+this audit (see
+[CVE-2024-36129](https://nvd.nist.gov/vuln/detail/CVE-2024-36129) for
+information on both) in the OpenTelemetry Collector, and five hardening
+recommendations were made. Overall, the results of the audit are very positive,
+with the auditors noting the high quality of source code and the security best
+practices that the project is following.
+
+The conclusion of this audit marks an important milestone on our journey towards
+the next stage of maturity in the CNCF, graduation. We’ll have more to share on
+that in the coming months. The OpenTelemetry Governance Committee and Security
+SIG would also like to personally commend the contributors and maintainers of
+OpenTelemetry for their high-quality work over the years.
+
+Finally, we would like to thank the following individuals and groups:
+
+- SIG Security
+- SIG Collector
+- 7ASecurity
+- OSTIF
+
+You can read more about the audit on the
+[OSTIF](https://www.ostif.org/otel-audit-complete/) and 7A Security blogs, or
+read the
+[full report](https://7asecurity.com/reports/pentest-report-opentelemetry.pdf).
From 5a7ee2a3cdda64b08759c20e1edfb602dc2727ca Mon Sep 17 00:00:00 2001
From: svrnm
Date: Mon, 22 Jul 2024 11:20:33 +0200
Subject: [PATCH 2/3] add austin as author
Signed-off-by: svrnm
---
 content/en/blog/2024/security-audit-results.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/content/en/blog/2024/security-audit-results.md b/content/en/blog/2024/security-audit-results.md
index d33b63124864..d5fa4bd91998 100644
--- a/content/en/blog/2024/security-audit-results.md
+++ b/content/en/blog/2024/security-audit-results.md
@@ -2,9 +2,7 @@
 title: OpenTelemetry Security Audit Published
 linkTitle: Security Audit Results
 date: 2024-07-22
-author: >-
- [Author1 Name](https://github.com/author1_GH_ID) (Organization Name 1),
- [AuthorX Name](https://github.com/authorX_GH_ID) (Organization Name X)
+author: '[Austin Parker](https://github.com/austinlparker)'
 issue:
 sig: GC
 ---
From ba570e40fc6a0ebde793af75f4165f58b416e37e Mon Sep 17 00:00:00 2001
From: opentelemetrybot <107717825+opentelemetrybot@users.noreply.github.com>
Date: Mon, 22 Jul 2024 14:21:46 +0000
Subject: [PATCH 3/3] Results from /fix:all
---
 static/refcache.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/static/refcache.json b/static/refcache.json
index 7849556a4b2e..1967509278e6 100644
--- a/static/refcache.json
+++ b/static/refcache.json
@@ -51,6 +51,10 @@
 "StatusCode": 206,
 "LastSeen": "2024-06-04T17:29:49.77219755+02:00"
 },
+ "https://7asecurity.com/reports/pentest-report-opentelemetry.pdf": {
+ "StatusCode": 206,
+ "LastSeen": "2024-07-22T14:20:49.972502516Z"
+ },
 "https://access.redhat.com/products/ansible-tower-red-hat": {
 "StatusCode": 200,
 "LastSeen": "2024-01-18T08:05:55.59597-05:00"
@@ -9727,6 +9731,10 @@
 "StatusCode": 200,
 "LastSeen": "2024-01-18T19:55:46.046387-05:00"
 },
+ "https://www.ostif.org/otel-audit-complete/": {
+ "StatusCode": 200,
+ "LastSeen": "2024-07-22T14:20:47.739450411Z"
+ },
 "https://www.otelbin.io/": {
 "StatusCode": 200,
 "LastSeen": "2024-01-30T16:14:44.039011-05:00"