asf-tooling opened a new issue, #983:
URL: https://github.com/apache/tooling-trusted-releases/issues/983

   **ASVS Level(s):** [L2-only]
   
   **Description:**
   
   ### Summary
   The entire distributions.py writer module has no calls to 
`append_to_audit_log()`. Distribution operations include recording package 
uploads to platforms like Maven/PyPI/npm, automating GitHub Actions workflows, 
and deleting distribution records—all security-critical supply chain 
operations. An attacker with committee access could record fake distributions, 
trigger malicious distribution workflows, or delete distribution records with 
zero audit trail.
   
   ### Details
   **Affected Files and Lines:**
   - `atr/storage/writers/distributions.py` - Entire file without audit logging
   
   All distribution lifecycle operations lack audit trails, making forensic 
investigation and compliance verification impossible.
   
   ### Recommended Remediation
   Add audit logging to all distribution operations:
   
   ```python
   # In automate()
   self.__write_as.append_to_audit_log(
       operation='distribution_automate',
       release_key=release_key,
       platform=platform
   )
   
   # In record()
   self.__write_as.append_to_audit_log(
       operation='distribution_record',
       release_key=release_key,
       platform=platform,
       package=package,
       version=version
   )
   
   # In delete_distribution()
   self.__write_as.append_to_audit_log(
       operation='distribution_delete',
       distribution_id=distribution_id,
       release_key=distribution.release_key
   )
   ```
   
   Add `self.__write_as.append_to_audit_log()` calls after database commits 
with context including asf_uid, release_key, platform, package, and version.
   
   ### Acceptance Criteria
   - [ ] Audit logging added to automate()
   - [ ] Audit logging added to record()
   - [ ] Audit logging added to delete_distribution()
   - [ ] All operations captured
   - [ ] Context information included
   - [ ] Unit test verifying the fix
   
   ### References
   - Source reports: L2:16.1.1.md
   - Related findings: FINDING-019
   - ASVS sections: 16.1.1
   
   ### Priority
   High
   
   ---
   
   **Triage notes:** look at all atr/storage/writers; balance info with spam


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
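As an added illustration of the remediation this issue asks for (a constructed example, not code from the tooling-trusted-releases project): a writer whose `record()`, `automate()` and `delete_distribution()` each commit first and then append an audit entry carrying the asf_uid, release_key, platform, package and version context, plus a coverage check of the kind a unit test for the fix could use. `AuditLog`, `FakeSession`, `DistributionsWriter`, `Distribution` and `run_lifecycle` are all stand-ins written for this example; the real `append_to_audit_log()` signature is only known here from the keyword arguments quoted in the issue, so the stand-in simply accepts `operation`, `asf_uid` and arbitrary context keys.

```python
"""Commit-then-audit pattern for distribution writes (constructed example)."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditEntry:
    """One audit record: who did what, with which context, and when."""
    operation: str
    asf_uid: str
    context: dict[str, object]
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())

    def to_json(self) -> str:
        # Sorted keys give a stable line format for log shipping and review.
        return json.dumps(self.__dict__, sort_keys=True)


class AuditLog:
    """Append-only in-memory sink standing in for the project's audit log (assumption)."""

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    def append_to_audit_log(self, operation: str, asf_uid: str,
                            **context: object) -> AuditEntry:
        entry = AuditEntry(operation=operation, asf_uid=asf_uid, context=dict(context))
        self.entries.append(entry)
        return entry

    def missing_operations(self, expected: set[str]) -> set[str]:
        """Operations that were expected but never produced an entry ("all operations captured")."""
        return expected - {e.operation for e in self.entries}


@dataclass
class Distribution:
    release_key: str
    platform: str
    package: str
    version: str
    id: int | None = None


class FakeSession:
    """Minimal stand-in for a database session (assumption, not the project's ORM)."""

    def __init__(self) -> None:
        self.rows: dict[int, Distribution] = {}
        self._pending_adds: list[Distribution] = []
        self._pending_deletes: list[int] = []
        self._next_id = 1

    def add(self, row: Distribution) -> None:
        self._pending_adds.append(row)

    def delete(self, row: Distribution) -> None:
        self._pending_deletes.append(row.id)

    def commit(self) -> None:
        for row in self._pending_adds:
            row.id = self._next_id
            self._next_id += 1
            self.rows[row.id] = row
        self._pending_adds.clear()
        for row_id in self._pending_deletes:
            del self.rows[row_id]
        self._pending_deletes.clear()


class DistributionsWriter:
    """Every lifecycle operation commits first, then writes its audit entry."""

    def __init__(self, session: FakeSession, audit: AuditLog, asf_uid: str) -> None:
        self._session = session
        self._audit = audit
        self._asf_uid = asf_uid

    def record(self, release_key: str, platform: str, package: str, version: str) -> Distribution:
        dist = Distribution(release_key, platform, package, version)
        self._session.add(dist)
        self._session.commit()
        # Audit after the commit so the log never claims a write that did not persist.
        self._audit.append_to_audit_log(
            "distribution_record", asf_uid=self._asf_uid, release_key=release_key,
            platform=platform, package=package, version=version, distribution_id=dist.id)
        return dist

    def automate(self, release_key: str, platform: str) -> AuditEntry:
        # The workflow dispatch itself is out of scope here; only the audit record is shown.
        return self._audit.append_to_audit_log(
            "distribution_automate", asf_uid=self._asf_uid,
            release_key=release_key, platform=platform)

    def delete_distribution(self, distribution_id: int) -> None:
        dist = self._session.rows.get(distribution_id)
        if dist is None:
            # Nothing changed, so nothing is audited: the trail records effects, not attempts.
            raise KeyError(f"no distribution with id {distribution_id}")
        self._session.delete(dist)
        self._session.commit()
        # The in-memory object still holds release_key, the value investigators search by.
        self._audit.append_to_audit_log(
            "distribution_delete", asf_uid=self._asf_uid,
            distribution_id=distribution_id, release_key=dist.release_key)


def run_lifecycle() -> AuditLog:
    """Run record -> automate -> delete on a constructed session and return the trail."""
    audit = AuditLog()
    writer = DistributionsWriter(FakeSession(), audit, asf_uid="example-committer")
    dist = writer.record("example-1.0", "pypi", "example-pkg", "1.0.0")
    writer.automate("example-1.0", "pypi")
    writer.delete_distribution(dist.id)
    return audit
```

The ordering matters for the forensic value the issue is after: logging before the commit would record operations that may have rolled back, while logging after it guarantees every entry corresponds to a persisted change. `missing_operations()` is the shape of check a unit test for the fix can run over the three operation names to confirm none of them slipped through without an entry.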

