This month saw significant activity in efforts aimed to improve the security posture of Eclipse projects, with the successful completion of the following Rapid Security Reviews:
To streamline the review process, initial exploratory work has commenced on leveraging AI tooling to enhance data gathering and integrate all relevant information into a unified interface.
The SBOM Adoption initiative continued to advance this month through notable infrastructure, vulnerability alerting and implementation developments.
- The SBOM Registry was updated through the successful deployment of Dependency-Track 1.14 in the production environment.
- The staging environment for the SBOM Registry was successfully deployed, offering broader testing and validation capabilities to projects. Initial tests of using PIA for SBOM upload to the staging registry worked as expected.
- Development progressed on a data syncing mechanism for Dependency-Track data across environments.
- SBOM generation workflows across all Eclipse OpenVSX products have been consolidated into a single, unified workflow that supports the complete end-to-end process, from SBOM generation through to upload to sbom.eclipse.org
- Vulnerability alerting has been enabled for Eclipse OpenVSX products, enhancing proactive security monitoring and risk detection.
In response to the Trivy compromise, a coordinated incident response effort was initiated to assess potential impact, support affected projects, and provide clear, actionable guidance.
These activities were complemented by the publication of guidance materials tailored to both users and developers, capturing key recommendations and best practices derived from the response. Additional details can be found in the accompanying blog posts:
- Stop trusting mutable references: how Eclipse Foundation projects should harden GitHub Actions after the Trivy compromise
- Don't become the next Trivy: how to make your releases, tags, and automation resistant to compromise
- GitHub Actions dependencies were updated to ensure CI pipelines use current, secure versions, including major upgrades to Docker and artifact workflows (PR #621, PR #610, PR #607).
- All Python dependencies were updated ahead of the v1.3.0 release, including patches for vulnerabilities in werkzeug, rollup, and picomatch (PR #618, PR #606, PR #601, PR #624).
- Experimental support was added for uploading SBOMs to a Dependency-Track staging instance via the Project Identity Authority (PIA) (PR #613).
- HashiCorp Vault support was introduced as a secrets provider alongside Pass and Bitwarden backends (PR #540).
- Credential management via environment variables was added to support non-interactive and automated workflows (PR #593).
- A new --only-secrets flag enables restricting operations to secret updates, reducing risk during targeted changes (PR #620).
- Support for managing fork pull request approval policies was added at both repository and organization levels, enabling configurable enforcement for external contributors (PR #576).
- Visibility into auto-merge failures was improved by adding automated pull request comments when configuration issues occur (PR #603).
- Pre-Publication Scan Enforcement: Security scanning checks were fully enforced at publish time across the registry, covering blocklist filtering, secret scanning, YARA rules, ClamAV malware detection, and name squatting detection. Previously these checks ran but were non-blocking (PR #8450, Issue #8414).
- Synchronous Malware Detection: Malicious zip file checks were promoted from asynchronous background jobs to synchronous publish-time checks, ensuring publishers receive immediate rejection feedback and that extensions are correctly flagged as potentially malicious before becoming available (PR #1721).
- Scan Infrastructure Reliability: A duplicate scan job key constraint that caused scan failures was identified and resolved (PR #1657, Issue #1652). Scan concurrency was also capped to prevent resource exhaustion under load (PR #1654).
- Blocklist Updates: The malicious extension blocklist was updated over 10 times throughout the month, including the addition of glassworm-related extensions and others identified through ongoing threat monitoring.
- Token Expiration Policy: Access token expiration was introduced as a new security control, defaulting to a 90-day lifetime with configurable notification windows. This limits the risk window of compromised or abandoned credentials (PR #1513).
- Expiry Notifications: Email notifications were added to alert users both before and after their tokens expire, ensuring publishers are prompted to rotate credentials rather than leaving stale tokens active indefinitely (PR #1701).
- Production Rollout: Token expiry configuration was deployed to the production environment at the end of the month.
- Spring Boot Security Update: The Spring Boot framework was bumped to version 3.5.12, incorporating upstream security patches into the backend (PR #1714).
- Netty Network Security: The Netty dependency was updated from 4.2.7.Final to 4.2.12.Final, resolving network I/O vulnerabilities in the server's HTTP layer (PR #1724).
- XSS Protection: DOMPurify was updated from 3.2.4 to 3.3.2 in the web UI, strengthening sanitization of untrusted HTML and reducing cross-site scripting exposure (PR #1671).
- Archive Handling: The tar package received two successive security patch releases across both the CLI and web UI packages, addressing vulnerabilities in archive extraction (PR #1665, PR #1666, PR #1678, PR #1681).
- ReDoS Prevention: brace-expansion and picomatch were updated to patched versions that eliminate Regular Expression Denial of Service (ReDoS) exposure in path-matching logic (PR #1725, PR #1719, PR #1720).
- GitHub Actions Bulk Update: Seven GitHub Actions dependencies were updated to their latest major versions (PR #1710, PR #1660).
- Workflow Permission Scoping: Workflow permissions in EclipseFdn/open-vsx.org were audited and reduced in scope, removing overly broad CI bot permissions that were not required for the deployment workflow.
- Vulnerability Disclosure Endpoint: A /.well-known/security.txt file (RFC 9116) was added to the Open VSX registry, providing a standardized and publicly discoverable contact point for responsible vulnerability disclosure (PR #9021).
- Security Policy Update: The security policy in the core eclipse-openvsx/openvsx repository was revised to reflect current practices and contacts.