


Eclipse Jetty Security Audit Has Been Completed
We’re proud to share that the Eclipse Foundation has completed the security audit for Eclipse Jetty, one of the world’s most widely deployed web server and servlet containers. All users are encouraged to upgrade to versions containing changes addressing all conclusions of the audit: Eclipse Jetty 12.0.0
, 11.0.16
, 10.0.16
, and 9.4.53
.

Eclipse Foundation Publishes Results of Eclipse JKube Security Audit
Today, the Eclipse Foundation released the results of our security audit for Eclipse JKube, a collection of tools for building Java applications that can be deployed to a cloud environment. Findings from the audit have been addressed in the 1.13 release leading to a new feature.
Eclipse Foundation Publishes Results of Equinox p2 Security Audit
Over the past year, the Eclipse Foundation has made securing the open source software supply chain a priority. By growing our security team and laying the groundwork for the Cyber Risk Initiative, we’ve made strides to improve the security posture of our open source projects.
Today, we’re taking another step forward with the completion of the security audit for Equinox p2, the provisioning component of the Eclipse IDE.
New SLSA++ Survey Reveals Real-World Developer Approaches to Software Supply Chain Security
Answering even basic questions about software supply chain security has been surprisingly hard. For instance, how widespread are the different practices associated with software supply chain security? And do software professionals view these practices as useful or not? Easy or hard? To help answer these and related questions, Chainguard, the Eclipse Foundation, the Rust Foundation, and the Open Source Security Foundation (OpenSSF) partnered to field a software supply chain security survey. The questions were primarily, but not exclusively, derived from the security requirements associated with the Supply-chain Levels for Software Artifacts (SLSA) supply chain integrity framework version 0.1 (the version when the survey was conducted), hence SLSA++.
March 2023 Update on Security improvements at the Eclipse Foundation
Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months.

Shell Hole: How Advanced Prompts are Putting Software Developers at Risk
Advanced shell prompts, such as those provided by theme engines like oh-my-zsh and oh-my-posh, have become increasingly popular among software developers due to their convenience, versatility, and customizability. However, the use of plugins that are executed outside of any sandbox and have full access to the developer shell environment, presents significant security risks, especially for Open Source Software developers.
Update on Security improvements at the Eclipse Foundation
Thanks to financial support from the OpenSSF’s Alpha-Omega project, the Eclipse Foundation is glad to have made significant improvements in the last couple of months. Our previous analysis helped us prioritize work area where improvements would be the most significant. Let’s see where we are today.
Open Source Software Supply Chain Security starts with developers
Open Source Software Supply Chain is at risk: threat actors are shifting target to amplify the blast radius of their attacks and as such increasing their return on investment. Over the past 3 years, we’ve witnessed an astonishing 742% average annual increase in Software Supply Chain attacks. To make it worse, the attack surface of the supply chain is wide. Covering it all requires a deep scrutinity of many factors. However, there is a simple thing, easy, and free, that every open source developer should do right now: activate multi factor authentication (also known as two factor authentication) on all development related accounts.

Enforcing HTTPS on the Eclipse Marketplace
As stewards of the Eclipse Marketplace, the Eclispe Foundation is responsible for providing a safe place for the Eclipse IDE users to download their plugins. While the Eclipse Marketplace does not host or transmit the plugins bits, it provides links to (p2) repositories containing them. Until today, there was no restriction on those links.
Beginning December 15, 2022, the Eclipse Marketplace will no longer support links to repositories over plain HTTP. The goal is to protect users of the Eclipse Marketplace from the main risk of plain HTTP links: man-in-the-middle (MITM) attacks.