
Our First Rapid Security Review: Eclipse SysON

Wednesday, May 21, 2025 - 06:15 by Ioana Iliescu

We are excited to announce that the Eclipse Foundation Security Team has conducted a Rapid Security Review of Eclipse SysON, the first review of our new initiative.

A Rapid Security Review is a lightweight security assessment designed to help projects strengthen their overall security posture. It provides an easy-to-use framework comprising checks from a wide variety of topics, such as security automation and tooling, secure development practices, incident preparedness, monitoring and visibility, security policies, and project setup.

[Image: Rapid Security Reviews "Passed" badge]

Currently in incubation, Eclipse SysON is an open source, web-based tool for editing SysML v2 models. It offers a user-friendly interface with a suite of editors that allow users to create, modify, and visualize different aspects of system models with ease.

The project successfully met the vast majority of our checks, indicating a solid foundational security posture. Notable strengths included consistent contribution activity during the past year, great responsiveness in adopting new self-service features, effective dependency management, and active use of GitHub's built-in security tools. The project also showed a proactive approach to risk mitigation by leveraging comprehensive static analysis tools and following a well-established release policy focused on long-term maintainability. In addition, the project demonstrated a strong commitment to transparency, security, and operational maturity by being among the first to adopt SBOM generation and upload to our DependencyTrack instance.

While the project's overall security posture is strong, we identified some areas where improvements could further enhance its resilience. These include reviewing inactive committers with implicit membership in the project security team, updating the security policy file to include detailed information about the vulnerability reporting process, enforcing stricter security standards for GitHub Actions workflows, and publicly listing all artifact publishing locations.

The project team was highly receptive to our security recommendations and demonstrated a clear commitment to continuous improvement. They expressed their intent to address all identified issues in the near future, reinforcing their proactive approach to security and dedication to maintaining a strong and resilient codebase.

The EF Security Team will be conducting Rapid Security Reviews with the goal of providing guidance and clear, practical steps maintainers can take to improve security in meaningful ways. Whilst we maintain a queue for these reviews and welcome projects that want to volunteer for a review, we strongly encourage projects to start with a self-assessment, using our review framework, which can be found in the Security Handbook.