Security issue tracker
Bugzilla was the main reporting mechanism previously. In 2023, we moved the primary tracker to GitLab. The main reason for this move was the general migration from Bugzilla to other systems. We have also encountered situations of missing notifications for certain issues and projects not receiving the information. We also had a need for tooling that allows better control of the confidentiality of issues and the publication. Because of that, we decided to move the general security bug tracker to the Eclipse Foundation GitLab instance (now available at https://gitlab.eclipse.org/security/vulnerability-reports) together with a separate issue tracker for CVE assignments. We announced that to our projects in https://blogs.eclipse.org/post/marta-rybczynska/eclipse-foundation-default-security-tracker-moves and in the handbook update https://www.eclipse.org/projects/handbook/#vulnerability
Projects have started using the new tracker rapidly.
We notice several reports where one Eclipse project reports to another in a confidential way, which is a positive event. This allows one project to fix the issue and another to be in the loop to update their dependency when it is ready. When the work is done, the issue becomes public and accessible to everyone.
We have also launched a GitHub private advisories pilot, which has been applied in projects like Eclipse Californium, Jetty, Leshan, Vert-X, or Tractus-X. It has received mainly positive feedback. However, we notice that some fields in the CVE records are not automatically filled according to our needs. This is a subject we plan to work on in 2024.
Released vulnerabilities with fixes and mitigations,
Eclipse Foundation is also a CNA (CVE Numbering Authority), allowing the Foundation to assign CVEs directly, and it has been doing it for years. This year, the activity grew significantly; the Foundation’s CNA published 12 CVEs in 2023, compared to 6 in 2022.
In addition to that, projects have published 8 CVEs directly from GitHub. All of them had a fix or a mitigation ready at the moment of publication.
We have also reworked the page of assigned CVEs, which is available at https://www.eclipse.org/security/known/
Useful short links:
If you have found a potential vulnerability in one of Eclipse Foundation projects, you can report it at https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/new?issuable_template=new_vulnerability
Projects can ask for CVE entries at https://gitlab.eclipse.org/security/cve-assignement/-/issues/new?issuable_template=cve
Previous blog posts on security:
Learning about security: by example https://blogs.eclipse.org/post/marta-rybczynska/learning-about-security-example
Eclipse Mosquitto Security Audit Has Been Completed https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-mosquitto-security-audit-has-been-completed
Eclipse Jetty Security Audit Has Been Completed https://blogs.eclipse.org/post/mika%C3%ABl-barbero/eclipse-jetty-security-audit-has-been-completed
