Today, the Eclipse Foundation released the results of our security audit of the Eclipse Kuksa project. The findings from the audit have been addressed in the latest version of the Kuksa source code, available from https://github.com/eclipse-kuksa/kuksa-databroker. Please note that the repository has recently moved, so update your links.
One of the more recent Eclipse Foundation projects, Eclipse Kuksa aims to provide common building blocks for Software Defined Vehicles (SDV) that can be shared across the industry. The main feature of Kuksa is abstracting vehicle data and interfaces into a common format, and this was the main scope of the audit.
The audit covered the databroker and the Python client; it consisted of static analysis, manual code review and dynamic analysis with fuzzing.
The findings include two crashes and some shortcomings in the permission verification paths. While addressing these issues, the Kuksa team decided to deprecate the sdv.databroker API, which accounts for a significant portion of the findings: the API is now disabled by default and can only be enabled through a specific option when the databroker is started.
Check the full report for more information at https://ostif.org/wp-content/uploads/2024/05/Kuksaaudit1.2.pdf.
This was our fifth open source project security audit, and it was carried out by Quarkslab. Like our four previous audits, this initiative was done in partnership with the Open Source Technology Improvement Fund (OSTIF) and was made possible by the funding the Eclipse Foundation received from the Alpha-Omega Project.
Impartial security audits like this play an important role in securing the open source software supply chain. Keep an eye on our blog for more security audit announcements in the future.
Get Involved
- Get started with Eclipse Kuksa at https://github.com/eclipse-kuksa/kuksa-databroker and learn how you can contribute to the project.
- Learn more about the new Open Regulatory Compliance Working Group, a working group that is forming to address the multifaceted challenges of cybersecurity in the open source ecosystem and to demonstrate our commitment to cooperation with, and implementation of, the EU Cyber Resilience Act (CRA).