OSTIF and Trail of Bits coordinated and executed a security audit of Eclipse JKube, an Eclipse Foundation project. Eclipse JKube is a collection of plugins and libraries for building container images using the Docker, JIB or S2I build strategies. The project helps bring Java applications to Kubernetes and OpenShift by automating the tasks required to make an application cloud-native.

During the engagement a threat model was created, automated testing was introduced and run, and an evaluation of codebase maturity was performed. Testing efforts were concentrated on review of the codebase as well as on the artifacts JKube creates when installing an application.

To perform their review, Trail of Bits used static and dynamic testing on the project's codebase and artifacts, using both automated and manual processes. While only two findings were reported during the engagement, Trail of Bits made several recommendations for JKube to increase its overall security. JKube's codebase maturity indicates a generally healthy security environment and development process. Suggestions for its improvement are expanded upon in the report.

It is a good, holistic practice for open source projects to have third-party security audits performed on a semi-regular basis. In the specific case of JKube, while the number of findings was low, the information gathered and tested for the threat model and codebase maturity was revealing. Audit results help projects determine which aspects of the code can be investigated and improved upon, and identify opportunities to harden a project's implementation and processes against future vulnerabilities.

OSTIF extends our gratitude to the Trail of Bits team, specifically Artur Cygan, Kelly Kaoudis and Emilio López, for their hard work and final report. Further thanks go to the Eclipse JKube project team, notably Marc Nuri and Sun Tan, for their time and contributions to the success of this project. Finally, we would like to thank the Eclipse Foundation for funding this work and for its continued support of open source security.

You can read the full report HERE.

You can read the Eclipse Foundation’s blog about the engagement HERE.