Eclipse Foundation
Key facts
- Status: Current
- Investment Amount: €515,200.00
- Investment Year(s): 2024, 2025
The Sovereign Tech Agency is supporting work to enhance project infrastructure and security by strengthening the software supply chain in the Eclipse Foundation ecosystem. This includes integrating Software Bills of Materials (SBOMs) into build pipelines, which increases transparency of the components’ dependencies. Continuous vulnerability monitoring and optimized management processes will ensure swift mitigation of security risks, strengthening resilience and sustainability across all projects at the Eclipse Foundation.
The Eclipse Foundation hosts key Java-based open source technologies like Eclipse IDE, Jakarta EE, Eclipse Jetty, and Eclipse GlassFish. The Eclipse IDE (Integrated Development Environment) supports approximately 10% of developers worldwide, while Jakarta EE powers enterprise-grade Java apps. Jetty, a high-performance web server, enables scalable solutions. The Eclipse Foundation also manages Eclipse Temurin, a secure OpenJDK distribution with over 20 million monthly downloads, and GlassFish, offering a cloud-native Jakarta EE implementation. Additionally, the Eclipse Software Defined Vehicle (SDV) working group fosters collaboration to develop standards for the software-defined vehicles platform, engaging with major European automotive manufacturers.
Why is this important?
The projects at the Eclipse Foundation are foundational to many critical industries, supporting the development of a wide range of tools and applications. The web server and container Eclipse Jetty is a vital component, with over 3,700 artifacts directly depending on it in the Maven Central repository. Similarly, Jakarta EE, a collection of Java APIs and specifications for enterprise application development, is integral to numerous projects, including Payara Server, WildFly, Apache TomEE, Spring Boot, and Hibernate. Its influence spans diverse sectors, from banking and finance to healthcare and logistics.
Eclipse IDE serves as the core platform for development tools in many industries, including for Integrated Circuit/System-on-a-Chip manufacturers and industrial equipment companies like AMIQ EDA, NXP CodeWarrior, and Microchip Atmel Studio. This widespread adoption highlights the IDE’s role as a key enabler of innovation in embedded systems and hardware development.
Java has remained among the top 5 programming languages for over 20 years, with critical applications in fields such as aerospace, medical devices, automotive systems, financial trading, and power grid control. Secure, open source Java distributions like Eclipse Temurin are necessary to ensure reliability in safety-critical applications.
The Eclipse Foundation’s projects drive innovation and ensure the reliability of open-source technologies across industries, supporting systems where security and performance are crucial.
What are we funding?
The Sovereign Tech Fund is commissioning work in two key initiatives aimed at improving security, transparency, and vulnerability management across Eclipse Foundation projects.
- Software Bill of Materials (SBOM) Generation: The first initiative focuses on integrating SBOMs into the build pipelines of Eclipse Foundation projects. An SBOM lists all the components, dependencies, and metadata associated with software applications, providing greater transparency and security. The investment will support identifying the best SBOM tools for different project categories, updating build processes, and creating a central SBOM registry for all Eclipse Foundation projects. Additionally, SBOM generation support will be developed for Eclipse IDE products, ensuring that all users of the Eclipse IDE can create SBOMs for their projects and benefit from this crucial security measure.
- Vulnerability Management Improvement: The second initiative aims to enhance the Eclipse Foundation’s vulnerability management processes. This includes implementing continuous vulnerability monitoring solutions to identify issues in project dependencies quickly, even after software releases. The initiative will also focus on educating developers and maintainers on best practices for triaging and remediating vulnerabilities. Investment in new tooling, such as vulnerability scanners and management platforms, will help automate and streamline the process of addressing security risks across Eclipse Foundation projects.
These efforts are designed to improve overall security, enhance the integrity of projects, and ensure the long-term sustainability and reliability of the ecosystem.