Supply Chain Security Audit

Previous Page: « Erlang Ecosystem Foundation CNA Next Page: Hex Vulnerability Handling »

Initiative

« Back to Initiative

Area

Supply Chain

Status

Planning

Sponsors

-

Funding

More Funding Required

Goals

Audit hex package manager, registry and integration into build tools such as rebar3, mix and gleam. (PenTest, Verification of Design, Code Audit)

Impact

By performing a comprehensive supply chain security audit of the Hex package manager, registry, and related build tools (rebar3, mix, and Gleam), this milestone will pinpoint structural vulnerabilities, validate the correctness of the underlying design, and ensure the robustness of code implementations. The in-depth review—spanning critical repositories like hexpm/hexpm, hexpm/specifications, hexpm/hex_core , and others — will generate a clear, actionable roadmap for remediation, reinforcing the security of not only the individual components but the broader Erlang and Elixir ecosystems. With findings addressed and the security posture hardened, future enhancements (such as Build Provenance, SBoMs, and streamlined Vulnerability Handling) can proceed from a stable, trustworthy foundation.

Deliverables

• Conducted Audit Reports on
  • hexpm/hexpm - Package Registry
  • hexpm/specifications - Hex Specification
  • hexpm/hex_core - Hex Client Implementation
  • hexpm/hex - Hex Elixir (mix) Integration
  • erlang/otp - Erlang VM / Language
  • erlang/rebar3 - rebar3 Build Tool
  • elixir-lang/elixir - Mix Build Tool
  • gleam-lang/gleam - Gleam Build Tool
• Remediation of findings

Previous Page: « Erlang Ecosystem Foundation CNA Next Page: Hex Vulnerability Handling »