1 in 10 open source components downloaded in 2018 had a known security vulnerability

This year’s Sonatype report reveals the best practices exhibited by exemplary open source software projects and commercial application development teams. As in years past, it also examines the rapidly expanding supply and continued exponential growth in consumption of open source components.

For the fifth anniversary report, Sonatype collaborated with Gene Kim from IT Revolution, and Dr. Stephen Magill from Galois and MuseDev. Together with Sonatype, the researchers objectively examined and empirically documented, release patterns and cybersecurity hygiene practices across 36,000 open source project teams and 3.7 million open source releases.

Adversaries are increasingly targeting open source components

• 71% increase in open source related breaches over the past five years
• 24% of organisations confirmed or suspected an OSS related breach
• 15 events highlighting a new attack pattern for malicious code injection within open source software supply chains

Supply and demand of OSS components at an all-time high

• 146 billion download requests of Java components in 2018, representing 68% year over year growth
• 21,448 new open source releases available to developers each day
• 313,000 average annual OSS downloads across 12,000 enterprises studies, where 8.8% of the downloads were known to be vulnerable

Attributes of the top open source projects

This year’s State of the Software Supply Chain Report report identifies the top 295 open source projects that demonstrated the following attributes:

• 18x faster at updating dependencies
• 6.8x better at releasing components where all dependencies are up to date
• 3.4x faster at remediating vulnerabilities
• 6x more popular
• 2x more frequent with their component releases
• 33% larger development team size
• 4x more likely to be managed by open source foundations than by commercial stewards

Exemplary development teams

The research teams also studied 12,000 commercial engineering teams and surveyed more than 6,200 developers. Their findings demonstrated that exemplary development teams were:

• 2.6x less likely to consider updating vulnerable components to be “painful”.
• 11x more likely to use some process to add a new dependency (e.g., evaluate, approve, standardize, etc.)
• 9.3x more likely to have a process to proactively remove problematic or unused dependencies
• 12x more likely to have automated tools to track, manage, and/or ensure policy. compliance of dependencies
• 6.2x more likely to use the latest version (or latest-N) of all of their dependencies.

“We have long advised organizations that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype.

“For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases were reduced by 55%.”