Number of open source vulnerabilities surged in 2019

The number of disclosed open source software vulnerabilities in 2019 reached over 6000, up from just over 4,000 in 2018, a new WhiteSource report says.

“This can be attributed to the rise in awareness to open source security following the widespread adoption of open source components and the massive growth of the open source community over the past few years, along with the media attention directed at recent data breaches,” the company noted.

Discovery, disclosure and listing

WhiteSource has surveyed over 650 developers, collected data from the National Vulnerability Database (NVD), security advisories, peer-reviewed vulnerability databases, issue trackers and more, and has found that:

• Over 85% of open source security vulnerabilities are disclosed with a fix already available
• Only 84% of known open source vulnerabilities eventually appear in the NVD, some of them months after their disclosure elsewhere
• C still has the highest percentage of vulnerabilities (30%) due to the high volume of code written in this language. It is followed by PHP (27%) and Java (15%).

Python’s rise in popularity hasn’t been followed by a rise of percentage of vulnerabilities, whether that’s a result of secure coding practices and not lax security research for Python projects is unknown.

The nature of the vulnerabilities

The most common security weaknesses (CWEs) in 2019 were cross-site scripting flaws (XSS), followed by improper input validation vulnerabilities and buffer errors:

The 2019 top 5 list differs minimally from the list of the year before – in 2018, buffer errors were second on the list and improper input validation bugs third, while the rest of it is the same.

“What’s concerning is that the most common CWE’s are due to simple code errors and imprecise coding, that all developers could avoid by sticking to fairly basic coding standards,” the researchers pointed out.

“While they are not in the top five, it’s interesting that CWE-352 — Cross-Site Request Forgery (CSRF), has emerged in the top 10 CWEs this year, and that CWE-89 — SQL Injection, re-emerged after it wasn’t one of the top CWE’s since 2015. This might be due to an increase in the volume of open source web projects developed, and it might indicate that web vulnerabilities are on the rise and something we should be mindful of when coding.”