The Linux Foundation’s Census of OSS app libraries helps prioritize security work
The Linux Foundation announced the final release of “Census II of Free and Open Source Software – Application Libraries,” which identifies more than one thousand of the most widely deployed open source application libraries. The study is meant to inform which open source packages, components and projects warrant proactive operations and security support.
The goal of the study is to identify and measure which open source software is most widely deployed within applications developed by private and public organizations. It builds a more complete picture of free and open source software (FOSS) adoption by analyzing usage data contributed by partner Software Composition Analysis (SCA) companies Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA, drawn from their scans of codebases at thousands of companies.
“Understanding what FOSS packages are the most critical to society allows us to proactively support projects that warrant operations and security support,” said Brian Behlendorf, general manager at OpenSSF. “Open source software is the foundation upon which our day-to-day lives run, from our banking institutions to our schools and workplaces.”
Top 10 version-agnostic packages available on the npm package manager
Census II includes eight rankings of the 500 most used FOSS packages among those reported in the private usage data contributed by SCA partners. The rankings slice that data three ways: versioned versus version-agnostic package names, packages on the npm package manager versus other package managers, and packages called directly versus packages called directly or indirectly (as transitive dependencies). For example, the top 10 version-agnostic packages available on the npm package manager that were called directly are:
- lodash
- react
- axios
- debug
- @babel/core
- express
- semver
- uuid
- react-dom
- jquery
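The three slices described above (versioned or version-agnostic, npm or other, direct or direct-plus-indirect) are easy to reproduce for a single npm project from its lockfile, which is a practical way to see how many of the report's top packages your own application pulls in and whether you depend on them directly or only transitively. The following is an added example written for this page, not code from the Census II report or from any of the SCA partners; it reads the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and the sample lockfile, its versions and its dependency relations are constructed for illustration rather than taken from real package manifests.

```javascript
// Added example (not from the Census II report or an SCA vendor): reproduce the
// report's data slices for one npm project from its lockfile.
//  - version-agnostic: one entry per package name
//  - versioned:        one entry per name@version (a package installed at two
//                      versions counts twice)
//  - direct:           declared by the root project (dependencies + devDependencies)
//  - indirect:         installed only as a transitive dependency

// Top-10 list quoted in the article (version-agnostic, npm, direct calls).
const CENSUS_TOP10_NPM_DIRECT = [
  'lodash', 'react', 'axios', 'debug', '@babel/core',
  'express', 'semver', 'uuid', 'react-dom', 'jquery',
];

// Constructed sample lockfile for this example; the versions and dependency
// relations are illustrative assumptions, not real packages' manifests.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': {
      name: 'example-app',
      dependencies: { express: '^4.18.2', lodash: '^4.17.21', axios: '^1.6.0' },
      devDependencies: { '@babel/core': '^7.23.0' },
    },
    'node_modules/express': { version: '4.18.2', dependencies: { debug: '2.6.9', cookie: '0.5.0' } },
    'node_modules/debug': { version: '2.6.9' },
    'node_modules/cookie': { version: '0.5.0' },
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/axios': { version: '1.6.0' },
    'node_modules/@babel/core': { version: '7.23.0', dev: true, dependencies: { semver: '^6.3.1', debug: '^4.1.0' } },
    'node_modules/semver': { version: '6.3.1', dev: true },
    // A second copy of debug nested under @babel/core: one version-agnostic
    // package, but two versioned entries.
    'node_modules/@babel/core/node_modules/debug': { version: '4.3.4', dev: true },
  },
});

// The package name is everything after the last "node_modules/" in the install
// path; this keeps scoped names such as "@babel/core" intact.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

function classifyLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const packages = lock.packages || {};
  const root = packages[''] || {};
  // Direct = declared by the root project, runtime and dev alike.
  const direct = new Set([
    ...Object.keys(root.dependencies || {}),
    ...Object.keys(root.devDependencies || {}),
  ]);
  const versionAgnostic = new Set();
  const versioned = new Set();
  for (const [installPath, entry] of Object.entries(packages)) {
    if (installPath === '') continue; // the root project is not a dependency
    const name = packageNameFromPath(installPath);
    versionAgnostic.add(name);
    versioned.add(`${name}@${entry.version}`);
  }
  // Indirect = installed but not declared by the root project.
  const indirect = new Set([...versionAgnostic].filter((n) => !direct.has(n)));
  return { direct, indirect, versionAgnostic, versioned };
}

// Which of the report's top-10 packages does this project pull in, and how?
// Results keep the order of the census list.
function censusOverlap(classification, censusList = CENSUS_TOP10_NPM_DIRECT) {
  return {
    direct: censusList.filter((n) => classification.direct.has(n)),
    indirect: censusList.filter((n) => classification.indirect.has(n)),
  };
}

const classification = classifyLockfile(SAMPLE_LOCKFILE);
console.log('direct:', [...classification.direct]);
console.log('indirect:', [...classification.indirect]);
console.log('version-agnostic count:', classification.versionAgnostic.size);
console.log('versioned count:', classification.versioned.size);
console.log('census overlap:', censusOverlap(classification));
```

Run it with `node` against a real project by replacing `SAMPLE_LOCKFILE` with the contents of that project's package-lock.json. The indirect set is where most of the exposure usually sits: in the sample, `debug` and `semver` never appear in the root manifest, yet they are installed, and `debug` is present at two versions, which is exactly the case the versioned and version-agnostic rankings count differently.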
“Our goal is to not only identify the most widely used FOSS but also provide an example of how the distributed nature of FOSS requires a multi-party effort to fully understand the value and security of the FOSS ecosystem. Only through data-sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come,” said Frank Nagle, Assistant Professor, Harvard Business School.
“With businesses increasingly dependent upon open source technologies, if those same businesses aren’t contributing back to the open source projects they depend upon, then they are increasing their business risk. That risk ranges from projects becoming orphaned and containing potentially vulnerable code, through to implementation changes that break existing applications. The only meaningful way to mitigate that risk comes from assigning resources to contribute back to the open source powering the business. After all, while there are millions of developers contributing to open source, there might just be only one developer working on something critical to your success,” said Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center.