Sonatype, developer of friendly tools for software supply chain automation and security, released its seventh annual State of the Software Supply Chain Report that reveals continued strong growth in open source supply and demand dynamics. Further, with regard to open source security risks, the report found a 650 percent year over year increase in supply chain attacks aimed at upstream public repositories, and a fascinating dichotomy pertaining to the level of known vulnerabilities present in popular and non-popular project versions.
“While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilized. Further, we now know that popular projects contain disproportionately more vulnerabilities. This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions,” said Matt Howard, EVP of Sonatype.
Finally, based on survey responses collected from 702 software engineering professionals, the research observes a fundamental disconnect between people’s subjective beliefs about software chain management practices, and objective results as measured across 100,000 applications.
Key findings include:
Open source supply, demand, and security dynamics:
- Supply increased 20%. The top four open source ecosystems now contain a combined 37,451,682 different versions of components.
- Demand increased 73%. In 2021 developers around the world will download more than 2.2 trillion open source packages from the top four ecosystems.
- Attacks increased 650%. In 2021 the world witnessed an exponential increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems.
- Production apps utilise only 6% of available projects. Despite a huge available supply of open source projects, utilisation is concentrated in a surprisingly small number of popular projects.
- Popular projects are more vulnerable. 29% of popular project versions contain at least one known security vulnerability. Conversely, only 6.5% of non-popular project versions do so, suggesting that security researchers (blackhat and whitehat) are focused on the most utilised projects.
Projects with a faster mean time to update (MTTU) were found to be more secured. They were found to be 1.8 times less likely to have vulnerabilities. The report also revealed popularity is not a good predictor of security. Popular open source projects were 2.8 times more likely to contain vulnerabilities.
“There is a disconnect between subjective survey feedback and objective data. People believe they are doing a good job remediating defective components and indicate that they understand where risk resides. Objectively, research shows development teams lack structured guidance and frequently make suboptimal decisions with respect to software supply chain management,” the report noted.