Companies are only aware of 17 percent of the open source components they use, according to a new analysis based on data from more than 100 open source audit initiatives done in 2021. This is a four percent increase over the previous year. Risks are also rising, according to Revenera’s State of the Software Supply Chain Report for 2022.
The number of the most serious issues (priority level P1) has increased by 6% since last year’s findings. Lower priority issues, on the other hand, have increased dramatically in the last year, with secondary priority (P2) and lowest risk (P3) issues increasing by 50% and 34%, respectively. This suggests that open source software is becoming more prevalent and that the average number of dependencies in popular ecosystems is dramatically expanding, broadening the risk surface.
An increasing number of stakeholders and legal requirements, such as the US government’s Executive Order on Improving the Nation’s Cybersecurity, are driving demand for software bills of materials (SBOMs). The number of items on an SBOM is also increasing: in 2021, the Revenera audit team discovered 12 percent more items, with 2,200 unearthed per audit project, up from 1,959 in 2020. In addition, it detected a new issue for every 11,500 lines of code reviewed, up 5% from 2020.
The research also predicts a 7% growth in binaries by 2020. Binaries are more sophisticated than source code, combining IP from numerous sources and comprising many constituent files.