Companies are only aware of 17 percent of their open source components
A new report based on data from more than 100 open source audit projects conducted in 2021 finds that companies are only aware of 17 percent of the open source components they use, an increase of just four percent in the past year.
The 2022 State of the Software Supply Chain Report from Revenera also shows that risks are increasing.
The number of the most severe issues, priority level P1, has grown six percent over last year's findings. Lower priority issues, however, have surged: secondary priority (P2) issues and the lowest risk (P3) issues grew by 50 percent and 34 percent, respectively, over the past year. This reflects the growing prevalence of open source software and the fact that the average number of dependencies in popular ecosystems is increasing significantly, broadening the risk surface.
"Companies have realized they need to secure the software supply chain, which is under attack -- as evidenced through vulnerabilities such as Log4Shell. All indications say bad actors are going to step up their exploits in the coming year," says Alex Rybak, director, product management at Revenera. "The use of third-party content and open source software will continue to increase. Organizations that invest in company-wide policies, continuous assessment, Software Composition Analysis solutions, and corporate compliance programs are best able to quickly respond to risks and customer requests."
Demand for software bills of materials (SBOMs) is growing too, driven by a broadening array of stakeholders and regulatory requirements, such as the US government's Executive Order on Improving the Nation's Cybersecurity. The number of items on an SBOM is growing as well: the Revenera audit team identified 12 percent more items in 2021, with 2,200 uncovered per audit project compared to 1,959 in 2020. Additionally, it discovered a new issue for every 11,500 lines of code analyzed -- a five percent increase compared to 2020.
The report also finds a seven percent increase in binaries over 2020. Compared to source code, binaries are more complex, often combining IP from multiple sources and using many constituent files.
The full report is available from the Revenera site.