One in eight open source downloads have known and avoidable risks
This year has seen twice as many software supply chain attacks as 2019-2022 combined and one in eight open source downloads today pose known and avoidable risks.
The latest State of the Software Supply Chain Report from Sonatype, which logged 245,032 malicious packages in 2023, also shows that 96 percent of vulnerabilities are still avoidable.
The report says 2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available -- the same proportion as in 2022. For every suboptimal component upgrade made, there are typically 10 superior versions available.
In addition, analysis of 1,176,407 open source projects across four major ecosystems found an 18 percent decline in 'actively maintained' open source projects, a finding which demonstrates the importance of constant vigilance from consumers in tracking the health of dependencies over time.
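The "avoidable" category above is a mechanical check: a pinned version falls inside a known-vulnerable range and a fixed release exists. As an added illustration (not Sonatype's tooling or data), the script below classifies a constructed lockfile against constructed OSV-style advisory ranges; all package names, versions and advisory ids are made up for the example.

```python
"""Classify pinned dependencies as clean, avoidable (a fix exists) or unfixed."""

def parse_version(v):
    """'1.2.3' -> (1, 2, 3); sufficient for the dotted-numeric versions used here."""
    return tuple(int(part) for part in v.split("."))

# Constructed advisories in OSV-style form: a vulnerable range is [introduced, fixed).
# 'fixed': None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "fastjson-ish", "introduced": "0", "fixed": "2.4.0"},
    {"id": "EXAMPLE-0002", "package": "fastjson-ish", "introduced": "3.0.0", "fixed": "3.0.2"},
    {"id": "EXAMPLE-0003", "package": "legacy-xml", "introduced": "0", "fixed": None},
]

def affected(adv, version):
    """True if `version` lies inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])

def first_clean_fix(package, hits, advisories):
    """Smallest 'fixed' version among the hits that no advisory for the package still affects."""
    for cand in sorted((a["fixed"] for a in hits), key=parse_version):
        if not any(affected(a, cand) for a in advisories if a["package"] == package):
            return cand
    return None  # every candidate fix lands in another vulnerable range

def classify(package, version, advisories=ADVISORIES):
    """Return the status of one pinned dependency plus the advisories it hits."""
    hits = [a for a in advisories if a["package"] == package and affected(a, version)]
    if not hits:
        return {"status": "clean", "advisories": [], "upgrade_to": None}
    ids = [a["id"] for a in hits]
    if any(a["fixed"] is None for a in hits):
        return {"status": "unfixed", "advisories": ids, "upgrade_to": None}
    return {"status": "avoidable", "advisories": ids,
            "upgrade_to": first_clean_fix(package, hits, advisories)}

def report(manifest):
    """manifest maps package name -> pinned version (constructed lockfile content)."""
    return {pkg: classify(pkg, ver) for pkg, ver in manifest.items()}

if __name__ == "__main__":
    pins = {"fastjson-ish": "2.1.0", "legacy-xml": "1.0", "tidy-lib": "0.9"}
    for pkg, result in report(pins).items():
        print(pkg, result)
```

The "avoidable" rows are the ones the report counts: a newer, fixed release was already published when the vulnerable version was pulled.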
"A lot of maintainers are very diligent -- Big Tech companies go out of their way to hire talented people to maintain libraries they rely on," says Brian Fox, CTO at Sonatype. "Our industry needs to direct its efforts towards the right place. The fact that there's been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers, and giving them access to the right tools. The goal is to help developers be more intentional about downloading open source software from projects with the most maintainers and the healthiest ecosystem of contributors. This will not only create safer software, but also recoup nearly two weeks of wasted developer time each year."
The study also finds that 67 percent of respondents say they feel confident that their applications don't rely on known vulnerable libraries. However, nearly 10 percent of respondents report their organizations have suffered security breaches due to open source vulnerabilities in the last 12 months.
It's concerning that 39 percent of organizations take one to seven days to discover vulnerabilities, 29 percent take over a week to become aware, and just 28 percent discover them within one day. When it comes to mitigation, 36.2 percent of respondents require over a week to fix vulnerabilities.
The use of AI/ML components in software development has increased by 135 percent in less than a year, largely owing to the massive efficiencies the technology affords software developers, in addition to how quickly AI/ML components can be integrated into software development workflows. That said, developers and organizations still face significant challenges in developing their own AI products.
You can get the full report from the Sonatype site.