News and Notes from the Makers of Nexus | Sonatype Blog

Introducing our 9th annual State of the Software Supply Chain report

Written by Aaron Linskens | October 03, 2023

Striving for excellence is an ongoing journey marked by the relentless pursuit of innovation, efficiency, and a focus on the essential contributors: the developers. Our 9th annual State of the Software Supply Chain report dives into our extensive research and highlights how superior tools and high-quality open source components enhance developer productivity. These elements are pivotal for improving security and product quality, and for driving the creation of better software.

This year's report delves into defining better software in a world of choices and exploring the profound influence of artificial intelligence (AI) on software development. Additionally, it examines the intricate interplay of open source supply, demand, and security, sheds light on the global measures undertaken by governments to combat cybersecurity risks, and much more.

Trends in open source software supply, demand, and security

In recent years, open source supply has experienced remarkable growth. Numerous new projects have been released across different ecosystems, indicating the ongoing wave of innovation. Notably, each monitored ecosystem has exhibited a consistent project growth rate, averaging an impressive 29% year-over-year. Such statistics demonstrate the sustained momentum and evolution of this thriving landscape.

Demand is decelerating

As the supply of open source components continues to increase, their consumption is failing to match the pace. Over the past two years, the rate of download growth has been progressively declining. In 2023, the average growth rate stands at 33%, a substantial decrease from the remarkable 73% year-over-year growth in 2021.

Major security problems still abound

As of September 2023, our tools have caught over 245,000 malicious packages — a very concerning number. This alarming figure represents twice as many software supply chain attacks in a single year as were found in all previous years combined. Vulnerabilities persist, with 23% of Log4j downloads still being of critically vulnerable versions, despite fixes having been available for almost two years. And, in 2022, we saw that 12% of downloads, roughly 1 in 8 of all components served by Maven Central, contained a known security vulnerability.

Open source projects are seeing less active maintenance

An essential aspect of open source project quality and health is maintenance. For example, maintained projects have a slightly lower incidence of vulnerability, among other positive characteristics. However, our research reveals concerning trends: for example, nearly 1 in 5 projects stopped being maintained last year, affecting both the Java and JavaScript ecosystems.

Effective dependency management and component upgrades

Our research consistently highlights that nearly 96% of component downloads with known vulnerabilities could be avoided by selecting a non-vulnerable version. This year, we investigate how organizations can optimize their approach to component upgrades. For example, staying current with component versions is crucial for security, performance, and reliability.

But how often is too often?

We employ a component scoring algorithm that categorizes versions into zones, ranging from optimal to reactive. Surprisingly, 80% of downloads are of the best available versions, but the remaining 20% fall into the borderline and worst categories, posing potential risks.

Software supply chain maturity - peer insights

Perception often differs from reality when it comes to software supply chain maturity. Respondents tend to self-assess their progress differently from reality. While there's growing awareness of open source risk and improved dependency upgrade decisions, a disconnect still exists between perceived maturity and actual practices.

The image below shows eight different graphs based on the different software supply chain maturity themes. For each theme, we scored the self-assessment responses from 1 to 5, corresponding to stages of software supply chain maturity.

You can find full details in our report, but a couple of interesting insights stand out. First, respondents indicated the demand for software bills of materials (SBOMs) is on the rise, with reported security benefits. However, overall there's a notable gap between self-reported maturity levels and actual implementation, highlighting a need for better alignment between perception and reality.

Increased global regulations

In the last year, the majority of documented guidance and regulations have stemmed from the United States (US) and the European Union (EU), but it's become evident that ensuring the security of the digital realm is a global endeavor. Countries such as Canada, Japan, Australia, and Germany have recognized this urgency and have aligned themselves with the efforts led by the US and EU. We explore the actions different regions are taking to combat what the European Union Agency for Cybersecurity (ENISA) has identified as the foremost emerging threat — compromised software supply chains.

AI in software development

What role do AI and machine learning (ML) play in assisting developers, and what challenges do AI practitioners face in developing AI products? Our research and analysis looked to answer these two questions in this year's report. Through a survey of 800 software development and application security professionals, we share the trends and challenges practitioners see in their environments. 97% of DevOps and SecOps leaders surveyed said they currently employ AI to some degree in their workflows, most using two or more tools daily.

Learn more in the 9th annual report

Our 9th annual State of the Software Supply Chain report also illustrates how we navigate a software world that's in constant evolution.

From a surge in open source projects to the prominent role AI and ML play today, the software industry's heartbeat lies in innovation, efficiency, and security. But, as with any journey, there are challenges. The disconnect between perception and reality, the persistence of vulnerabilities, and the declining rate of project maintenance all underline the importance of continuous learning, adaptation, and proactive measures. While our findings shed light on current trends, they also serve as a beacon, guiding organizations toward creating safer, more efficient, and innovative software solutions for tomorrow.

Insights to shape a better software supply chain future are just a click away.