Sonatype’s 8th Annual State of the Software Supply Chain Report Finds 96% of Known-Vulnerable Open Source Downloads Are Avoidable

New Data Shows 1.2 Billion Known-Vulnerable Java Dependencies Are Consumed Each Month, Revealing Open Source Consumers As Primary Source of Risk

October 18, 2022 -- Las Vegas -- Sonatype, the pioneer of software supply chain management, today unveiled its eighth annual State of the Software Supply Chain Report at the DevOps Enterprise Summit. In addition to a massive surge in open source supply, demand, and malicious attacks, this year’s report found that 96% of open source Java downloads with known-vulnerabilities could have been avoided because a better version was available, but was ignored.

According to the report, this means 1.2 billion known-vulnerable dependencies that could be avoided are being downloaded every month, pointing to non-optimal consumption behaviors as the root of open source risk. This is in contrast to public discussion, which often associates security risk with open source maintainers. The report found open source maintainers to be, on average, efficient at delivering fixes to issues.

“This astonishing finding highlights how critical it is for engineering teams to continue education on open source risk and embrace intelligent automation to support their efforts. Humans are fallible, and the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is, this year’s report also shows ‘optimal’ dependency management is possible. Further, despite the continued attention on trying to ‘fix open source,’ the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event.”

With more open source being consumed than ever before, attacks targeting the software supply chain have increased as well, both in frequency and complexity. This year’s research revealed a 633% year over year increase in malicious attacks aimed at open source in public repositories–equating to a 742% average yearly increase in software supply chain attacks since 2019.

This year’s report findings also unearthed a vast chasm between perceived security and reality in software development, challenging many commonly-held beliefs about effectively managing security risk. This includes: 

• Open source demand continues to grow, despite what self-reporting says - global open source consumption will surge to an estimated 3.1 trillion total requests.
• Know what open source your open source is using - transitive dependencies account for 6 out of every 7 vulnerabilities affecting open source projects. 
• Current quality metrics can’t predict the caliber of an open source project - We present a new type of score - The Sonatype Safety Rating, that uses machine learning alongside metrics to make a very accurate determination.
• Developer responsibilities managing third party dependencies are huge - the average Java application contains 148 dependencies (20 more than last year), and the average Java project updates 10 times a year–meaning developers are tasked with tracking intelligence on nearly 1,500 dependency changes per year - per application they work on.
• Automating software supply chain management saves time, money, and creates happier employees - software practitioners with higher levels of supply chain maturity correlated with being 2.7 times more likely to report a high level of job satisfaction.
• Organizations think they have their software supply chains under control, but the data disagrees - 68% of survey respondents were confident that their applications are not using known vulnerable libraries, but in a random sample of enterprise applications, 68% contained known vulnerabilities.
• Managers are overly optimistic about managing open source - Our survey showed an ongoing bias, in which managers report higher stages of maturity compared to what is reported by other roles.

“This year’s State of the Software Supply Chain report demonstrates how open source and software development is ever-evolving, and the imperative need to evolve with it,” Fox added. “Our research shows that the number of dependencies per open source project is growing, and that these dependencies are a critical driver of risk. Immature organizations expect their developers to stay on top of license compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures like speed. It comes as no surprise that job satisfaction is heavily linked to the software supply chain practices maturity. This sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”

Sonatype’s eighth annual State of the Software Supply Chain Report blends a broad set of public and proprietary data and analysis, including dependency update patterns for more than 131 billion Maven Central downloads and thousands of open source projects, survey results from 662 engineering professionals, and the assessment of 185,000 key enterprise applications. This year’s report also analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npmjs), Python (PyPI), and .Net (nuget) ecosystems.

ABOUT SONATYPE
Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization’s entire software development life cycle, including third-party open source code, first-party source code and containerized code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.