Developers are still downloading risky open-source packages at a concerning rate, underlining the need for better security practices across the software supply chain. Data from Sonatype, a software supply chain management tools provider, shows that in 2022, 12% of component downloads were of versions with known vulnerabilities; that share fell only slightly, to 10%, in 2023. Of those vulnerable downloads, over a third involved a critical vulnerability and another 30% a high-severity one. Most strikingly, 96% of them could have been avoided: a newer, non-vulnerable version of the same component was already available at the time of download.
Sonatype's researchers attribute the growing share of critically vulnerable components to the fact that such vulnerabilities are mostly found and reported in the most popular, widely adopted open-source software. The attention these components receive from both defenders and attackers raises the likelihood that critical issues are discovered, and popular projects usually have an official disclosure process through which vulnerabilities can be reported and published. Critical vulnerabilities in these components are therefore the ones most likely to be noticed. Identifying a vulnerability, however, is only half the battle: organizations also have to act on it, which in practice means an automated way to flag an affected version and move to a fixed one.
Consumers of open-source packages must take responsibility for mitigating the risks those packages carry. Repository managers play a significant role in keeping packages secure, but users still have to make informed choices about which component versions they download. As the data shows, developers keep pulling vulnerable versions even when a fixed version is already published. This points to a need for greater awareness and education about package security within the developer community.
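The check that turns the "96% avoidable" figure into something a build can act on is straightforward: is the pinned version inside an advisory's affected range, and what is the nearest version that clears every known advisory for that package? The following is an added example, not Sonatype's tooling or any product's code. It audits a constructed lockfile against constructed advisories written in the shape of OSV "introduced"/"fixed" range events; the advisory IDs, package names, the three-column lockfile format and the simple dotted-numeric version comparison are all assumptions made for the example.

```python
"""Audit pinned dependencies against OSV-style advisories (added example).

Advisories, package names and the lockfile format below are constructed for
the demo; this is not Sonatype's or any real tool's code.
"""
from dataclasses import dataclass
from typing import Optional

SEVERITY_ORDER = ["LOW", "MODERATE", "HIGH", "CRITICAL"]


def parse_version(v: str) -> tuple:
    # Assumption: dotted numeric versions only. Real ecosystems need a proper
    # comparator (semver for npm, Maven's version ordering for Java).
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    id: str
    ecosystem: str
    package: str
    severity: str
    introduced: str        # first affected version (inclusive)
    fixed: Optional[str]   # first fixed version (exclusive); None = no fix yet


# Constructed advisories in the shape of OSV "introduced"/"fixed" events.
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "npm", "acme-json", "CRITICAL", "0", "2.3.1"),
    Advisory("EXAMPLE-2023-0002", "npm", "acme-json", "HIGH", "2.0.0", "2.4.0"),
    Advisory("EXAMPLE-2023-0004", "npm", "acme-json", "MODERATE", "2.4.0", "2.4.2"),
    Advisory("EXAMPLE-2023-0003", "Maven", "widget-http", "HIGH", "1.0.0", None),
]


def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def nearest_fixed_version(ecosystem: str, package: str, version: str) -> Optional[str]:
    """Smallest version >= `version` that no known advisory affects, or None
    if an affecting advisory has no fix. Taking the max of the fixed bounds
    once is not enough: the jump can land inside a range a later advisory
    opened, so re-check until the candidate is clean."""
    pkg_advs = [a for a in ADVISORIES if a.ecosystem == ecosystem and a.package == package]
    candidate = version
    while True:
        hits = [a for a in pkg_advs if is_affected(a, candidate)]
        if not hits:
            return candidate
        if any(a.fixed is None for a in hits):
            return None
        # each hit has fixed > candidate, so candidate strictly increases
        candidate = max((a.fixed for a in hits), key=parse_version)


def check_component(ecosystem: str, package: str, version: str) -> dict:
    hits = [a for a in ADVISORIES
            if a.ecosystem == ecosystem and a.package == package and is_affected(a, version)]
    worst = max((a.severity for a in hits), key=SEVERITY_ORDER.index, default=None)
    return {
        "package": f"{ecosystem}:{package}@{version}",
        "vulnerable": bool(hits),
        "advisories": [a.id for a in hits],
        "highest_severity": worst,
        "fixed_in": nearest_fixed_version(ecosystem, package, version) if hits else version,
    }


def audit_lockfile(text: str) -> list:
    """Lines of '<ecosystem> <package> <version>'; '#' comments and blanks ignored."""
    results = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ecosystem, package, version = line.split()
        results.append(check_component(ecosystem, package, version))
    return results


def avoidable_fraction(results: list) -> Optional[float]:
    """Share of vulnerable components that already have a fixed version
    (the quantity behind the report's 96% figure)."""
    vulnerable = [r for r in results if r["vulnerable"]]
    if not vulnerable:
        return None
    return sum(1 for r in vulnerable if r["fixed_in"] is not None) / len(vulnerable)


# Constructed lockfile for the demo.
LOCKFILE = """\
# ecosystem package version
npm acme-json 2.2.0      # two advisories; the clean version is 2.4.2, not 2.4.0
npm acme-json 2.4.2      # clean
Maven widget-http 1.2.0  # affected, no fix published
npm tiny-pad 1.0.0       # no advisories
"""

if __name__ == "__main__":
    audit = audit_lockfile(LOCKFILE)
    for r in audit:
        if r["vulnerable"]:
            state = f"VULNERABLE ({r['highest_severity']}) -> fix: {r['fixed_in'] or 'none available'}"
        else:
            state = "OK"
        print(f"{r['package']:32} {state}")
    print("avoidable:", avoidable_fraction(audit))
```

Run as-is, the audit flags `acme-json@2.2.0` as critical with `2.4.2` as the nearest clean version (a naive "max of fixed bounds" would have suggested `2.4.0`, which the third advisory still covers) and `widget-http@1.2.0` as vulnerable with no fix, giving an avoidable fraction of 0.5. Wiring a check like this into CI, with a real advisory feed and a real version comparator, is what lets a team refuse the avoidable downloads the report counts.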
The quality of open-source maintenance is a further concern. Maintainers need to respond promptly to vulnerability reports and ship patches, yet Sonatype observes a growing number of projects that their creators no longer maintain. In 2022, over 24,000 projects across the Java and JavaScript ecosystems no longer met Sonatype's criteria for being maintained, which are based on commit and issue-tracking activity. Unmaintained projects still get downloaded, so this decline raises concerns about the security and stability of everything that depends on them.
One metric used to assess a project's security practices is "code review": whether pull requests are reviewed by someone other than their author before being merged. According to Sonatype, code review is strongly associated with good security outcomes but is not widely adopted. Over the past year the number of projects practicing code review fell by 15% overall; restricted to projects that qualify as maintained, the decrease is 8%. This decline further underlines the need for maintainers to treat review of incoming changes as part of their security workflow, not an optional extra.
Addressing these challenges requires developers, maintainers, and repository managers to work together. Developers need to stay informed about newly published vulnerabilities and actively pick fixed versions of the components they depend on. Maintainers should prioritize triaging and patching reported vulnerabilities. Repository managers should provide the tooling and data that let users make informed decisions about what they download, for instance by surfacing advisory information at the point of download. Alongside this, education and awareness efforts on package security should give developers the knowledge and resources to build security into their development processes.
Taken together, a collaborative and proactive approach lets the open-source community reduce the risk of downloading and using open-source packages, and with sustained attention to package security, a safer software supply chain for everyone.

