Open-source software is being used more than ever, yet practices for sourcing the software are inefficient and vulnerabilities are pervasive, according to a report from supply-chain automation provider Sonatype.

The number of open-source component download requests increased to 31 billion in 2015 from 17 billion in 2014, according to the report, which looked at supply chain practices at 3,000 development organizations and software component analyses of 25,000 applications.

“By failing to effectively manage their software supply chain, we have found that software development organizations are taking on significant technical debt that is completely avoidable. Hours invested managing service interruptions and security breaches could otherwise be spent adding value for their companies and customers,” said Wayne Jackson, CEO of Sonatype.

The report found that 10,000 new component versions are introduced daily across development ecosystems, and that older components (those older than three years) are 3x more likely to contain vulnerabilities.

In a March 2016 report, Forrester analysts wrote: “Every component brings benefits as well as risks, and you must manage those risks by selecting the best components and suppliers and by making sure delivery teams use only the latest, most secure versions of selected components.”
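One way to turn the report's two findings (components older than three years, and teams not on the latest version) into an automated inventory check; this is an added Python example, not code from Sonatype or the article, and the component names, release dates and version numbers in it are constructed:

```python
from datetime import date

MAX_AGE_YEARS = 3  # threshold taken from the report's finding on component age

# Constructed sample inventory, not data from the report:
# (component name, version in use, release date of that version, latest available version)
INVENTORY = [
    ("lib-alpha", "1.4.2", date(2012, 3, 15), "1.4.2"),   # current, but over three years old
    ("lib-beta",  "2.0.9", date(2015, 11, 2), "2.1.0"),   # recent, but a newer release exists
    ("lib-gamma", "0.9.1", date(2016, 5, 30), "0.9.1"),   # recent and current: no finding
]

def parse_version(text):
    """Split 'MAJOR.MINOR.PATCH' into an int tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def age_in_years(released, today):
    """Approximate age in years; precise enough for a policy threshold."""
    return (today - released).days / 365.25

def evaluate(inventory, today, max_age_years=MAX_AGE_YEARS):
    """Return {component: [reasons]} for every component that breaks a policy rule."""
    findings = {}
    for name, used, released, latest in inventory:
        reasons = []
        if age_in_years(released, today) > max_age_years:
            reasons.append("older than %d years" % max_age_years)
        if parse_version(used) < parse_version(latest):
            reasons.append("not the latest version (%s available)" % latest)
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    # Evaluate the constructed inventory as of the article's timeframe.
    for name, reasons in evaluate(INVENTORY, date(2016, 7, 20)).items():
        print(name, "->", "; ".join(reasons))
```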

New functional language Verve has zero dependencies
Tadeu Zagallo, a software engineer at Facebook, wanted to have some fun, so he wrote a functional language called Verve. Last week, he announced its arrival and availability as open source.

His goal, as stated in his blog, is to create a more approachable functional language by combining familiar concepts from other functional and object-oriented languages.

Zagallo said that everything in Verve is an expression, citing the example of assigning an if expression to a variable, and that there is no support for explicit returns. In Verve, the return value of a function is the result of the last expression in its body.

The blog detailed five pieces of the implementation: Parser, Type Checker, Bytecode, Interpreter, and Garbage Collector. The code can be found on GitHub.

GE brings its Predix platform to Microsoft Azure
A partnership between GE and Microsoft will bring GE’s Predix platform for the “industrial internet” onto Microsoft’s Azure cloud, marking the first step in a broader collaboration between the companies. According to Microsoft’s announcement, made at its Worldwide Partner Conference, partnerships such as this will enable companies to “bridge the divide between the operational and information technologies that make up the Industrial Internet of Things.”

Azure will support the growth of the entire industrial IoT ecosystem by offering Predix customers access to the largest cloud footprint available today, along with data sovereignty, hybrid capabilities, and advanced developer and data services, Microsoft wrote in its announcement. In addition, GE and Microsoft plan to integrate Predix with Azure IoT Suite and Cortana Intelligence Suite along with Microsoft business applications, such as Office 365, Dynamics 365 and Power BI, in order to connect industrial data with business processes and analytics.

A developer preview is expected to be released toward the end of the year, and Predix on Azure is expected to be commercially available by mid-2017, the announcement said.

The announcement is available here.

About David Rubinstein

David Rubinstein is editor-in-chief of SD Times.