Dependencies in open-source packages are ripe with the potential to contain vulnerabilities. It’s one thing to try to manage that when you know what those dependencies are, but what about the ones that you’re less aware of?  

Only 18% of respondents to a joint survey conducted by Snyk and the Linux Foundation said they are confident of the controls they have for indirect dependencies, otherwise known as transitive dependencies. 

According to the report, there is an average of 49 vulnerabilities per project, and 18 to 20 of those are indirect, or about 40%. 

To get a better understanding, take a look at the real-life example of Log4j. The report states that 79% of the projects affected by Log4Shell contain the vulnerability more than once, and 60% of instances are found in indirect dependencies. 

Further complicating the matter is that detecting and fixing those indirect vulnerabilities is more difficult than remediating direct vulnerabilities. 

In addition, only 49% of organizations surveyed have a security policy in place for open source usage. This includes 27% of medium to large companies, which shows that it’s not just a problem for smaller companies with limited resources. 

According to the report, vulnerabilities are taking longer and longer to fix as time goes on, increasing from 49 days in 2018 to 110 days in 2021. 

Despite all the worry around open-source software and vulnerabilities that have been concerning software development teams these past few years, things seem to be looking up. Seventy-two percent of respondents predict that open-source software security will improve by the end of 2022 as a result of vendors adding increased intelligence to their tools.