New versions of open-source components are being released every day at an overwhelming and alarming pace. According to the open-source governance company Sonatype, approximately 20,000 component updates are made per day, making it nearly impossible for teams to manage dependencies manually. In addition, attacks on open-source projects are difficult to detect because the malicious contributions look very similar to regular open-source contributions.
To help solve this problem, Sonatype has been developing the next generation of its Nexus Intelligence research engine, which automatically detects counterfeit and malicious code injected into open-source software supply chains.
“While stopping malicious attacks is critical, what people don’t always recognize as just as important is the inherent risk associated with each update to a new version of a component. Or, the risk of not updating,” said Brian Fox, CTO of Sonatype. “Whether you’re concerned about malicious attacks or the quality of the release you’re updating to, we’re working on providing a proactive level of risk protection.”
The company explained that in the last two years it has found more than 20 instances of adversaries publishing malicious code into public open-source and container repositories. These attacks targeted cryptocurrency and private SSH keys, inserted backdoors, and used targeted patches to alter proprietary code.
The updated engine is designed to provide real-time monitoring of open-source projects and to identify abnormal behavior and suspicious patterns.
“By combining a new type of behavioral analysis with machine learning and proprietary data, Nexus Intelligence now recognizes when new releases of an OSS project demonstrate heightened risk attributes,” said Fox. “Infused with this new type of intelligence, the Nexus Platform is enabling innovative policy controls to protect organizations from emergent supply chain threats.”
In addition to its detection capabilities, Nexus Intelligence collects real-time metadata on the quality of new component version releases, flagging cases such as the new iOS release that had a buggy launch. Developers will be able to see the integrity of an update and scale dependency management with greater ease.
The first iteration of the engine will focus on the commit behaviors and patterns of npm components and their creators. The company plans to expand to additional languages over time.