According to Sonatype’s Annual State of the Software Supply Chain Report, the number of open-source projects considered “actively maintained” declined by 18% in 2023.
The report claims that only 11% of open-source projects are actually actively maintained.
Despite these findings, Sonatype still says that 96% of vulnerabilities are avoidable: there were 2.1 billion downloads of open-source software with known vulnerabilities for which a newer version with the issue fixed was already available.
“A lot of maintainers are very diligent – Big Tech companies go out of their way to hire talented people to maintain libraries they rely on,” said Brian Fox, CTO at Sonatype. “Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers, and giving them access to the right tools. The goal is to help developers be more intentional about downloading open source software from projects with the most maintainers and the healthiest ecosystem of contributors. This will not only create safer software, but also recoup nearly two weeks of wasted developer time each year.”
The number of supply chain attacks continues to increase year over year. In 2023, there were twice as many attacks as in 2019-2022 combined. This equates to 245,032 malicious packages, with one in eight open-source downloads containing a known vulnerability.
Sonatype also said it found a disconnect between how secure companies think they are and the reality: 67% say they are confident they have no code from vulnerable libraries in their systems, yet 10% have suffered a security breach due to vulnerable components this year.
Finally, the company found that 39% of companies find a vulnerability within one to seven days, 29% take over a week, and 28% take less than one day.