Developers continue to download risky open-source packages
Mitigating the threat posed by both malicious and vulnerable packages falls to the consumers of packages as well, not just to the repository managers. Unfortunately, the data shows that users continue to download risky packages at high rates.
According to Sonatype’s data, collected from its software supply chain management tools and from the Maven repository for Java components that the company runs, 12% of component downloads in 2022 and 10% in 2023 were for versions with a known vulnerability. Over a third of those had a critical vulnerability and another 30% had a high-severity flaw. More alarming still, 96% of those vulnerable downloads could have been avoided, because the consumed components had newer versions available that did not carry the vulnerability.
“The increase of critically vulnerable components being consumed could be due to the fact that these vulnerabilities are found and reported primarily in more popular and widely adopted open-source software,” the Sonatype researchers said. “Popularity begets more attention from good and bad actors, resulting in increased likelihood of a critical issue being present. It’s also worth noting that these more popular components have an official disclosure process to communicate through. Meaning, on average, these critical vulnerabilities should be the ones that are most noticed. But, as we’ve seen with the vulnerable version of Log4j, ‘knowing’ is only half the battle. Organizations have to care, and they have to have an automated way to address this issue.”
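As an added illustration (not part of the article, and not Sonatype's tooling), the check below reproduces the report's "avoidable" distinction for a list of consumed Maven components: a vulnerable download counts as avoidable when every advisory that hits that version already has a patched release, and the recommended upgrade is the lowest version that clears all of them. The advisory feed, component coordinates and versions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Advisory:
    component: str        # Maven coordinates "group:artifact"
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first patched version, or None if no fix is published
    severity: str

def parse_version(v: str) -> tuple:
    # Numeric dotted versions only ("2.14.1" -> (2, 14, 1)); full Maven
    # version ordering with qualifiers is deliberately out of scope here.
    return tuple(int(p) for p in v.split("."))

def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    return v >= parse_version(adv.introduced) and (adv.fixed is None or v < parse_version(adv.fixed))

def classify(component: str, version: str, advisories) -> dict:
    """'clean', 'avoidable' (every hit has a patched release) or 'unavoidable' (a hit has no fix)."""
    hits = [a for a in advisories if a.component == component and is_affected(a, version)]
    if not hits:
        return {"status": "clean", "severity": None, "upgrade_to": None}
    severity = max((a.severity for a in hits), key=SEVERITY_RANK.get)
    if all(a.fixed for a in hits):
        # The lowest version clearing every advisory is the highest of their fixed versions.
        return {"status": "avoidable", "severity": severity,
                "upgrade_to": max((a.fixed for a in hits), key=parse_version)}
    return {"status": "unavoidable", "severity": severity, "upgrade_to": None}

def audit(downloads, advisories) -> dict:
    """Summarise (component, version) downloads the way the report does."""
    results = [classify(c, v, advisories) for c, v in downloads]
    vulnerable = [r for r in results if r["status"] != "clean"]
    avoidable = [r for r in vulnerable if r["status"] == "avoidable"]
    return {"total": len(results),
            "vulnerable_share": len(vulnerable) / len(results) if results else 0.0,
            "avoidable_share": len(avoidable) / len(vulnerable) if vulnerable else 0.0,
            "critical": sum(r["severity"] == "critical" for r in vulnerable)}

# Constructed sample feed and download log (not Sonatype's data).
ADVISORIES = [Advisory("com.example:logger", "2.0.0", "2.17.1", "critical"),
              Advisory("com.example:logger", "2.10.0", "2.16.0", "high"),
              Advisory("com.example:widget", "1.0.0", "1.4.0", "high"),
              Advisory("com.example:unfixed-lib", "3.0.0", None, "medium")]
DOWNLOADS = [("com.example:logger", "2.14.1"), ("com.example:logger", "2.17.1"),
             ("com.example:widget", "1.3.2"), ("com.example:widget", "1.4.0"),
             ("com.example:unfixed-lib", "3.0.0"), ("com.example:other", "1.0.0")]
```

On the sample data, half the downloads are vulnerable and two of those three are avoidable; the same logic applied to a real lockfile and advisory feed in CI is the "automated way" the quote above calls for.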
Open-source maintenance quality is uneven, dropping
Component developers must also do their part by responding to reports and patching flaws as quickly as possible, and the quality of this process varies widely across the ecosystem. In fact, Sonatype has seen an increase in the number of projects that are no longer maintained by their creators.
In 2020, the Open Source Security Foundation (OpenSSF) released Scorecard, a system for scoring projects on their adoption of security best practices. According to the data, over 24,000 projects across the Java and JavaScript ecosystems that were listed as maintained in 2021 no longer qualified as maintained in 2022, based on commit and issue-tracking activity.
Another important metric Scorecard tracks is “code review”, the practice of reviewing pull requests before merging them into the project. This is the practice most strongly associated with good security outcomes, according to Sonatype, yet it is not widely adopted. In fact, over the past year the number of projects that used code review decreased by 15% overall, and by 8% when counting only projects that qualify as maintained.