The Linux Foundation, in collaboration with the Laboratory for Innovation Science at Harvard and multiple providers of software composition analysis (SCA) tools, published a study this week that, in addition to identifying the most widely used software packages, also shone a light on fundamental challenges the open source community needs to address.
Based on more than 12 million observations of software libraries, the “Census III of Free and Open Source Software – Application Libraries” report concludes that 96% of code bases make use of some type of open source software, with the most widely used npm packages being react-dom, react, lodash, axios and express.
Each package analyzed was ranked based on insights pulled from SCA tools provided by Black Duck, FOSSA, Snyk and Sonatype and additional manual audits of software conducted by volunteers.
In general, the report notes that the percentage of packages specific to a cloud service has increased and there has been a marked increase in the number of NuGet and Python packages. Additionally, the rate at which organizations migrate from Python 2 to Python 3 and adopt Rust to create memory-safe software is also steadily increasing.
However, the report notes that collecting accurate data remains a challenge because of a lack of standards for naming schemas.
More troubling still, the report also finds that the majority of these packages are maintained by a handful of contributors, which presents cybercriminals with a narrow set of primary account takeover targets; a compromised maintainer account could result in malware being injected into these software components. On the plus side, however, that narrow base of contributors also tends to make it more challenging for a new, unvetted contributor to add insecure code to a project.
Finally, the report also warns that access to legacy versions of packages makes it too easy for application developers using open-source software to download a package that contains known vulnerabilities that were addressed in a later release of that package.
David Wheeler, director of open-source supply chain security at the Linux Foundation, said none of these issues is likely to reduce reliance on open-source software. However, in an era where regulations concerning how software needs to be maintained and secured are becoming more stringent, there is still much work to be done.
The report, in fact, highlights which software packages might need the most help by including security ratings based on a framework developed by the Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation specifically focused on open-source software security, noted Wheeler. The overall goal is to enable the open-source software community to better prioritize remediation efforts based on how widely a software package is used, he added.
In fact, those insights might motivate more enterprise IT organizations to contribute to specific projects that are clearly more critical to them than others, said Wheeler.
There may, of course, never be such a thing as perfect application security, but at the very least the number of vectors that might be exploited can be sharply reduced once the open-source community understands where best to focus the efforts of the coalition of the willing that wants to help make a real difference.