Nearly all (95%) open source vulnerabilities are found in transitive or indirect dependencies, according to a new report from Endor Labs that highlights the challenges of remediation in these environments.
To better understand the security impact of dependencies in open source environments, Endor Labs analyzed the Census II report, described as containing a list of the most popular open source components used in apps today.
It took its description of 1833 packages and enriched it with data from other sources, including Libraries.io, Maven and Maven Central to compile the State of Dependency Management report.
Open source is increasingly favored by developers as a way to accelerate time to market.
However, as the report explained, only a small (5%) number of these so-called software dependencies are actually chosen by DevOps teams. Most are automatically pulled into the codebase – known as transitive/indirect dependencies.
This can add extra risk if they’re not all mapped, with any associated bugs remediated.
“In this environment, open source software is the backbone of our critical infrastructure – but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS,” said Varun Badhwar, co-founder and CEO of Endor Labs.
“This is a huge arena, yet it’s been largely overlooked. This first report from Station 9 makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open source code is to live up to its potential, then security needs to move to the top of the priority list.”
The report revealed that half (50%) of the packages listed in Census II didn’t even have a release in 2022 and 30% had their last update in 2018, making it more likely that they contain unfixed vulnerabilities.
Even if developers use the latest version of an open source packages there’s a 32% chance it will contain vulnerabilities, the report claimed.
It argued that “reachability” is the most important criteria for prioritizing transitive vulnerabilities, as this is a precursor for exploitation.
A separate report from Sonatype released earlier in 2022 claimed that transitive dependencies accounted for six out of every seven bugs affecting open source projects over the past year.