press release

Sonatype’s 8th Annual State of the Software Supply Chain


Las Vegas, Oct. 18, 2022 (GLOBE NEWSWIRE) — Sonatype, the pioneer of software supply chain management, today unveiled its eighth annual State of the Software Supply Chain Report at the DevOps Enterprise Summit. In addition to a massive surge in open source supply, demand, and malicious attacks, this year’s report found that 96% of open source Java downloads with known vulnerabilities could have been avoided because a better version was available but was ignored.

According to the report, this means 1.2 billion known-vulnerable dependencies that could be avoided are being downloaded every month, pointing to non-optimal consumption behaviors as the root of open source risk. This is in contrast to public discussion, which often associates security risk with open source maintainers. The report found open source maintainers to be, on average, efficient at delivering fixes to issues.

“This astonishing finding highlights how critical it is for engineering teams to continue education on open source risk and embrace intelligent automation to support their efforts. Humans are fallible, and the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality,” said Brian Fox, co-founder and CTO of Sonatype. “The good news is, this year’s report also shows ‘optimal’ dependency management is possible. Further, despite the continued attention on trying to ‘fix open source,’ the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event.”

With more open source being consumed than ever before, attacks targeting the software supply chain have increased as well, both in frequency and complexity. This year’s research revealed a 633% year-over-year increase in malicious attacks aimed at open source in public repositories, equating to a 742% average yearly increase…
