Nearly 95% of all vulnerabilities are found in transitive dependencies – open source code packages not selected by developers, but indirectly pulled into projects, according to research presented by Endor Labs.
“In this environment, open source software is the backbone of our critical infrastructure, but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS,” says Varun Badhwar, co-founder and CEO of Endor Labs. “This is a huge arena, yet it’s been largely overlooked. This first report from Station 9 makes clear the depth of the problems in this area, and the need for substantive solutions. If the reuse of open source code is to live up to its potential, then security needs to move to the top of the priority list.”
- The problem isn’t necessarily the widespread use of existing open source code in new applications; it is that only a small fraction of these software dependencies is actually selected by the developers involved. The rest are “transitive” or indirect dependencies automatically pulled into the codebase.
- The vast majority of all vulnerabilities, 95%, are indeed found in transitive dependencies, making it very difficult for developers to assess the true impact of these issues, or whether they’re even reachable.
- 50% of the most used Census II packages didn’t have a release in 2022, and 30% had their latest release before 2018; these can cause serious security and operational issues in the future.
- When upgrading to the latest version of a package, there’s still a 32% chance it will have known vulnerabilities.
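The direct-versus-transitive distinction and the impact-assessment problem described in the first two findings, shown on a small dependency graph. This is an added illustration, not code or data from the Endor Labs report: the graph, the root name `app` and the set of vulnerable packages are constructed sample data.

```python
# Classify known-vulnerable packages as direct or transitive dependencies.
# Added illustration, not from the Endor Labs report: the dependency graph and
# the set of vulnerable packages below are constructed sample data.
from collections import deque

# Constructed graph: package -> packages it requires. "app" is the project root,
# so its children are the direct dependencies the developers chose.
DEPS = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "json-parser"],
    "http-client": ["url-lib", "json-parser"],
    "template-engine": ["html-escaper"],
    "json-parser": [],
    "url-lib": ["idna-codec"],
    "html-escaper": [],
    "idna-codec": [],
}

# Constructed placeholders for packages with a known vulnerability (not real advisories).
VULNERABLE = {"http-client", "json-parser", "idna-codec"}


def dependency_paths(graph, root="app"):
    """Breadth-first walk; returns the shortest path from root to every package."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in paths:  # first visit gives the shortest path
                paths[child] = paths[pkg] + [child]
                queue.append(child)
    return paths


def classify_vulnerable(graph, vulnerable, root="app"):
    """Map each reachable vulnerable package to ("direct"|"transitive", path).
    The path shows which chosen dependency pulled the package in, which a
    developer needs to assess the vulnerability's real impact.
    """
    paths = dependency_paths(graph, root)
    return {
        pkg: ("direct" if len(path) == 2 else "transitive", path)
        for pkg, path in paths.items() if pkg in vulnerable
    }


if __name__ == "__main__":
    for pkg, (kind, path) in sorted(classify_vulnerable(DEPS, VULNERABLE).items()):
        print(f"{pkg:15} {kind:10} via {' -> '.join(path)}")
```

In this constructed graph two of the three vulnerable packages are transitive, and the printed path is the information a developer needs to decide which chosen dependency to upgrade or replace.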