WhiteSource surveyed more than 650 developers, collected data from sources such as the NVD, security bulletins, peer-reviewed vulnerability databases, and issue trackers, and published a research report. The report shows that the number of open-source software vulnerabilities disclosed in 2019 surged to more than 6000, an increase of nearly 50% year-on-year.
Thankfully, 85% of the vulnerabilities have been disclosed together with a corresponding fix. However, the report also notes that only 84% of known open-source vulnerabilities end up in the NVD, and that vulnerability information is not released in one place but scattered across hundreds of resources. When that information is not indexed correctly, finding the data on a specific vulnerability becomes much harder.
In addition, the researchers compared the vulnerabilities found in the top seven programming languages in 2019 against the figures for the past ten years. It turns out that C, the language with the longest history among them, has the highest percentage of vulnerabilities. The relative number of vulnerabilities in PHP has also increased significantly. As for Python, although the language's popularity in the open-source community continues to rise, its percentage of vulnerabilities remains relatively low.
On the other hand, the report also questions whether the Common Vulnerability Scoring System (CVSS) is the best standard for prioritizing vulnerability remediation. CVSS has been updated several times over the past few years with the aim of providing objective, measurable standards that can serve all organizations and industries. In the process, however, the definition of a high-severity vulnerability also changed. For example, a vulnerability previously scored 7.6 under CVSS v2 may be scored 9.8 under CVSS v3.0, which means teams will face more high-severity issues.