The state of open source security report: 78% of vulnerabilities are found in indirect dependencies

Snyk, a well-known company that provides security services for open source projects, today released The state of open source security report 2019. To better understand the security status of the open source ecosystem, and how Snyk can help improve it, the company compiled the 2019 report from statistics and analysis of a large amount of data.

Below are the key data points from the report, grouped into six areas.

Open source adoption

  • Growth in indexed packages, 2017 to 2018
    • Maven Central – 102%
    • PyPI – 40%
    • npm – 37%
    • NuGet – 26%
    • RubyGems – 5.6%
  • npm reported 304 billion downloads for 2018
  • 78% of vulnerabilities are found in indirect dependencies

Known vulnerabilities

  • 88% growth in application vulnerabilities over two years
  • In 2018, vulnerabilities for npm grew by 47%. Maven Central and PHP Packagist disclosures grew by 27% and 56% respectively
  • In 2018, we tracked over 4 times more vulnerabilities in RHEL, Debian and Ubuntu than in 2017

Known vulnerabilities in docker images

  • Each of the top ten most popular default docker images contains at least 30 vulnerable system libraries
  • 44% of scanned docker images can fix known vulnerabilities by updating their base image tag

Vulnerability identification

  • 37% of open source developers don’t implement any sort of security testing during CI, and 54% of developers don’t do any docker image security testing
  • The median time from when a vulnerability was added to an open source package until it was fixed was over 2 years

Who’s responsible for open source security?

  • 81% of users feel developers are responsible for open source security
  • 68% of users feel that developers should own the security responsibility of their docker container images
  • Only three in ten open source maintainers consider themselves to have high security knowledge

Snyk stats

  • In the second half of 2018 alone, Snyk opened more than 70,000 Pull Requests for its users to remediate vulnerabilities in their projects
  • CVE/NVD and other public vulnerability databases miss many vulnerabilities, accounting for only 60% of the vulnerabilities Snyk tracks
  • In 2018 alone, 500 vulnerabilities were disclosed by Snyk’s proprietary dedicated research team

You can read the full report here.