A study published by Endor Labs found that nearly 95% of all vulnerabilities are found in transitive dependencies (open source code packages that are indirectly pulled into the project rather than picked by the developer) It has been.
“In this environment, open source software is the backbone of the critical infrastructure, but even seasoned developers and executives are surprised to learn that 80% of the code in modern applications comes from existing OSS. often,” said co-founder and CEO Varun Badhwar. of Endor Labs. “It’s a huge arena, but it’s been largely overlooked. This first report from Station 9 reveals the depth of the problem in this area and the need for substantial solutions. Open Source Code For reuse to reach its full potential, we need to move security to the top of our priority list.”
- The problem isn’t just the widespread use of existing open source code in new applications.it’s just a small sampling Of these software dependencies, they are chosen by the developers actually involved. The rest are “transitive” or indirect dependencies, which are automatically pulled into the codebase.
- The majority (95%) of all vulnerabilities are found in transitive dependencies in the real world, so developers should assess the true impact of these issues or whether they are reachable is very difficult.
- 50% of the most used Census II packages were not released in 2022 and 30% had a recent release before 2018. These can cause serious security and operational problems in the future.
- If you upgrade to the latest version of a package, you have a 32% chance of having a known vulnerability.