The 9th Edition of Sonatype’s State of the Software Supply Chain underlines that even though improvements were made on "the security of the software supply chain problem", there is still a long way to go, given that 96% of all vulnerable downloads were avoidable. Besides following the trends of previous editions, the report zooms in on the novelties of the first post-pandemic year: regulatory changes and the rapid adoption of Generative AI.
Open Source Supply and Demand
The supply side of open source is seeing a resurgence as new open-source projects have been published at a steady average rhythm of 15% in recent years. This is still far from its peak in 2019.
On the other end of the spectrum, open-source consumption is decelerating. In 2023, the average download rate is sitting at the same average growth rate from last year: 33%. This starkly compares to the all-time high of 73% year-after-year (YoY) growth from 2021.
Looking at the projects for the year for each ecosystem individually:
- Java - expected to reach 1 Trillion requests, a 25% YoY estimated growth
- Javascript - expected to reach 2.1 Trillion requests, a 32% estimated growth
- Python - expected to reach 261 Billion requests, a 31% estimated growth
- .Net - expected to reach 162 Billion requests, a 43% estimated growth
Open source security concerns are now higher than ever. Until September, when this report was written, 245,032 malicious packages were discovered. That means that in 2023, there were twice as many supply chain attacks as the cumulative numbers in the previous four years.
According to a joint consortium of national operators - including CISA, NSA, and NCSC - attackers are exploiting older well-known vulnerabilities much more frequently than zero-day vulnerabilities. The report points out that even though zero days are a reason to worry about, 96% of vulnerable open-source downloads have a non-vulnerable available fix.
The report emphasizes that two years after Log4Shell, 25% of the users are still downloading a vulnerable version, a slight decrease from 29% of vulnerable downloads in December 2021.
Open Source Security Practices
Based on OpenSSF’s scorecard started in 2020, the report checks how the monitored projects evolved during this year, focusing on the Java and JavaScript ecosystems. According to the report, 18.6% of the projects no longer qualify as maintained. Comparing the two ecosystems, the report points out that, in general, Java projects score better than JavaScript ones:
Overall, the scores of the maintained projects increased during the year, with those of the Java ecosystem seeing positive changes while JavaScript saw negative ones. This section of the report concludes by explaining the importance of a well-maintained project and stressing that the difference in the quality of the project needs to be followed over time, not only when choosing the library.
Modernizing Open Source Dependency Management
The report states that the average Java application uses 148 dependencies, with around ten releases occurring annually. That means that the developer not only makes the initial selection of those libraries but has to track an average of 1,500 dependency changes throughout a year, given that out of 36.4% of Maven Central's monthly vulnerable downloads, 96% were avoidable (a fixed version was available for the given libraries). The report emphasizes that "Open source consumers are not paying attention."
The report further explores the reasoning for the above data, asking, "Why do developers fail to escape the dependency hell?" Among the findings is the complex web of dependencies of an average Java application: 150 dependencies with an average of 10 yearly releases. That translates into 1,500 supply chain events to be tracked for any Java project, on top of needing to initially choose the libraries.
Software Supply Chain Maturity
The report acknowledges the rapid and significant changes in the software supply chain in the last decade, underlining the rise of Generative AI and regulatory initiatives globally in the last year.
Drawing from industry survey data, the report highlights an increasing focus on open-source risk within software development. The report highlighted a 9.8% increase in adopting integrated tooling, embedding risk information directly into continuous integration processes. Simultaneously, there's a heightened awareness of open source risk, with more engineering teams prioritizing it. Although there have been improvements in handling dependency upgrades, the survey pointed out ongoing challenges in software supply chain practices. Despite the rising awareness, organizations still face hurdles in implementing effective measures, underlining the need for stronger organizational support and robust tools.
This is mirrored also in the increasing demand for Software Bills of Materials (SBOMs), which are comprehensive inventories detailing software components. Notably, 53% of the respondents pointed out that they are now generating an SBOM for every application, even higher in the case of larger enterprises.
Establishment and Expansion of Software Supply Chain Regulations and Standards
The report states that the joining of new countries (Germany, Australia, Japan, Canada, and others) to the main promoters of regulation in cyberspace (the EU and the US), but also the push for global partnerships underlines the pressing need to safeguard the digital realm.
The report also points to the prominent changes coming from these countries. For the US, this includes the US National Security Strategy, the Securing Open Source Software Act, the FED’s Cybersecurity in Medical Devices, and the SEC’s new regulation.
Across the Atlantic, in the EU, the most important changes are the Cyber Resilience Act, the Product Liability Directive, and the Network and Information Security Directive.
AI in Software Development
According to the report, over the past year, the adoption of AI and ML tools has more than doubled in the enterprise world (the tools range from classical machine learning to hugging face transformers). From the perspective of the software supply chain, the report emphasizes the "burden" on the data scientists' shoulders: out of more than 300,000 available models, the selection process hinges on evaluating parameter size, input context window, version suitability, and embeddings, with an emphasis on meeting licensing criteria and upholding security protocols.
Another potential risk mentioned is using a model with the license "shadowed", a model released by an organization under a non-commercial license that is fine-tuned and further released under a more permissive license.
The overlap of the rapid adoption of Generative AI and regulatory changes against a backdrop of increasing open-source consumption and security concerns resulted in an even more complex landscape. As the industry grapples with these multifaceted issues, the report emphasizes the crucial need for continued vigilance, robust security practices, and proactive dependency management to navigate the evolving digital terrain where humans are still the decision-makers.