Skip Navigation
Resources Blog Introducing our 8th annual State of the Software Supply ...

Introducing our 8th annual State of the Software Supply Chain

The software supply chain has definitely been in all corners of the news this year, including finance, government, and technology. Although the focus is on security concerns, better supply chain management has benefits beyond preventing downtime and data breaches.

The observations presented in our 8th annual State of the Software Supply Chain report dig deeper as we continue our tradition of sharing management insights around the use of open source code in your software development life cycle (SDLC). The provided data highlights how better software supply chain management also saves money, improves morale, and accelerates innovation.

Key findings

  • The supply of open source continues to grow at an impressive rate, as do security concerns. There has been a 742% average annual increase in software supply chain attacks over the past 3 years:

Graph showing the intense growth of supply chain attacks since 2019

  • About 6 out of every 7 project vulnerabilities come from a specific type of software dependency known as a "transitive" dependency. We look at data-driven selections of the best projects and even the best versions of your projects.

  • Open source project maintainers are not the primary source of security risk, it's open source consumers. Our data show a monthly average of 3.4 billion downloads of vulnerable software where a fixed version is available.

  • More mature software supply chain management survey respondents were 2.7x more likely to report higher job satisfaction:

Bar graph of job satisfaction and mature management values

  • Development teams can cut expensive and tedious upgrade tasks in half by discerning the right dependency and when to upgrade.

Development perspectives

Sonatype experts and data researchers looked through both public and proprietary data sources to illustrate and address trends in supply chain management. We looked at:

  • Ongoing growth of the software supply chain itself and regulatory responses by governments around the world. 

  • Poor security trends with recommendations for teams and the industry

  • Improved insights from last year on choosing quality component projects and version upgrades

You can read this year’s full report by visiting, where you can see our overview of developer behaviors, better supply chain management, and recommendations for more mature development practices.

We'll also publish more background and analysis around the report to this blog in the weeks and months ahead.

Picture of Stephen Magill

Written by Stephen Magill

Stephen Magill is Vice President of Product Innovation at Sonatype. He’s the former CEO of MuseDev, a software company acquired by Sonatype, and is dedicated to helping developers write their best code through code quality automation.Stephen is a world-recognized expert on program analysis and was previously a principal scientist at Galois. Among his other accomplishments, he earned his Ph.D and M.S in CS from Carnegie Melon and serves on the University of Tulsa Industry Advisory Board.