Sonatype Releases 2016 State of the Software Supply Chain Report


New research reveals massive increase in open source component use, persistent defect rates, and further embrace of supply chain principles to accelerate software quality and security

Fulton, MD. - July 11, 2016 - Sonatype, the leader in software supply chain automation, today announced the release of its second annual State of the Software Supply Chain report. Based on the analysis of 31 billion download requests of open source software components from the Central Repository, which is managed by Sonatype, the report provides insight into the software supply chain practices from 3,000 development organizations and also includes software component analysis of 25,000 applications.

Key findings from the report include:

Supply and demand have never been greater

  • The number of open source component download requests increased dramatically to 31 billion in 2015 from 17 billion in 2014, an 82 percent increase year-over-year.
  • 10,000 new component versions are introduced daily across development ecosystems.

Component sourcing practices are inefficient and software vulnerabilities are pervasive

  • Enterprises download more than 229,000 components annually, but, on average only 5,000 component downloads are unique.
  • Open source components vary widely in terms of quality and 6.1 percent of downloads (1-in-16 components) include a known security defect.

Organizations struggle with vulnerable parts

  • Data from 25,000 applications demonstrates that 6.8 percent of components in use had at least one known security defect, revealing that downloads of poor quality components are making their way into production.
  • Parts age and grow stale quickly.  Older components (age 3+ years) used in applications are disproportionately less healthy and are three times more likely to contain vulnerabilities.

Industry is taking action

  • Top performing enterprises, federal regulators and industry associations have embraced the principles of software supply chain automation to improve the safety, quality and security of software.

“By failing to effectively manage their software supply chain, we have found that software development organizations are taking on significant technical debt that is completely avoidable. Hours invested managing service interruptions and security breaches could otherwise be spent adding value for their companies and customers,” said Wayne Jackson, CEO, Sonatype. “Through our research, we have found that high performance development organizations are accelerating software innovation, quality, and security by embracing the principles of supply chain management – including using fewer and better suppliers, using only the highest quality parts, and tracking the precise location of every component part used inside their software.”

“Open source and third-party commercial components enable organizations to deliver quickly by reducing the amount of code they have to write. Just as manufacturers have learned they have to monitor and manage their suppliers, application development and delivery pros are learning that they have to manage increasingly complex supply chains,” wrote analysts Kurt Bittner, Diego Lo Giudice, and Amy DeMartine in the March 2016 Forrester report entitled Boost Application Delivery Speed And Quality With Agile DevOps Practices.  “Every component brings benefits as well as risks, and you must manage those risks by selecting the best components and suppliers and by making sure delivery teams use only the latest, most secure versions of selected components.”

Additional Resources

About Sonatype

Last year developers requested 31 billion components from the Central Repository to manufacture the software applications that run the world. Additionally, with more than 100,000 installations, companies around the globe use Sonatype’s Nexus solutions to manage reusable components and improve the quality, speed and security of their software supply chains. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. For more information, visit:

Media Contact

Jennifer Edgerly
SpeakerBox Communications for Sonatype