About the Analysis

The authors have taken great care to present statistically significant sample sizes with regard to component versions, downloads, vulnerability counts, and other data surfaced in this year's report. While Sonatype has direct access to primary data for Java, JavaScript, Python, .NET, and other component formats, we also reference third-party data sources as documented. Further, Sonatype's research analyzed scan data from 185,000 anonymized, validated applications.


Each year, the State of the Software Supply Chain report is a labor of love. It is produced to shed light on the patterns and practices associated with open source development and the evolution of software supply chain management practices.

The report is made possible thanks to a tremendous effort put forth by many team members at Sonatype, including Alex Aklson, PhD, Alexis Del Duke, Alli VanKanegan, Andrew Yorra, Audra Davis-Hurst, Ax Sharma, Bill Healey, Brian Fox, Bruce Mayhew, Eddie Knight, Elissa Walters, Ember DeBoer, Ilkka Turunen, Juan Morales, Katy Hiller, Leina Sanchez, Luke McBride, Maury Cupitt, Mike Hansen, Mitun Zavery, Nicole Lavella, Phil Snare, Stephen Magill, PhD, Steve Poole, Tara Condon, Tiffany Jennings, Todd Baseden and Vlad Drobinin, PhD.

We would also like to thank our many colleagues across the DevOps and open source development community for their contributions, big and small, and for sharing their perspectives.

Another very special thank you goes out to Alli VanKanegan, who created the incredible design for this year's report.

About Sonatype

Sonatype is the software supply chain management company. We empower developers and security professionals with intelligent tools to innovate more securely at scale. Our platform addresses every element of an organization's entire software development life cycle, including third-party open source code, first-party source code, infrastructure as code, and containerized code. Sonatype identifies critical security vulnerabilities and code quality issues and reports results directly to developers when they can most effectively fix them. This helps organizations develop consistently high-quality, secure software which fully meets their business needs and those of their end-customers and partners. More than 2,000 organizations, including 70% of the Fortune 100, and 15 million software developers already rely on our tools and guidance to help them deliver and maintain exceptional and secure software.


8161 Maple Lawn Blvd #250,
Fulton, MD 20759
United States of America

Tyson's, Virginia Office

8281 Greensboro Drive #630,
McLean, VA 22102
United States of America

European Office

168 Shoreditch High Street,
E1 6HU London
United Kingdom

APAC Office

60 Martin Place Level 1,
Sydney, NSW 2000,