Build Room by Sonatype

Open Claw vs. Spring: What AI-Created Software Actually Looks Like

AI coding assistants are helping developers build software faster, but they're also introducing more open source dependencies than many teams realize. In this episode, Sonatype Field CTO Ilkka Turunen compares the Spring framework, a traditional open source project, with Open Claw, an AI-developed project. Tune in to see 3D dependency visualizations depicting how AI-assisted development is creating larger, deeper, and more complex software supply chains.

 

Frequently Asked Questions

Why does AI increase the number of software dependencies?

AI coding assistants often recommend existing open source packages instead of generating every capability from scratch. Because those packages include their own transitive dependencies, AI-assisted development can rapidly expand an application's software bill of materials (SBOM), increasing the overall size and complexity of the software supply chain.

What are transitive dependencies?

Transitive dependencies are libraries that your direct dependencies require to function. While developers may intentionally select only a small number of packages, those packages often introduce hundreds of additional components automatically, significantly expanding the software supply chain.

What is a software dependency tree?

A software dependency tree is a visual representation of all the open source libraries an application relies on, including both direct dependencies selected by developers and the transitive dependencies those libraries introduce. It helps organizations understand the full scope of their software supply chain and identify potential areas of risk.

Why do larger dependency trees increase software supply chain risk?

Every open source component represents software that must be evaluated for vulnerabilities, malicious packages, licensing, maintenance, and policy compliance. As dependency trees grow larger, organizations have more components to monitor and secure, increasing the potential attack surface.

How can organizations secure AI-generated code?

Organizations can secure AI-generated code by giving AI coding assistants access to trusted, real-time dependency intelligence and enforcing software supply chain policies throughout development. Rather than relying solely on post-build scanning, organizations should help developers and AI choose secure, well-maintained, and policy-compliant open source components from the start. Sonatype enables this approach through AI Software Composition Analysis (AI SCA), combining trusted open source intelligence, policy enforcement, and automated dependency management to help organizations reduce software supply chain risk while accelerating AI-powered software development.