Open Source Supply

Software, and the ability to produce it, requires quality, security and availability, the cornerstones of the information age. Software developers rely on quality components, frameworks, libraries, and pre-trained AI models that are available through central repositories. With software supply chain incidents like Log4Shell continuing to make headlines, it would be understandable to feel a sense of unease and want to completely reexamine every element of the development lifecycle, from security through to general management. Heightened scrutiny is driving governments, foundations, senior practitioners, and C-level executives to push for greater transparency and shared responsibility across development sourcing methodologies, and for orchestrated responses that secure a better path forward.

Leveraging eight years of experience, the Software Supply Chain Report team has gathered and analyzed data that points to outcomes everyone involved in the software supply chain should take note of. At the epicenter of software supply chain management are the trends associated with open source adoption. The supply of open source continues to grow at double-digit rates and shows no signs of stopping anytime soon. Similarly, the volume of open source downloads is ever-accelerating, creating a massive increase in consumption. This equates to a perfect storm of potential threats that expands in scope, complexity, and impact.

Key Findings

- There has been an astonishing average annual increase in software supply chain attacks over the past three years (the percentage figure is not captured on this page).
- About 6 out of every 7 project vulnerabilities come from transitive dependencies.
- "More mature software supply chain management equates to more job satisfaction."
- 1.2 billion vulnerable dependencies are downloaded each month.
- A large share of known-vulnerable open source downloads are avoidable (the percentage figure is not captured on this page).

Foreword

Enhancing software supply chain security is a priority issue for the open source community. Recent exploitations, from Log4j to crypto heists tied to open source repositories, have proven costly, not only in financial terms, but in terms of loss of trust. At the Linux Foundation (LF), we've engaged stakeholders across the open source ecosystem to build more trusted software supply chains, understanding that only through a coordinated effort to implement security best practices can we create the necessary foundations for more secure software. And within this landscape, Sonatype has been a reliable and trusted partner.

Important security initiatives at the LF include the formation of the Open Source Security Foundation, the hosting of recent Open Source Security Summits in North America, Europe, and Japan, the creation of free security-related training courses, such as how to use Sigstore and SLSA levels to secure software supply chains, as well as the engagement of executive leaders in government and enterprise. And in pursuing further research, highlighted by the formation of LF Research as a capability in 2021, we're actively engaged in supporting coordinated open source software security efforts through trusted data generation.

Current research on open source - including measuring supply and demand, identifying trends in contribution levels, and exploring security-related challenges and readiness - is a sought-after resource for the formation of open source strategy and guiding the implementation of best practices. Organizations like Sonatype are leading the much-needed empirical research effort to help answer critical questions around open source trends at a broad level, with an increasing focus on security. Recent research from the LF identifies the most widely used software applications (with the Laboratory of Innovation Science at Harvard), explores software bill of materials (SBOM) readiness, identifies gaps in organizational software development practices, and uncovers challenges facing the maintainer and committer community. And in the process of producing research, we know we can't operate on our own. It takes a community to build data-driven insights—the type that encourages development teams to apply sound and secure methodologies.

Sonatype's annual research reports are a vital part of the open source data and insights landscape, and this year's report is no exception. New data on dependency management, standards adoption, velocity, and yes - the efficacy of security metrics - including the Open Source Security Foundation Scorecard, will guide decision makers with increasing confidence. Sonatype's 8th Annual State of the Software Supply Chain is an important resource that will inform high-impact actions across the ecosystem, and empower all facets of the open source community to reach consensus on important issues. We at the Linux Foundation wholeheartedly support this work.

Hilary Carter
VP Research
The Linux Foundation