Sonatype Software Supply Chain Report Records 650 Percent Uptick in Some Supply Chain Attacks

Sonatype – a software developer for supply chain automation and security – rolled out its seventh annual “State of the Software Supply Chain Report,” noting continued “strong” growth in both open-source supply and demand.

Of note, Sonatype logged a 650 percent year-over-year increase in supply chain attacks on “upstream public repositories.” The report also pointed to a “fascinating dichotomy pertaining to the level of known vulnerabilities present in popular and non-popular project versions,” and observed what it called a “fundamental disconnect between people’s subjective beliefs about software chain management practices and objective results.”

The report analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npmjs), Python (PyPI) and .NET (nuget) ecosystems. Additional findings included:

  • Increases in supply (20 percent) and demand (73 percent), with the top four open-source ecosystems providing 2.2 trillion packages, containing more than 37 million versions of components.
  • Production apps using only 6 percent of available projects.
  • 29 percent of “popular” project versions containing at least one known security vulnerability, compared to 6.5 percent of “non-popular” versions.
  • Projects with a faster mean time to update containing 1.8X fewer vulnerabilities.
  • Software developers making “suboptimal” choices 69 percent of the time when updating third-party dependencies.
  • Automation saving organizations a projected $192,000 per year.

“This year’s State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype. “While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilized. Further, we now know that popular projects contain disproportionately more vulnerabilities. This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open-source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”

The report analyzed responses from 702 software engineering professionals across 100,000 production applications and four million component migrations made by developers over the past 12 months.