State of Software Supply Chain Report

The growth of open source software raises concerns about supply chain security, but well-maintained packages offer advantages. Developers balance upgrade urgency and consumption trends with insights from peers on SBOMs and management. Meanwhile, open source and supply chain regulations increase, as do AI/ML tools assisting developers, despite challenges for AI practitioners.

Sonatype recently published its State of Software Supply Chain report, which analyzed more than 1.2 million open source projects and uncovered some eye-opening facts. The report found an 18% reduction in the number of actively maintained open source projects compared to last year. This is a sharp decline when you consider that the figure dipped from 29% last year to just 11% this year.

Some new projects that were not initially maintained are now being actively maintained. Want to learn more interesting statistics from the State of Software Supply Chain report? Read on.

Table of Contents

7 Key Takeaways From State of Software Supply Chain Report

1. Most Open Source Projects Are Not Actively Maintained

2. Programming Languages Do Have An Impact

3. Vulnerability Detection Speed Varies

4. Vulnerable Libraries Are Rarely Used

5. AI Powered Software Components are Here

6. Open Source Download Growth Has Subsided

7. Efficient Patch and Bug Fixing

7 Key Takeaways From State of Software Supply Chain Report

Here are seven key takeaways from the State of Software Supply Chain report.

1. Most Open Source Projects Are Not Actively Maintained

Probably the biggest surprise from the State of Software Supply Chain report is that only 11% of all open source projects are actively maintained. Last year 39% of open source projects were actively maintained, so this is a worrying decline. The report attributes it to a lack of time and interest, outdated projects, and conflicts among developers. Open source developers must unite despite their differences to improve the open source community, or things will worsen.

2. Programming Languages Do Have An Impact

The open source project maintenance rate varies from programming language to programming language. For instance, 18.6% of Java-based open source projects are no longer being maintained. This was not the case last year, as all of these projects were actively maintained back in 2022.

Python and .NET open source projects have different active maintenance rates compared to Java. The bigger and more active the open source community, the easier it is to maintain projects. Smaller, less active communities make open source project maintenance harder.

3. Vulnerability Detection Speed Varies

It is not only programming languages and frameworks that vary; the pace at which businesses detect security flaws fluctuates as well. 39% of businesses detected vulnerabilities in open source projects within one to seven days, while it took 29% of businesses more than a week to identify them. 28% found the vulnerabilities in less than a day. The same spread applies to mitigation: 39% of businesses took more than seven days to mitigate the risk.

4. Vulnerable Libraries Are Rarely Used

Businesses are good at avoiding known vulnerabilities, and that shows in their choice of libraries. More than two-thirds (67%) of survey respondents said they do not believe their applications are using vulnerable libraries. Only 10% of businesses experienced a data breach last year due to a vulnerability in open source software or malicious libraries. Since most businesses are using cheap dedicated servers to run these applications, the risk of data breaches is much lower compared to migrating the workloads to the cloud.

This shows that awareness of using secure libraries for app development is growing. The State of Software Supply Chain report also shed light on the importance of good data: according to the report, using good data can save you twice as much time when fixing vulnerabilities and performing component upgrades.

5. AI Powered Software Components are Here

Artificial intelligence can be a godsend for software developers. It can help you write cleaner code by following best practices, identify and fix bugs in code to prevent software issues, and help you develop a more personalized user experience with your software.

According to the State of Software Supply Chain report, there has been a whopping 135% increase in machine learning and AI powered software components in corporate environments compared to last year. This trend will not die anytime soon, as AI becomes even more ingrained in the software development lifecycle.

6. Open Source Download Growth Has Subsided

The pace at which the open source industry as a whole, and open source downloads in particular, were growing is slowing down. A closer inspection of the number of open source downloads each year shows that it has been on a downward trend for the past two years.

Rising security concerns, coupled with poor maintenance and growing corporate usage, are some of the reasons behind this dip in demand for open source technologies. The same trend can be seen in cheap dedicated server hosting. The open source community must look to fix these prevalent issues in order to bring open source back on track.

7. Efficient Patch and Bug Fixing

If there is one area where open source software projects excel, it is releasing patches and fixing bugs before they can be exploited by threat actors. The research from the State of Software Supply Chain report shows that almost all (96%) of downloaded releases that are prone to security vulnerabilities already have a fixed version available. Only 12.5% of open source downloads had a known risk.

This clearly shows two things. First, the rate of open source downloads that have a known vulnerability is much lower. Second, the process of fixing bugs and releasing patches is swift; as a result, all vulnerabilities are patched before cybercriminals can exploit them.

What did you learn from the State of Software Supply Chain report? Share it with us in the comments section below.
