More and more open source projects are discontinued, and the Java ecosystem is most affected.

Sonatype has released its latest State of the Software Supply Chain report (the ninth annual edition). It looks at how to choose better software in a world full of options, explores the far-reaching impact of artificial intelligence (AI) on software development, and examines open source supply and demand, including the intricate interplay between project requirements and security.

The report tracks the growth of open source in the four major ecosystems: Java (Maven), JavaScript (npm), Python (PyPI), and .NET (NuGet Gallery). Every ecosystem studied showed consistent project growth, with the number of available open source projects up an average of 29% year over year between 2022 and 2023. In 2023 an open source project released 15 versions on average, with the per-ecosystem averages ranging from 10 to 22 versions across the registries. That is roughly one or two new versions a month per project, for a total of 60 million new versions released in the observed ecosystems.

But as the supply of open source components continues to grow, demand has not kept pace. The growth rate of downloads has declined over the past two years: it averaged 33% in 2023, down sharply from the 73% growth seen in 2021.

Meanwhile, open source software security concerns show no signs of easing. As of September 2023, the research team had catalogued a total of 245,032 malicious packages, twice the total of previous years. One in eight open source downloads carries a known risk, and 23% of Log4j downloads are still of versions with critical vulnerabilities, even though fixed releases have been available since December 2021.

Active maintenance of open source projects is also declining. The research shows that nearly one in five (18.6%) projects ceased maintenance last year, with the Java and JavaScript ecosystems hit hardest, and that only 11% of open source projects are actively maintained. Despite these problems, Sonatype says that nearly 96% of downloads of components with known vulnerabilities could have been avoided by choosing a version of the same component that has no known vulnerability.
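As an added worked example (not from the report or this article), here is the check behind those two Log4j figures: given a Maven pom.xml, flag a declared log4j-core version that falls inside the CVE-2021-44228 (Log4Shell) range and pick the nearest release outside it. The affected range is the one NVD lists for that CVE, 2.0-beta9 through 2.15.0 excluding the 2.3.1, 2.12.2 and 2.12.3 backports; the pom.xml and the candidate release list are constructed sample input, and the version comparison is a simplification of Maven's ordering rules.

```python
"""Flag a Log4j 2 dependency hit by CVE-2021-44228 and pick a fixed release.

Added example for this article, not Sonatype's code. The affected range is
the one NVD lists for CVE-2021-44228 (Log4Shell): log4j-core 2.0-beta9
through 2.15.0, excluding the security backports 2.3.1, 2.12.2 and 2.12.3.
The pom.xml and the release list below are constructed sample input.
"""
import re
import xml.etree.ElementTree as ET

# Simplified Maven version ordering: dotted numeric segments compared as
# integers, and a qualifier such as "beta9" sorts before the bare release
# (2.0-beta9 < 2.0). Enough for log4j-core; not Maven's full algorithm.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]+)(\d*))?$")


def parse_version(text):
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError("unsupported version string: %r" % text)
    nums = [int(x) for x in m.group(1).split(".")]
    nums = (nums + [0, 0, 0])[:3]
    qual, qnum = m.group(2), m.group(3)
    # Final release -> (1, "", 0); pre-release -> (0, qualifier, number)
    tail = (1, "", 0) if qual is None else (0, qual.lower(), int(qnum or 0))
    return tuple(nums) + tail


# Advisory data as published by NVD for CVE-2021-44228; both bounds inclusive.
CVE_2021_44228 = {
    "id": "CVE-2021-44228",
    "artifact": "org.apache.logging.log4j:log4j-core",
    "low": "2.0-beta9",
    "high": "2.15.0",
    "excluded": ["2.3.1", "2.12.2", "2.12.3"],  # backports that already carry the fix
}
ADVISORIES = [CVE_2021_44228]

# Constructed subset of real log4j-core release numbers, standing in for the
# list a tool would fetch from Maven Central.
LOG4J_CORE_RELEASES = ["2.12.1", "2.12.2", "2.14.1", "2.15.0", "2.16.0", "2.17.1", "2.20.0"]

# Constructed pom.xml: one vulnerable pin and one unrelated dependency.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>31.1-jre</version>
    </dependency>
  </dependencies>
</project>"""
_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def declared_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] for dependencies with an explicit version."""
    deps = []
    for dep in ET.fromstring(pom_xml).findall(".//m:dependency", _NS):
        group = dep.findtext("m:groupId", namespaces=_NS)
        artifact = dep.findtext("m:artifactId", namespaces=_NS)
        version = dep.findtext("m:version", namespaces=_NS)
        if group and artifact and version:  # inherited/managed versions are skipped
            deps.append(("%s:%s" % (group, artifact), version))
    return deps


def is_affected(coord, version, adv):
    """True when `version` of `coord` lies in the advisory's range and is not an excluded backport."""
    if coord != adv["artifact"]:
        return False
    pv = parse_version(version)
    if any(pv == parse_version(x) for x in adv["excluded"]):
        return False
    return parse_version(adv["low"]) <= pv <= parse_version(adv["high"])


def vulnerable_dependencies(pom_xml, advisories=ADVISORIES):
    """Return [(coord, version, advisory id)] for every declared dependency an advisory covers."""
    return [(coord, version, adv["id"])
            for coord, version in declared_dependencies(pom_xml)
            for adv in advisories
            if is_affected(coord, version, adv)]


def recommend_upgrade(coord, current, candidates, advisories=ADVISORIES):
    """Lowest candidate release at or above `current` that no advisory covers, or None."""
    cur = parse_version(current)
    safe = [c for c in candidates
            if parse_version(c) >= cur
            and not any(is_affected(coord, c, adv) for adv in advisories)]
    return min(safe, key=parse_version) if safe else None


if __name__ == "__main__":
    for coord, version, cve in vulnerable_dependencies(POM):
        fix = recommend_upgrade(coord, version, LOG4J_CORE_RELEASES)
        print("%s %s is affected by %s; nearest unaffected release: %s" % (coord, version, cve, fix))
```

Only the original Log4Shell CVE is modelled here, so the script suggests 2.16.0 for a project pinned to 2.14.1; the follow-up CVEs fixed in 2.16.0, 2.17.0 and 2.17.1 (CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832) would be added to ADVISORIES in the same shape and move the recommendation further along. Versions inherited from a parent POM or set through dependencyManagement are not resolved here, which is exactly the gap a full software composition analysis tool closes.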

Turning to AI in software development, 97% of the DevOps and SecOps leaders surveyed said they already use AI to some extent in their workflows, most of them with two or more tools daily. Adoption of AI and ML components in enterprise environments grew by 135% over the past year.

The research also found a gap between how secure companies believe they are and how secure they actually are. 67% of companies say they are confident their systems contain no code from vulnerable libraries, yet 10% suffered a security breach caused by a vulnerable component this year. Asked how long it takes them to discover a vulnerability, 28% said less than a day, 39% one to seven days, and 29% more than a week.

See the full report for more details.

Origin www.oschina.net/news/260454/9th-annual-state-of-the-software-supply-chain-report