Open source software vulnerabilities rose nearly 50% in 2019, with C accounting for the highest share

WhiteSource has released a research report based on a survey of more than 650 developers and on data collected from the NVD (National Vulnerability Database), security advisories, peer-reviewed vulnerability databases, issue trackers and other channels. The report shows that the number of open-source software vulnerabilities disclosed in 2019 grew to more than 6,000, an increase of nearly 50%.

Fortunately, 85% of these vulnerabilities were disclosed together with an appropriate fix.

However, the report also points out that, unfortunately, only 84% of known open source vulnerabilities ultimately appear in the NVD. Vulnerability information is not published in one central location but scattered across hundreds of sources, so as soon as indexing goes wrong, finding a specific record becomes increasingly difficult.

The report also found that 45% of open source vulnerabilities are not initially reported to the NVD; many reach the NVD only months after being published through other channels. Of all open source vulnerabilities reported outside the NVD, only 29% were eventually registered there.

In addition, the researchers compared the seven programming languages that ranked highest for vulnerabilities in 2019 and set the figures against the past decade. They found that, on a historical basis, C consistently accounted for the highest percentage of vulnerabilities among these languages. The relative number of PHP vulnerabilities also rose significantly, although there is no indication that its popularity grew to match. Python, despite its steadily rising popularity in the open source community, still has a relatively low percentage of vulnerabilities.

On the other hand, the report also considers the Common Vulnerability Scoring System (CVSS), the accepted standard for measuring and prioritizing vulnerability data. CVSS has been updated several times in recent years to give all organizations and industries objective, measurable criteria. In the process, however, it also changed the definition of a high-severity vulnerability. For example, a vulnerability rated 7.6 under CVSS v2 could be rated 9.8 under CVSS v3.0, which means teams face a larger number of high-severity issues. Now, more than 55% of vulnerabilities are rated high or critical severity.

The report predicts that the number of open-source software vulnerabilities will continue to grow in 2020. At the same time, several initiatives for securing the open source ecosystem are steadily advancing.

Finally, the authors conclude: "The most important point is that an open source project having reported vulnerabilities does not mean it is unsafe. It only means that, as a user of open source projects, you need to understand the security risks and make sure you keep your open source dependencies up to date."

Full report: https://resources.whitesourcesoftware.com/research-reports/the-state-of-open-source-vulnerabilties-2020

Source: www.oschina.net/news/114116/2019-open-source-vulnerabilities