Assessment of problems with maintaining open projects and using old dependencies

Carding 4 Carders

Professional
Messages
2,731
Reputation
13
Reaction score
1,376
Points
113
Sonatype, a company specializing in defending against software supply chain attacks (the substitution of software components and dependencies), has published the results of a study (PDF, 62 pages) of dependency and maintenance problems in open source projects written in Java, JavaScript, Python and .NET and distributed through the Maven Central, npm, PyPI and NuGet repositories. Over the year, the number of projects in the tracked open ecosystems grew by an average of 29%. The number of package downloads from these repositories grew by 33% in 2023; for comparison, downloads grew by 73% in 2021.

Malicious activity in the repositories has increased significantly: since the beginning of the year, 245,000 malicious packages have been identified, and the number of recorded attacks that substitute dependencies (typosquatting and dependency confusion) has doubled.


Many projects continue to use vulnerable versions: for example, 23% of downloads of the Log4j Java library are still of versions with critical vulnerabilities that were fixed back in 2021. In Maven Central, about 12% of all downloads are of components with known vulnerabilities. Averaged over all repositories, 20% of downloads are of older package versions classified as risky (for example, with unpatched vulnerabilities); in the remaining 80% of cases the current version is downloaded. In 96% of cases, downloading a vulnerable component could have been avoided by choosing a version in which the problem had already been fixed.

Quality of project maintenance is also a significant security problem, and it is especially acute in the Java and JavaScript ecosystems: over the past year, maintenance of almost every fifth project (18.6%) that is published in Maven Central or npm and was still maintained the previous year was discontinued. Of the 1.176 million analyzed projects present in the Maven, npm, PyPI and NuGet repositories, only 11% (118 thousand) continue to be actively maintained.
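The two findings above (downloads of versions that are older than the fix, and dependencies whose projects are no longer maintained) both come down to one check a practitioner can run offline over a dependency list. The script below is an added example written for this page, not code from Sonatype's study or its tooling. It assumes the `group:artifact:type[:classifier]:version:scope` lines printed by `mvn dependency:list` (the sample output, the `com.example:legacy-utils` artifact and the "last release" dates are constructed for illustration; in practice the dates come from repository metadata), and it uses Log4j 2.17.1 as the minimum acceptable log4j-core version, the first release with all four of the late-2021 log4j-core CVEs fixed.

```python
"""
Offline dependency audit: flag dependencies that are (a) older than the
version in which known vulnerabilities were fixed, or (b) apparently
unmaintained (no release for more than a year).
"""
from datetime import date

# Constructed sample of `mvn dependency:list` output for a hypothetical project.
SAMPLE_MVN_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    com.example:legacy-utils:jar:1.0-beta2:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""

# Minimum version with the known fixes; 2.17.1 is the first log4j-core
# release with all four late-2021 CVEs fixed.
MIN_SAFE_VERSION = {
    "org.apache.logging.log4j:log4j-core": "2.17.1",
}

# Constructed "last release" dates standing in for repository metadata.
LAST_RELEASE = {
    "org.apache.logging.log4j:log4j-core": date(2023, 12, 18),
    "org.apache.logging.log4j:log4j-api": date(2023, 12, 18),
    "com.example:legacy-utils": date(2021, 3, 2),
    "com.fasterxml.jackson.core:jackson-databind": date(2023, 5, 30),
}

# Fixed reference date so the staleness check is reproducible.
REFERENCE_DATE = date(2024, 1, 15)


def parse_dependency_list(text):
    """Return (group:artifact, version) pairs from `mvn dependency:list` lines."""
    deps = []
    for line in text.splitlines():
        body = line.removeprefix("[INFO]").strip()
        parts = body.split(":")
        # group:artifact:type[:classifier]:version:scope -> 5 or 6 fields;
        # the version is always the second-to-last field.
        if len(parts) in (5, 6):
            deps.append((f"{parts[0]}:{parts[1]}", parts[-2]))
    return deps


def _tokens(version):
    """Numeric segments compare as ints; qualifiers (beta, rc, SNAPSHOT) compare
    as strings and sort before a numeric segment, so 2.0-beta9 < 2.0."""
    import re
    return [(1, int(t)) if t.isdigit() else (0, t.lower())
            for t in re.findall(r"\d+|[A-Za-z]+", version)]


def compare_versions(a, b):
    """Maven-style ordering: -1 if a < b, 0 if equal, 1 if a > b.
    Missing trailing segments count as 0, so 2.17.1 == 2.17.1.0."""
    ta, tb = _tokens(a), _tokens(b)
    n = max(len(ta), len(tb))
    ta += [(1, 0)] * (n - len(ta))
    tb += [(1, 0)] * (n - len(tb))
    return (ta > tb) - (ta < tb)


def audit(mvn_output, today, min_safe=MIN_SAFE_VERSION,
          last_release=LAST_RELEASE, stale_after_days=365):
    """Return (coordinate, version, reason) for every flagged dependency."""
    findings = []
    for coord, version in parse_dependency_list(mvn_output):
        fixed = min_safe.get(coord)
        if fixed and compare_versions(version, fixed) < 0:
            findings.append((coord, version, f"below fixed version {fixed}"))
        released = last_release.get(coord)
        if released and (today - released).days > stale_after_days:
            findings.append((coord, version, f"no release since {released.isoformat()}"))
    return findings


if __name__ == "__main__":
    for coord, version, reason in audit(SAMPLE_MVN_OUTPUT, REFERENCE_DATE):
        print(f"{coord}:{version} -> {reason}")
```

On the constructed input the audit flags log4j-core 2.14.1 as below the fixed version and `com.example:legacy-utils` as unmaintained; the version comparator, not string comparison, is what makes "2.14.1" sort below "2.17.1" and "1.0-beta2" below "1.0". Feeding it real `mvn dependency:list` output (the Maven version ordering rules are more elaborate than this comparator; it covers the common numeric-plus-qualifier cases) gives the kind of check that would have avoided the 96% of vulnerable downloads the study says were avoidable.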

The study also included a survey of 621 professional developers at various companies. 67% of respondents believe that their applications do not use vulnerable libraries, 10% experienced security incidents caused by vulnerabilities in open source software over the past 12 months, and 20% found it difficult to answer. 28% of companies detect the presence of a vulnerable component within 1 day of the vulnerability being disclosed, 39% within 1 to 7 days, and 29% only after more than a week.