Lineaje, a leader in software supply chain security management, released its new research report titled “What’s in Your Open-Source Software?” Compiled by the company’s research arm, Lineaje Data Labs, the report is a data-driven analysis into the integrity and reliability of open-source software (OSS), which now constitutes over 70% of all software. Focusing on the Apache Software Foundation as the gold standard of open-source software, the report uncovers the inherent risk and ease of software supply chain tampers in its most popular products and their dependencies. This inaugural installment of a series provides valuable insights into the often-opaque domain of OSS, shedding light on its integrity and implications for organizations’ security.

Lineaje Data Labs analyzed 41,989 open-source components embedded in the top 44 popular projects of the Apache Software Foundation across its last three versions. The analysis revealed that 68% of dependencies are on non-Apache Software Foundation open-source projects. These dependencies make even Apache Software Foundation’s integrity and inherent risk only as strong as the weakest component it embeds. With direct dependencies accounting for only 10%, the remaining 90% are transitive dependencies, which are not easily visible to developers selecting these packages. This creates an opaque and deep software supply chain invisible to developers.

The research reveals some additional insights about open-source software risk:

Extremely high inherent risk – 82% of components are inherently risky due to vulnerabilities, security issues, code quality or maintainability concerns.

Popularity of software does not indicate quality – Thus, choosing dependencies based on their popularity is not a reliable risk mitigation approach. Apache Software Foundation’s eCharts is its most popular package and is also one of the riskiest, for example.

The mirage of patching vulnerabilities – While organizations drown in a sea of patches they must apply, the research uncovers that 64.2% of all vulnerabilities have no fixes available yet — so they cannot be patched. At the same time, due to the deep transitive nature of dependencies, another 25.8% of all vulnerabilities are not patchable by the organization deploying or including open-source software. Effectively, complete patching — if achieved — addresses only about 10% of the vulnerability exposure of an organization.

“It’s imperative that organizations today understand that open-source software has risks and is tamper-able, even if it is very popular or provided by an established brand,” said Lineaje CEO and Co-founder Javed Hasan. “With more software being assembled than built, it’s become more important than ever to have formal tools to discover software DNA. Developers do not have X-ray vision to see inside a software component they include nor are most open-source selectors security experts. We must use software supply chain management tools like SBOM360 to continuously assess the dynamic, inherent risk and integrity of these software components that are built left of shift-left.”

Find out more at https://www.lineaje.com/