Open-Source Software Often Fails to Meet Integrity Standards
April 19, 2023

Open-source software (OSS) constitutes over 70% of all software, and a new report — What's in Your Open-Source Software? — compiled by the Lineaje's research arm, Lineaje Data Labs, uncovers the inherent risk and ease of software supply chain tampers in the Apache Software Foundation's most popular products and their dependencies.

Lineaje Data Labs analyzed 41,989 open-source components embedded in the top 44 popular projects of the Apache Software Foundation across its last three versions. The analysis revealed that 68% of dependencies are on non-Apache Software Foundation open-source projects. These dependencies make even Apache Software Foundation's integrity and inherent risk only as strong as the weakest component it embeds. With direct dependencies accounting for only 10%, the remaining 90% are transitive dependencies, which are not easily visible to developers selecting these packages. This creates an opaque and deep software supply chain invisible to developers.

"It's fascinating to note that although Apache is a large contributor to open-source software, a good portion of the software it relies on is non-Apache Software Foundation. This highlights the incredible diversity and complexity of the open-source community," said Manish Gaur, Head of Product Security at VMware after reviewing the research report.

The research reveals some additional insights about open-source software risk:

■ Extremely high inherent risk – 82% of components are inherently risky due to vulnerabilities, security issues, code quality or maintainability concerns.

■ Popularity of software does not indicate quality – Thus, choosing dependencies based on their popularity is not a reliable risk mitigation approach. Apache Software Foundation's eCharts is its most popular package and is also one of the riskiest, for example.

■ The mirage of patching vulnerabilities – While organizations drown in a sea of patches they must apply, the research uncovers that 64.2% of all vulnerabilities have no fixes available yet — so they cannot be patched. At the same time, due to the deep transitive nature of dependencies, another 25.8% of all vulnerabilities are not patchable by the organization deploying or including open-source software. Effectively, complete patching — if achieved — addresses only about 10% of the vulnerability exposure of an organization.

It is crucial to note that the most significant risk lies not in the vulnerabilities that are not patched, but in those for which no fixes exist. These vulnerabilities continue to exist and pose a persistent threat, regardless of other patches applied.

The ability to detect tampering of the software supply chain is directly linked to software integrity. Of the tens of thousands of open-source projects decomposed for the report, results showed:

■ Unknown components – While the majority of software assessed had high integrity attestable components, the research reveals that about 3% of all components had no known origin. These are deeply embedded in Apache Software Foundation software, and their origin and update mechanisms are opaque.

■ Dubious origin components – 5.3% of components failed a basic integrity check that the package published by developers matched the source code it claimed to be associated with. This kind of integrity check would have flagged both the recent 3CX compromise as well as the SolarWinds compromise.

"It's imperative that organizations today understand that open-source software has risks and is tamper-able, even if it is very popular or provided by an established brand," said Lineaje CEO and Co-founder Javed Hasan. "With more software being assembled than built, it's become more important than ever to have formal tools to discover software DNA."

Share this

Industry News

December 19, 2024

Check Point® Software Technologies Ltd. has been recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for Email Security Platforms (ESP).

December 19, 2024

Progress announced its partnership with the American Institute of CPAs (AICPA), the world’s largest member association representing the CPA profession.

December 18, 2024

Kurrent announced $12 million in funding, its rebrand from Event Store and the official launch of Kurrent Enterprise Edition, now commercially available.

December 18, 2024

Blitzy announced the launch of the Blitzy Platform, a category-defining agentic platform that accelerates software development for enterprises by autonomously batch building up to 80% of software applications.

December 17, 2024

Sonata Software launched IntellQA, a Harmoni.AI powered testing automation and acceleration platform designed to transform software delivery for global enterprises.

December 17, 2024

Sonar signed a definitive agreement to acquire Tidelift, a provider of software supply chain security solutions that help organizations manage the risk of open source software.

December 17, 2024

Kindo formally launched its channel partner program.

December 16, 2024

Red Hat announced the latest release of Red Hat Enterprise Linux AI (RHEL AI), Red Hat’s foundation model platform for more seamlessly developing, testing and running generative artificial intelligence (gen AI) models for enterprise applications.

December 16, 2024

Fastly announced the general availability of Fastly AI Accelerator.

December 12, 2024

Amazon Web Services (AWS) announced the launch and general availability of Amazon Q Developer plugins for Datadog and Wiz in the AWS Management Console.

December 12, 2024

vFunction released new capabilities that solve a major microservices headache for development teams – keeping documentation current as systems evolve – and make it simpler to manage and remediate tech debt.

December 11, 2024

CyberArk announced the launch of FuzzyAI, an open-source framework that helps organizations identify and address AI model vulnerabilities, like guardrail bypassing and harmful output generation, in cloud-hosted and in-house AI models.

December 11, 2024

Grid Dynamics announced the launch of its developer portal.

December 10, 2024

LTIMindtree announced a strategic partnership with GitHub.