Lineaje report reveals open source vulnerabilities rise

Lineaje has released a report highlighting vulnerabilities in global software supply chains, focusing on the dependencies of open-source components.

The report, titled "Crossing Boundaries: Breaking Trust," was compiled by Lineaje AI Labs and analysed over seven million open-source packages. It revealed that over 95% of security vulnerabilities originate from open-source package dependencies, with a significant proportion having no known fixes. This finding underscores a critical concern for organisations relying on such software.

According to the report, more than one-third of open-source contributions come from the United States, followed by 13% from Russia, with Canada, the United Kingdom, and China also contributing smaller percentages. This distribution introduces geopolitical risks that organisations must consider, especially given the increasing incidence of nation-state cyberattacks.

Microsoft has estimated that its customers encounter 600 million cyberattacks daily, with nation-state attackers responsible for a significant percentage. The source of code has become crucial for national and economic security as software plays an increasingly vital role in various systems.

In the United States, 20% of open-source contributions are made anonymously, more than twice the rate of Russia and three times that of China. Globally, 5-8% of all open-source components are of dubious origin or tampered with, often contributed anonymously, posing potential risks of hidden malware or backdoors.

Geopolitical tensions make excluding all adversarial nations from critical software contributions a considerable challenge. Industries such as defence, water, electricity, banking, and retail face significant software maintenance issues due to contributions from multiple countries.

The Lineaje report further highlights that 70% of open-source components are poorly maintained or unmaintained, and over half of all vulnerabilities have no known fixes. Surprisingly, unmaintained components are less vulnerable than well-maintained ones, which change more frequently and thus pose greater risks.

Open-source projects often contain layers of dependencies, complicating risk assessment and remediation efforts. More than 15% of open-source components exist in multiple versions within a single application, contributing to these challenges.

The diversity of coding languages also introduces risks. A typical mid-sized application can involve 1.4 million lines of code across 139 languages, increasing the use of risky memory-unsafe languages.

Team sizes impact the risk levels of open-source projects, with both very small and very large teams delivering more risky packages compared to mid-sized teams. Small teams with under ten members provide 330% more risky projects, while larger teams exceed 40% more risk.

Javed Hasan, CEO and co-founder of Lineaje, stated, "Open-source software is a complex web of dependencies originating from around the world, often extending 30 levels deep or more. This latest Lineaje AI Labs research proves that organisations are completely blind when it comes to understanding the true composition of their open-source code and its origins, putting them at serious risk."

Manish Gaur, Director of Product Security at VMWare by Broadcom, commented, "Open-source projects enable industry-transforming product innovation for entrepreneurs, government agencies, and companies around the world. However, with great innovation comes even greater risks, but that doesn't mean the risks aren't worth taking."