Dependency problems increase for open-source components
The average software application depends on more than 500 open source libraries and components, up 77% from 298 dependencies in two years, highlighting the difficulty of tracking the vulnerabilities in every software component, according to a new report from software management firm Synopsys.
In its “Open Source Security and Risk Analysis” (OSSRA) report, the company states it found that 98% of applications used open source and that open source libraries and components made up more than 75% of the code in the average software application. Most applications, 84%, had at least one vulnerability — the typical application had 158 vulnerabilities — and 60% of applications had at least one high-severity issue.
The data underscores that modern software applications have a dependency problem, says Tim Mackey, principal security strategist with Synopsys.
“We need to find a way to get [unpatched vulnerabilities] under control because we are headed in the wrong direction,” he says. “This sort of complexity breeds fragility because complexity means that the developer teams don’t necessarily have an understanding of the way that code is behaving today, and whenever that happens, then there might be corner cases where they might get bit.”
Open source dependencies have become an increasing problem, especially for JavaScript application frameworks, which — because of the language’s approach to software architecture — tend to rely on an order of magnitude more components. In an analysis of more than 45,000 active repositories last year, for example, GitHub found that while the average JavaScript application has 10 direct dependencies, those components rely on other libraries, which results in a tree of dependencies that grows to a massive 683 separate codebases. PHP applications typically have 70 dependencies and Ruby has 68, according to the GitHub report.
Synopsys found a similar number of dependencies. While the company did not break out the numbers by language or platform, the average application audited by the firm had 528 dependencies, according to Mackey.
“To fix an open source vulnerability, you first have to know the vulnerability is there,” the company states in the OSSRA report. “Pinpointing vulnerable open source depends on identifying and inventorying all open source you’re using.”
To read the complete article, visit Dark Reading.