Chart of the Week

OCT 2023: VOLUME 2

Fixed vs Unfixed Vulnerabilities Distribution in Open-Source Software

The Data

Based on Lineaje AI Labs research, the majority of vulnerabilities in open-source software are not fixed by open-source developers. Lineaje AI Labs analyzed 121,443 open-source projects and discovered 118,573 vulnerabilities in them. The saving grace is that these vulnerabilities are not evenly distributed across dependencies.

The Implication

  • Select well-managed open-source dependencies that themselves have well-managed open-source dependencies: The reputation of your direct open-source dependency matters little if its own supply chain consists of badly maintained components. Assess the entire supply chain, not just your direct dependencies, to ensure you ship secure software.
  • Good innovators are not necessarily good maintainers: The most innovative projects are not always the best maintained. It is highly likely that your open-source dependencies meet your innovation goals but fail miserably to meet your software maintainability goals.