The Linux Foundation, in collaboration with the Laboratory for Innovation Science at Harvard, has unveiled a comprehensive study, “Census III of Free and Open Source Software – Application Libraries (Census III).” The report identifies the most widely used free and open-source software (FOSS) application libraries and highlights the ongoing significance of collaboration within the open-source ecosystem.
Drawing on over 12 million observations of FOSS libraries across production applications at more than 10,000 companies, Census III is the most extensive study of its kind to date. It highlights critical trends shaping the open source landscape and offers a detailed examination of the ecosystem’s value and security challenges.
The study was conducted with support from Harvard University and leading Software Composition Analysis (SCA) organizations, including Black Duck, FOSSA, Snyk, and Sonatype. This collaboration represents a milestone in advancing open-source research, providing valuable insights into the security and development of open-source software.
Key Findings:
The report provides a detailed analysis of trends and challenges shaping the open source software (OSS) ecosystem, highlighting critical areas for attention and growth:
- The Rising Adoption of Cloud Service-Specific Packages: The use of cloud service-specific packages is increasing, with high-ranking components that did not rank in Census II.
- A Transition from Python 2 to Python 3: There is an ongoing transition from Python 2 to Python 3, demonstrating the challenges of transitioning to new versions of software with incompatibilities.
- The Dominance of Maven, NuGet, and Python Packages: Maven packages continue to be widely used, and there is an increased prevalence of NuGet and Python packages.
- An Increased Adoption of Rust Components: Use of components from Rust package repositories has increased considerably since Census II, signaling an industry response to memory safety vulnerabilities.
- Efforts to Standardize Naming Schemas: There are promising efforts to implement a standardized naming schema for software components, which would improve supply chain security and future census efforts.
- Security Risks in Individual Developer Accounts: Many of the top packages are hosted under individual developer accounts, which often have fewer protections and less granularity than organizational accounts.
- The Persistence of Legacy Software: Legacy software persists in the open source space, making its security as important as that of the packages meant to replace it.
Top-ranking OSS Packages Across Ecosystems
The study identified widely-used packages across different ecosystems:
- For npm (direct, version-agnostic), react-dom topped the list.
- For non-npm (direct, version-agnostic), the Maven package org.springframework.boot:spring-boot-starter-web ranked highest.
- For non-npm (direct & indirect, version-agnostic), the Go package github.com/googleapis/google-cloud-go led usage.
- Log4j-core, a notable library due to previous vulnerabilities, ranked #51 in the non-npm, direct, version-agnostic category, underscoring its continued prevalence despite security concerns.
Concentration of Development Effort
Among the top 50 non-npm projects, 17% are maintained by a single developer and 40% by one or two developers, collectively accounting for over 80% of commits. This concentration reveals the reliance on a small number of contributors to sustain critical software, raising concerns about these projects’ long-term sustainability and security.
These findings stress the need for increased investment in open-source security, contributor support, and supply chain transparency to safeguard the future of the OSS ecosystem.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.