A majority of developers never update third-party open source libraries after including them in a code base, a new report has found.
Compiled by application security company Veracode, the report is based on an analysis of 13 million scans from over 86,000 repositories, with a total of over 301,000 unique open source libraries.
Based on its analysis, Veracode found that almost all of the repositories scanned include libraries with at least one vulnerability.
“The security of a library can change quickly, so keeping an up-to-date inventory of what’s in your application is crucial. We’ve found that once developers choose a library, they rarely update it. With suppliers facing the scrutiny of their supply chain security, there is simply no way to justify a ‘set it and forget it’ mentality,” said Chris Eng, research director at Veracode.
Veracode argues that since nearly all modern applications are built using open source third-party software, a single flaw in a library can quickly spill over into all applications using that code.
The report reveals that a large majority (92%) of vulnerabilities in open source libraries can be fixed with an update, most of which (69%) require only a minor update.
Moreover, even when an update results in additional updates, almost two-thirds of them will be only a minor version change and are unlikely to break the functionality of even the most complex applications.
The report’s revelations add color to the recent US presidential executive order that requires vendors providing software solutions to US government agencies to supply a software bill of materials (SBOM), to ensure the security of the entire code base.
Eng emphasizes that it is essential for developers to keep libraries up to date and react quickly to new vulnerabilities as they are discovered to ensure security throughout the software supply chain.