Sonatype’s annual analysis highlights a decline in open source project maintenance and reveals that 1 in 8 downloads carry known risks.
A recent report highlights significant challenges in the open source software landscape, revealing that only a small fraction of projects are actively maintained. Sonatype’s 9th Annual State of the Software Supply Chain report, released on October 3, analyzed nearly 1.2 million open source projects across major ecosystems and found that just 11% were receiving active maintenance. This represents an 18% decline compared to the previous year.
The report, which includes data from JavaScript (NPM), Java (Maven), Python (PyPI), .NET (NuGet), and some Go projects, reveals a troubling trend. It notes that 18.6% of Java and JavaScript projects that were actively maintained in 2022 are no longer receiving updates. This decline in active maintenance raises concerns about the longevity and reliability of many open source projects.
Sonatype’s findings also underscore the importance of consistent maintenance for software security. Projects that are regularly updated are more likely to adhere to critical security best practices compared to their unmaintained counterparts. The report incorporates data from over 400 billion Maven Central downloads and survey responses from 621 engineering professionals, offering a comprehensive view of current trends.
Additional insights from the report include that 67% of surveyed professionals did not believe their applications relied on libraries with known vulnerabilities, although nearly 10% reported experiencing security breaches due to open source vulnerabilities within the past year. The report also highlights that the time taken to discover and mitigate vulnerabilities varies significantly, with 39% of organizations taking more than a week to address issues.
Moreover, the use of AI and machine learning components in corporate environments has surged by 135% over the last year, reflecting a growing trend in technology adoption. Despite this, one in eight open source downloads was found to have a known risk, although 96% of these vulnerable releases had a fixed version available.
Overall, the report indicates a slowdown in the rate of growth in open source consumption over the past two years, signaling a need for improved maintenance practices and more robust security measures in the open source community.