Use of vulnerable open source components has doubled over the last year despite their role in the high profile Equifax mega-breach.

Sonatype’s fourth annual Software Supply Chain Report, published on Tuesday (available here, registration required), revealed a 120 per cent rise in the use of vulnerable open source components over the last 12 months.

Click to enlarge

Miscreants have even started to inject (or mainline) vulnerabilities directly into open source projects, according to Sonatype, which cited 11 recent examples of this type of malfeasance in its study.

El Reg has reported on several such incidents including a code hack on open-source utility eslint-scope back in July.

Several of the problems listed by Sonatype involved messing around with NPM, a utility used by JavaScript projects to install dependencies.

The software tools firm estimated 1.3 million vulnerabilities in open source software components were not logged in the publicly maintained NVD database, meaning that no related CVE advisory exist. This, in turn, make bugs harder to triage.

Sonatype estimated the average enterprise downloads 170,000 open source components a year of which as many as one in eight are vulnerable in some way or another. This is becoming even more of a problem because the average time before a software vulnerability gets exploited is also dropping to as little as three days, according to Sonatype.

The time lag between vulnerability to exploit is shrinking fast

The Equifax breach last year was blamed on a long missed Apache Struts update. The oversight had monumental consequences. A debate on the security dependancies of software supply chains was spawned through the incident.

Vulnerable Apache Struts download rate barely affected by Equifax megabreach, reports Sonatype

These discussions are yet to shift things in the real world where organisations are still downloading vulnerable versions of the Apache Struts framework at much the same rate as before the Equifax data breach, at around 80,000 downloads per month.

Downloads of buggy versions of another popular web application framework called Spring were also little changed since a September 2017 vulnerability, Sonatype added. The 85,000 average in September 2017 has declined only 15 per cent to 72,000 over the last 12 months.

Sonatype's report was based on the analysis of a broad mix of open source (public) data and proprietary information collected by the software automation vendor. The firm unsurprisingly argued that applying automation across the software development lifecycle and introducing DevOps best practices can reduce breach exposure by helping to weed out vulnerable software components before they are put into production systems.

Derek Weeks, VP at Sonatype, said it was "discouraging" to see the percentage of vulnerable component downloads increasing whilst expressing sympathy for developers.

"Today, it is difficult for developers to know if they are downloading open source components with known vulnerabilities like Struts," Weeks told El Reg. "Free downloads of components take milliseconds and no information is actively passed to the developer during that effort about known vulnerabilities. It is the equivalent of shopping in a huge supermarket full of tasty products that have no food labels or expiration dates. Without data about component quality and security surfaced quickly to developers, they are effectively shopping blindfolded.

"In this day and age, manual research and reviews could not keep pace with the volume of open source component consumption," he added. ®