We are already deep into Q1 2020, and we thought it would be a good time to take a look at some of the data we’ve already gathered this year to learn about the new open source security vulnerabilities published in February, what we should look out for, and how the community is addressing the newest challenges.

Our research team took a deep dive into the WhiteSource database to learn about the new open source security vulnerabilities published in February so that we could provide you with an updated overview of the latest open source security vulnerabilities out there. The WhiteSource vulnerability database continuously aggregates data about open source vulnerabilities from multiple sources including the National Vulnerability Database (NVD), and additional publicly available, peer-reviewed security advisories and issue trackers in the open source and security communities.

February saw nearly 650 new open source security vulnerabilities published. Over 10% of them were published on community resources outside of the NVD, on various open source community forums, advisories, and issue-trackers. Considering the decentralized nature of the open source community, these figures should come as no surprise. While the NVD database is often the go-to for security experts and developers looking for information about security vulnerabilities, it doesn’t include all of the security vulnerabilities published. Many issues that are reported in various public open source resources aren’t immediately added to the CVE, and can often be added to weeks, months or even years since their initial publication. That’s why when addressing open source security, it’s important to cover multiple community resources, and not rely solely on the NVD.

Open Source Vulnerabilities Severity Breakdown in February

Beyond the overall number of newly published open source security vulnerabilities in February, we also wanted to look at their severity scores.

Looking at the severity distribution of the CVSS v3 scores for new open source security vulnerabilities in February, we found that 58% were either critical or high-severity. With the increasingly rising number of security alerts that development teams are required to address, this distribution is particularly concerning. Teams often look to severity scores to prioritize which issues to address first, and if nearly 60% of all open source security vulnerabilities are scored high and critical, addressing them all is a challenge.

It’s important to remember that while a vulnerability’s severity score should certainly be taken into consideration, there are additional factors that weigh in when attempting to figure out which security vulnerabilities require our immediate attention. Prioritization of open source security vulnerabilities should also include how much actual risk a vulnerability poses to your systems and projects, and how a vulnerable open source component impacts your code.

Top Open Source CWE’s in February

Another aspect that we wanted to take a closer look at in order to better understand which strategies to adopt when addressing open source security is the types of open source vulnerabilities published this month.

The top CWE this month is CWE-79, otherwise known as XSS (cross-site scripting). An XSS vulnerability occurs when an attacker is able to inject malicious script into a web page. This type of attack allows a hacker to access a wide variety of user information, like session tokens, cookies, and potentially any other type of information that the user provided to a presumably trustworthy website.

Number five in February’s top open source CWE’s list is CWE-74, which is the “parent” of CWE-79 (XSS), and therefore more abstracted. CWE-74 describes a general Injection weakness, not necessarily a script, and not necessarily related to a web page or site. CWE-74 occurs as a result of lack of input sanitation of a special element, like a comment section in a blog post, a URL, user authentication, or files parser. This CWE-74 can only be associated with a vulnerability if the vulnerability can’t be linked to one of its many children, for example, XSS, SQL Injection, Command Injection, Code Injection, and others.

Programming Languages and New Open Source Vulnerabilities in February

Since open source security starts with secure coding, we also wanted to check which programming languages saw the most open source vulnerabilities published in February.