Welcome to Snyk’s annual State of Open Source Security report 2019.

This report is split into several posts:

Or download our lovely handcrafted pdf report which contains all of this information and more in one place.

DOWNLOAD THE STATE OF OPEN SOURCE SECURITY REPORT 2019!

A vulnerability is a vulnerability, whether known or not. The key difference between the two is the likelihood of an attacker to be aware of this vulnerability, and try to exploit it. Therefore, the better known the vulnerability is, the more urgent it is to deal with it.

A known vulnerability might have a CVE ID associated with it as part of a responsible disclosure, or it might just be disclosed on the internet or stored in open databases. These are all types of known vulnerabilities that you should prioritize eliminating as they have a higher chance of being attacked in production. After these, vulnerabilities that are captured in closed vulnerability databases or even shared in the dark web should be considered.

Vulnerabilities are found at an increasing pace, nearly doubling in the last 2 years

Today, we’re witnessing an increase in the number of vulnerabilities reported across many of the ecosystems that we track, including PHP Packagist, Maven Central Repository, Golang, npm, NuGet, RubyGems, and PyPI.

In 2017, we saw a 43% increase of vulnerabilities reported across all registries, and in 2018 the vulnerability count grew by a further 33%.

When examining the five different ecosystems: PHP, Java, JavaScript, Python and Go, we see an increasing trend in the number of vulnerabilities disclosed across all of them since 2014.

We may see further growth in numbers from 2018 due to undisclosed vulnerabilities that will only be publicized later this year, further amplifying the direction of this trend.

In 2018, new disclosures for npm grew by 47%, and Maven Central grew by 27%

In 2018 vulnerabilities disclosed for PHP Packagist grew by a staggering 56%, and for Maven Central, disclosures increased by 27%. Although Golang is a smaller ecosystem, it has growing security research and reported 52% new vulnerabilities in 2018 over 2017.

Looking back at the data from 2014 in Snyk’s vulnerability database, we see a strong overall increase in the number of vulnerabilities across the board.

Today, we track 1766 vulnerabilities in the Maven Central Repository, 1268 in npm, 746 in PHP Packagist, 807 in PyPI, and 94 in Golang.

Since 2014, the number of vulnerabilities in the Snyk database has increased by an astonishing 371%, with npm vulnerabilities increasing by an incredible 954% and Maven Central vulnerabilities increasing by 346%.

Since 2014, the number of vulnerabilities in Snyk’s database for npm grew by 954% and for Maven Central by 346%

When we look at vulnerability severity for application libraries disclosed over the last three years across all language ecosystems, 2018 shows a smaller number of high vulnerabilities as compared to the previous year.

However, an interesting insight for both 2017 and 2018 is that there were more high severity vulnerabilities than medium or low vulnerabilities as compared to 2016.

In 2018, the Snyk Security research team responsibly disclosed many instances of a vulnerability dubbed Zip Slip, a widespread arbitrary file overwrite critical vulnerability. It can be exploited using a specially crafted archive that holds directory traversal filenames and typically results in remote command execution.

It was discovered and responsibly disclosed by the Snyk Security team ahead of a public disclosure on 5th June 2018, and affects thousands of projects, including ones from HP, Amazon, Apache, Pivotal, and many others.

The research that spanned various ecosystems uncovered tens of vulnerabilities in libraries such as Apache Ant, adm-zip, SharpCompress and others used by thousands of projects for Java, npm, NuGet, Go, .NET, Ruby, Python and C++. Almost half of them were found to be of high severity.

When we discovered the first instance of the Zip Slip vulnerability in a big project, it was very exciting. It was our eureka moment, but when we discovered that every other application had a vulnerable implementation, we were extremely surprised. We realised that this vulnerability wasn’t just affecting a few apps, but loads of projects across ecosystems. — Danny Grander, Snyk CSO

It is common for security teams to keep track of, and to react to, new vulnerabilities as they are disclosed through the National Vulnerabilities Database (NVD), or other public CVE repositories.

However, a good number of security vulnerabilities are discovered and fixed in non-official channels such as through informal communication between maintainers and their users in an issue tracker.

The Snyk database is carefully curated by an internal security analysts team, and tracks vulnerabilities not included in these official sources but mentioned in public locations such as forums or release notes. Using Snyk’s DB as a barometer, we see it uncovers 67% more vulnerabilities than public databases.

In addition to comprehensiveness, CVEs and public databases are often slow to add vulnerabilities. If we look at npm as an example, vulnerabilities only show up in npm audit an average of 92 days after they are captured in Snyk’s DB, and lag behind 72% of the time.

These gaps indicate the CVE system and public open source databases are not currently coping with the pace and volume of open source software vulnerabilities. These mechanisms should be reevaluated, and security conscious organisations should seek out commercial databases for timely and broad coverage.

Continue reading:

DOWNLOAD THE STATE OF OPEN SOURCE SECURITY REPORT 2019!