A staggering 95% of all vulnerabilities are found in transitive dependencies – open source code packages that are not selected by developers, but indirectly pulled into projects, according to Endor Labs’ first report from Station 9. The State Of Dependency Management offers an unprecedented view into the rampant but often unmonitored use of existing open source software in application development, and the dangers arising from this common practice.
The new report from Station 9 offers a comprehensive analysis of the complexities underlying the reliance on open source software, and reveals how traditional methods of vulnerability remediation require far greater examination.
The problem isn’t necessarily the widespread use of existing open source code in new applications; it is that only a small sampling of these software dependencies are actually selected by the developers involved. The rest are “transitive” or indirect dependencies automatically pulled into the codebase. This sets the stage for significant vulnerabilities, both potential and already identifiable, that affect security and development teams in equal measure.
Among other findings, the report reveals:
- The vast majority of all vulnerabilities, 95%, are indeed found in transitive dependencies, making it very difficult for developers to assess the true impact of these issues, or whether they’re even reachable.
- A comparison between the two most popular community initiatives to identify critical projects – Census II and OpenSSF Criticality Scores – reveals that determining criticality is far from simple. In fact, 75% of the packages in Census II have a Criticality Score of less than 0.64; organizations have to decide for themselves which open source projects are critical.
- Dependency confusion has been a major enabler for attackers in recent supply chain attacks, while the risk indicators covered in widely used initiatives typically can’t flag these attacks.
- Trouble ahead – 50% of the most used Census II packages didn’t have a release in 2022, and 30% had their latest release before 2018 – these can cause serious security and operational issues in the future.
- New does not mean secure – When upgrading to the latest version of a package, there’s still a 32% chance it will have known vulnerabilities.
- Reachability is the most important criterion when prioritizing; prioritizing on the basis of security metrics alone (such as CVSS scores), or ignoring vulnerabilities in test dependencies, reduces the likelihood of a vulnerability by only 20%.
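As an added illustration (not code from the report or from Endor Labs), the following Python builds a small dependency graph and call graph and tags each finding as direct or transitive and as reachable or not, the two distinctions the findings above turn on. All package names, function names and vulnerability ids are constructed placeholders.

```python
from collections import deque
# Constructed dependency graph (package -> dependencies). Only the edges out of
# "app" were chosen by developers; everything deeper is transitive.
DEP_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-core", "template-engine"],
    "http-core": ["url-parser"],
    "template-engine": [], "json-lib": [], "url-parser": [],
}
# Constructed call graph (function -> callees); a vulnerable function is reachable only via a call path from the entry point.
CALL_GRAPH = {
    "app.main": ["web-framework.serve", "json-lib.parse"],
    "web-framework.serve": ["http-core.handle"],
    "http-core.handle": ["url-parser.parse_path"],
    "template-engine.render": ["template-engine.eval_expr"],
}
# Constructed findings with placeholder ids (not real CVE numbers).
VULNS = [
    {"id": "VULN-0001", "package": "url-parser", "function": "url-parser.parse_path"},
    {"id": "VULN-0002", "package": "template-engine", "function": "template-engine.eval_expr"},
    {"id": "VULN-0003", "package": "json-lib", "function": "json-lib.parse"},
]

def dependency_depths(graph, root="app"):
    """BFS from the root: depth 1 is a direct dependency, depth > 1 transitive."""
    depths, queue = {root: 0}, deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in graph.get(pkg, []):
            if dep not in depths:
                depths[dep] = depths[pkg] + 1
                queue.append(dep)
    return depths

def reachable_functions(call_graph, entry="app.main"):
    """Every function transitively callable from the application entry point."""
    seen, stack = set(), [entry]
    while stack:
        fn = stack.pop()
        if fn not in seen:
            seen.add(fn)
            stack.extend(call_graph.get(fn, []))
    return seen

def triage(vulns, graph=DEP_GRAPH, call_graph=CALL_GRAPH):
    """Tag each finding as direct/transitive and reachable/unreachable, reachable first."""
    depths, reachable = dependency_depths(graph), reachable_functions(call_graph)
    tagged = [{**v, "depth": depths.get(v["package"]),
               "transitive": depths.get(v["package"], 0) > 1,
               "reachable": v["function"] in reachable} for v in vulns]
    return sorted(tagged, key=lambda f: not f["reachable"])
```

In this constructed case two of the three findings sit in transitive packages, and one of those is never reached from the application, which is the kind of distinction a plain CVSS ranking cannot make.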
Dedicated to identifying vulnerabilities in the software supply chain and to finding potential solutions, Station 9 includes Georgios Gousios, who oversees software analysis, and Henrik Plate, who leads security research.