In a recent report (The Dark Reality of Open Source – Through the Lens of Threat and Vulnerability Management), RiskSense examined 50 open source software projects and found that the number of Common Vulnerabilities and Exposures (CVEs) rose from 421 in 2018 to 968 in 2019.
A significant rise in increases was seen in the GitLab and Jenkins projects, as well as Magento, an e-commerce platform. GitLab’s vulnerabilities, according to the report, increased from 40 to 198 from 2018 to 2019, Jenkins jumped from 120 to 329 CVEs, while Magento went from zero to 137. Other projects, including Hive, Puppet, and Red Hat OpenShift, showed a decreased number of CVEs in the same time frame.
Note that the report intentionally excluded Linux and its derivatives from examination, saying, “While Linux vulnerabilities are obviously significant, they have been well documented in other analysis, and our goal was to focus on more recent, smaller projects.”
The report also noted that in certain cases vulnerabilities take a long time to be added to the U.S. National Vulnerability Database (NVD), which is a critical resource for recording vulnerabilities that also includes security checklist resources, known software flaws, and impact metrics. According to the report, “The NVD lag observed in the OSS dataset was exceptionally high, with the average lag being 54 days.” The longest observed delay (recorded for a critical PostgreSQL vulnerability) was 1,817 days. Such latency in reporting critical issues can undermine trust in a project’s openness and transparency.
The full report is available from RiskSense.
Comments