It is estimated that Free and Open Source Software (FOSS) constitutes nearly 80-90% of any given piece of modern software. All sectors (public/private/tech/non-tech) have heavy reliance on software. It is imperative then to ensure health and security of open source software.
Linux Foundation founded the Core Infrastructure Initiative (CII) back in 2014. CII members provided funding and support for FOSS projects critical to global information infrastructure. In 2015, CII conducted Census I project to identify which software packages in the Linux distribution were the most critical to the kernel’s operation and security. A more recent Census II report provides a more complete picture of FOSS usage by analyzing usage data provided by partner Software Composition Analysis (SCA) companies.
Here are the key goals of Census II project:
- Identify the most commonly used free and open source software components in production applications
- Examine for potential vulnerabilities in these projects due to:
- Widespread use of outdated versions
- Understaffed projects
- Known security vulnerabilities
- Use this information to prioritize investments / resources to support the security and health of FOSS projects
The preliminary results are available in the form of two lists as below:
- Ten most used packages – Given the current popularity of JavaScript, it is no wonder that all these ten most used packages are JS ones. Refer to Appendix A.
- Ten most used non-JavaScript packages – This list was prepared since the first one contained mostly JavaScript packages. However, the second list experiences a similar problem as Java packages dominate all others. Refer to Appendix B.
We used ThreatWatch to assess these most used open source projects for vulnerabilities and our observations are as follows:
- Top 10 most used packages (mostly npm / JS)
- Top 10 non-JS most used packages (mostly maven / Java)
- Over 40 vulnerabilities were discovered
- Around 40 of these vulnerabilities were severe or above
- Top packages with most vulnerabilities were: logback-core, slf4j
If we relook at the key goals of CII, it is important to note that Free and Open Source Software (FOSS) projects are examined for potential vulnerabilities due to:
- Widespread use of outdated versions
- Known security vulnerabilities.
By adding ThreatWatch to your CI/CD DevOps pipeline, you can address the above two points as below:
- Generate a Software Bill of Materials report. It is important to note that there are regulations planned in the US which would require all industries in public/private sector to provide a Software Bill of Materials to delineate the composition of their software systems.
- Identify any outdated versions being used
- Generate detailed report of security vulnerabilities in FOSS component used along with exploit/patch/remediation information.
In addition ThreatWatch is extremely developer friendly and will allow you to:
- Study Software Composition Analysis (SCA) for your software and identify an license compliance issues
- Fail the build (and CI/CD DevOps pipeline) for any policy violations
- Identify any secrets embedded in your code.
For more details, write to us at info@threatwatch.io
Appendix A – Ten most used packages
- async: For writing asynchronous JavaScript.
- inherits: For implementing inheritance.
- isarray: Array testing for older browsers.
- kind-of: Get the native type designation of a JavaScript value.
- lodash: A utility library.
- minimist: For parsing argument options.
- natives: Provides access to Node.js’s native JavaScript modules.
- qs: A query string parsing and stringifying library.
- readable-stream: Node.js core streams module.
- string_decoder: Node-core string_decoder module.
Appendix B – Ten most used non-JavaScript packages
- com.fasterxml.jackson.core:jackson-core: Part of Jackson, a JSON processor.
- com.fasterxml.jackson.core:jackson-databind: A data-binding package for Jackson (2.x).
- com.google.guava:guava: Google core libraries for Java.
- commons-codec: Apache Commons-Codec encoding software.
- commons-io: A library of utilities for IO operations.
- httpcomponents-client: Low-level Java components focused on HTTP.
- httpcomponents-core: Low-level Java components focused on HTTP.
- logback-core: A Java logging framework.
- org.apache.commons:commons-lang3: A package of Java utility classes.
- slf4j: A Java logging framework abstraction.