UPDATED 09:00 EDT / OCTOBER 10 2024

SECURITY

Sonatype report: Open-source software reaches 6.6T requests and security risks escalate

A new report out today from Sonatype Inc. has revealed that open-source software adoption is at a multitrillion-request scale, with ecosystems such as JavaScript and Python leading the charge.

The details come from Sonatype’s 10th Annual State of the Software Supply Chain report, based on data from more than 7 million open-source projects, which found that open-source consumption has exploded, with estimates placing this year’s downloads at over 6.6 trillion. Open-source components were found to make up as much as 90% of modern software applications, bringing both unprecedented innovation and complex challenges for the software supply chain.

The massive growth in requests headed the findings: JavaScript (npm) led the list with 4.5 trillion requests, up 70% year-over-year, followed by Python (PyPI) with 530 billion package requests, up 87% year-over-year. The growth is attributed to artificial intelligence and cloud adoption, alongside an increase in spam and malicious packages.

The rise in open-source popularity was accompanied by a massive increase in security threats. Sonatype identified 512,847 malicious packages in the last year, up a whopping 156% year-over-year. The report warns that open-source malware is now a critical challenge, complicated by traditional security tools often being unable to detect these “next-generation attacks.”

Persistent vulnerabilities also get a look in. The report noted that 95% of vulnerable OSS components had newer, secure versions available, yet organizations failed to update them. The report highlights that 13% of Log4j downloads still include vulnerable versions, almost three years after the vulnerability was publicly exposed.

Vulnerabilities were also found to take longer to fix, with some critical vulnerabilities taking over 500 days to address in 2024. The report attributes the delay to capacity strain on open-source maintainers.

While tools are available to reduce these risks, many companies were found not to be using them, and adoption of software bills of materials remains low. An SBOM is a detailed, structured list of all components, libraries and dependencies in a software application, providing the transparency and traceability needed to identify and mitigate security risks. The report found that only 60,000 SBOMs were published in the last 12 months, versus nearly 7 million open-source components released during the same period.

In a similar vein, the report also notes that many organizations continue to be complacent in their risk mitigation. An estimated 80% of application dependencies have not been upgraded for over a year, even though safer alternatives are often available, suggesting that it’s not just a lack of awareness but an operational challenge that’s leaving software vulnerable.
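The two gaps described above, vulnerable versions that stay in use long after a fix ships and the SBOM as the inventory that would expose them, meet in a check like the following. It is an added example, not Sonatype's tooling or code from the report: it reads a constructed SBOM in the CycloneDX JSON shape (bomFormat, components carrying name, version and purl), matches each component's version-less purl against a constructed advisory table, and flags versions inside an affected range. The log4j-core range (>=2.0-beta9, <2.17.1) is an assumption for illustration and is not taken from the report; a real check would load ranges from an advisory feed rather than hard-code them.

```python
"""Match the components listed in an SBOM against an advisory table.

Added example, not code from Sonatype or from the article. The SBOM, the
advisory table and the version range it uses are constructed for illustration.
"""
import json
import re

# Constructed SBOM in the CycloneDX JSON shape (only the fields this check reads).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1?type=jar"},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1?type=jar"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "vendored-blob"},  # no version, no purl: cannot be matched
    ],
})

# Constructed advisory table keyed by version-less purl. ASSUMPTION for this
# example only: log4j-core from 2.0-beta9 up to but excluding 2.17.1 is treated
# as affected. A real check would pull these ranges from an advisory feed.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"affected": ">=2.0-beta9,<2.17.1", "fixed": "2.17.1"},
    ],
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)\.?(\d*))?$")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable key.

    Trailing zeros are dropped so 2.17 == 2.17.0, and any alphabetic suffix is
    treated as a pre-release that sorts below the plain release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    pre = (0, m.group(2).lower(), int(m.group(3) or 0)) if m.group(2) else (1,)
    return (tuple(nums), pre)


def in_range(version, spec):
    """True if version satisfies every comma-separated clause, e.g. '>=2.0-beta9,<2.17.1'."""
    key = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"^(<=|>=|==|<|>)\s*(\S+)$", clause.strip())
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not _OPS[m.group(1)](key, parse_version(m.group(2))):
            return False
    return True


def purl_base(purl):
    """Drop version, qualifiers and subpath from a purl, keeping 'pkg:type/namespace/name'.

    The version is the text after the last '@'; an '@' that starts a namespace
    (npm's '@types') is followed by a '/', so it is left alone.
    """
    s = purl.split("?", 1)[0].split("#", 1)[0]
    head, sep, tail = s.rpartition("@")
    return head if sep and "/" not in tail else s


def check_sbom(sbom_json, advisories):
    """Return (findings, unresolved): one finding per component inside an affected
    range, plus the names of components that lack a purl/version or have a version
    the parser cannot read, so they are never silently passed."""
    bom = json.loads(sbom_json)
    findings, unresolved = [], []
    for comp in bom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            unresolved.append(comp.get("name", "<unnamed>"))
            continue
        for adv in advisories.get(purl_base(purl), []):
            try:
                hit = in_range(version, adv["affected"])
            except ValueError:
                unresolved.append(f"{comp.get('name')}@{version}")
                break
            if hit:
                findings.append({"name": comp["name"], "version": version, "fixed": adv["fixed"]})
    return findings, unresolved


if __name__ == "__main__":
    hits, skipped = check_sbom(SAMPLE_SBOM, ADVISORIES)
    for f in hits:
        print(f"VULNERABLE {f['name']} {f['version']} -> upgrade to {f['fixed']}")
    for name in skipped:
        print(f"UNRESOLVED {name} (no purl/version, or version not parseable)")
```

Matching on the version-less purl rather than on the bare component name is deliberate: two ecosystems can ship packages with the same name, and the purl type and namespace keep them apart. Components the check cannot resolve are reported rather than dropped, since an SBOM entry without a version is exactly the kind of blind spot the report describes.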

Tyler Warden, senior vice president of product at Sonatype, and Brian Fox, co-founder and chief technology officer, spoke with theCUBE, SiliconANGLE Media’s livestreaming studio, in March, when they discussed the growing importance of SBOM in protecting software supply chains.

Image: SiliconANGLE/Ideogram
