When you think of important open-source projects you almost certainly recall Linux, the Apache Web Server, LibreOffice, and so on. And, that’s true. These are vital, but beneath these are the critical software libraries that empower hundreds of thousands of other programs. These are far less well known. That’s why the Harvard Laboratory for Innovation Science (LISH) and the Linux Foundation’s Open Source Security Foundation (OpenSSF) recently put together a comprehensive survey, Census II of Free and Open Source Software – Application Libraries, of these under-the-hood critical programs.
This is the second such study. The first, 2020’s “Vulnerabilities in the Core,” a preliminary report and Census II of open-source software, focused on the lower-level critical operating system libraries and utilities. This new report aggregates data from over half a million observations of free and open-source (FOSS) libraries used in production applications at thousands of companies.
The data for this report came from the Software Composition Analysis (SCA) scans of codebases of thousands of companies. This data was provided by Snyk, the Synopsys Cybersecurity Research Center (CyRC), and FOSSA.
The purpose of this, besides simply wanting to know which were indeed the most popular open-source application libraries, packages, and components, is to help secure these projects. Until you know what’s important, you can’t know what you need to secure first.
For example, the heretofore relatively unknown log4j logging package became a massive security problem when the Log4Shell zero-day was revealed. Jen