The Data

Based on Lineaje AI Labs research the majority of vulnerabilities in open-source are not fixed by open source developers. Lineaje AI labs analyzed 121,443 open-source projects and discovered 118,573 vulnerabilities in them. The saving grace is that vulnerabilities are not evenly distributed across dependencies.

‍

The Implication

• Inherited Vulnerabilities: With packages being reused multiple times within a single project, a single compromised package must be patched multiple times for each instance of the component.
• Direct vs Transitive: The same dependency may exist as both a direct component and a transitive component necessitating different patching approaches.
  
• Reachability: The reuse of packages within a project can lead to intricate dependency chains. Reachability has to consider all possible usages of the same package.