Making the case with data: why software supply chain security matters

Key points:

  • 84% of codebases contained at least one publicly known open source vulnerability, up 9 percentage points from 75% in 2019
  • 60% of codebases contained high-risk open source vulnerabilities, a sharp rise of 11 percentage points from 49% in 2019
  • Each codebase contained 158 vulnerabilities on average
  • 65% of codebases contained open source code with license conflicts
  • 91% of the audited codebases contained open source dependencies that had not been updated in the past two years; 85% contained open source dependencies at least four years out of date
  • 75% of the code was open source
  • In the finance, energy, healthcare, IoT, marketing technology, e-commerce, Internet of Vehicles and logistics sectors, more than 60% of companies had open source vulnerabilities in their codebases
  • Original text:

    Of the more than 1,500 codebases audited by the Black Duck Audit Services team in 2020, 84% contained at least one publicly known open source vulnerability, up 9 percentage points from 75% in 2019 and the second-largest increase since 2017. Likewise, the percentage of codebases containing high-risk open source vulnerabilities rose to 60% in 2020, a sharp increase of 11 points from 49% in 2019. "High risk" means the vulnerability has been actively exploited, has a documented proof-of-concept exploit, or is classified as remote code execution. Several of the top ten open source vulnerabilities found in codebases in 2019 were found again in the 2020 audits, and the percentage of codebases containing each of them rose significantly.

    100% of the audited marketing technology companies (including lead generation, CRM and social media) had open source code in their codebases, and 95% of the marketing technology codebases contained open source vulnerabilities. 71% of the audited retail and e-commerce codebases contained vulnerabilities. More than 60% of the financial services/fintech and healthcare codebases contained open source vulnerabilities.

    The Black Duck Audit Services team found that 65% of the codebases audited in 2020 contained open source code with license conflicts, slightly fewer than in 2019. Of the codebases with license conflicts, nearly three quarters involved a conflict with some version of the GNU General Public License. 26% of the audited codebases used open source code with no license or with a custom license. Whether a codebase that uses custom open source licenses has potential IP or other legal issues can only be determined after evaluation.

    Open source sustainability: of the more than 1,500 codebases audited by the Black Duck Audit Services team in 2020, fully 91% used open source dependencies with no development activity in the past two years, meaning that 91% of the audited codebases contained dependencies that had received no feature upgrades, code improvements or security fixes in that period. 85% of the codebases audited in 2020 contained open source dependencies at least four years out of date. In other words, the open source libraries in use are not the latest versions, and are often very old ones. As noted above, development teams clearly struggle to keep their open source dependencies current.

    Key points:

  • Across the four major open source ecosystems, as of July 2021 there were 431k Java projects, 19k JavaScript projects, 336k Python projects and 338k .NET projects
  • Open source supply is accelerating: global open source supply grew 20% year over year
  • Open source demand is exploding: component downloads grew 73% year over year
  • Supply chain attacks are growing exponentially: in 2021 software supply chain attacks worldwide increased by 650%
  • Open source vulnerabilities are most pervasive in popular projects: 29% of popular projects contain at least one known security vulnerability
  • Original text:

    Open source supply is accelerating. The top four open source ecosystems released a combined 6,302,733 new versions and introduced 723,570 brand new projects. Collectively, these communities now contain a combined 37,451,682 different versions of components, representing a 20% year over year (YoY) growth in global supply of open source.

    Open source demand is exploding. In 2021 developers around the world will request more than 2.2 trillion open source packages from these same four ecosystems, representing a 73% YoY growth in developer downloads of open source components. Despite the growing volume of downloads, the percentage of available components utilized in production applications is shockingly low.

    Supply chain attacks are increasing exponentially. In 2021 the world witnessed a 650% increase in software supply chain attacks, aimed at exploiting weaknesses in upstream open source ecosystems. For perspective, the same statistic was 430% in the 2020 version of the report.

    Open source vulnerabilities are most pervasive in popular projects. 29% of popular projects contain at least one known security vulnerability. Conversely, only 6.5% of non-popular projects do so. This dichotomy suggests that the vast majority of security research (blackhat and whitehat) is focused on finding and reporting vulnerabilities in projects that are most commonly utilized.

    Key points:

  • 9,658 open source software vulnerabilities were published in 2020, an increase of more than 50%
  • More than 50% of the new open source vulnerabilities are rated high or critical
  • Original text:

    The Number of Open Source Vulnerabilities Continues to Rise. According to the WhiteSource database, aggregated from the NVD, dozens of security advisories, peer-reviewed vulnerability databases, and popular open source issue trackers, the number of published open source software vulnerabilities in 2020 rose once again, by over 50%.

    Open Source Vulnerabilities in 2020: Severity Breakdown
    The fact that over 50% of new open source security vulnerabilities are rated high or critical doesn’t help security and development teams that rely on severity scores when considering which issues to address first.
    Fixing all issues, or even “only” high and critical issues, is an unrealistic plan for teams that want to keep up with the rapid pace of development.
    Organizations need to leverage prioritization and remediation tools that target the vulnerabilities that will most impact their systems and business if they want to manage their security debt wisely.
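To make the prioritization point concrete, the following Python is an added example; it is not from this page or from any of the quoted reports. It combines three things the page states separately: the Black Duck "high risk" definition quoted above (actively exploited, documented proof-of-concept, or remote code execution), the staleness threshold behind the 91% figure (no upstream release in two years), and the CVSS severity bands, to rank findings so that a fixed remediation budget goes to the most dangerous ones first. The component names, versions, release dates, the audit date and the weighting constants are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Audit date assumed for the staleness check (constructed; the page's own date).
AUDIT_DATE = date(2022, 10, 10)


@dataclass
class Finding:
    """One vulnerable open source component as a scanner would report it."""
    component: str
    version: str
    cvss: float                       # CVSS v3 base score
    exploited: bool = False           # known in-the-wild exploitation
    has_poc: bool = False             # a public proof-of-concept exploit is documented
    rce: bool = False                 # classified as remote code execution
    reachable: bool = True            # our application actually calls the vulnerable code
    last_release: date = AUDIT_DATE   # newest upstream release of the component


def severity_label(cvss: float) -> str:
    """CVSS v3 qualitative rating bands (none/low/medium/high/critical)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def is_high_risk(f: Finding) -> bool:
    """Black Duck's "high risk" definition as quoted on this page."""
    return f.exploited or f.has_poc or f.rce


def is_unmaintained(f: Finding, today: date = AUDIT_DATE, years: int = 2) -> bool:
    """No upstream release within `years`; this is what the 91% figure above counts."""
    return (today - f.last_release).days > 365 * years


def priority(f: Finding, today: date = AUDIT_DATE) -> float:
    """Urgency score, higher first. CVSS is the base; exploitation evidence and an
    unmaintained upstream add fixed bumps (the weights are assumptions); code we never
    call is halved rather than dropped, because reachability analysis can be wrong."""
    score = f.cvss
    if f.exploited:
        score += 3.0
    if f.has_poc:
        score += 2.0
    if f.rce:
        score += 1.5
    if is_unmaintained(f, today):
        score += 1.0   # no upstream fix is coming: replace the component or patch it yourself
    if not f.reachable:
        score *= 0.5
    return score


def triage(findings, today: date = AUDIT_DATE, budget: int = 3):
    """Return the `budget` findings to fix first, most urgent first."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)[:budget]


# Constructed sample input; names, versions and dates are invented for illustration.
SAMPLE = [
    Finding("libfoo", "1.2.0", 9.8, exploited=True, rce=True, last_release=date(2021, 6, 1)),
    Finding("parser-lib", "0.4.1", 7.5, has_poc=True, reachable=False, last_release=date(2016, 3, 1)),
    Finding("old-utils", "2.0.0", 8.1, last_release=date(2015, 1, 1)),
    Finding("tiny-lib", "3.3.3", 5.3, last_release=date(2022, 5, 1)),
]


def fix_first(findings=SAMPLE, budget=2):
    """Names of the components to fix within this sprint's budget."""
    return [f.component for f in triage(findings, AUDIT_DATE, budget)]


if __name__ == "__main__":
    for f in sorted(SAMPLE, key=priority, reverse=True):
        print(f"{priority(f):5.2f}  {f.component:<12} {severity_label(f.cvss):<8}"
              f" high_risk={is_high_risk(f)} unmaintained={is_unmaintained(f)}")
```

Run as a script it prints the ranked list. Note how the ordering differs from a plain CVSS sort: the unmaintained "high" (old-utils) outranks nothing critical here but gets a bump because no fix will arrive upstream, while parser-lib, despite a public PoC, drops to the bottom because the vulnerable code is not reachable from the application. The weights are deliberately simple so a team can tune them to its own environment rather than inherit a vendor's opaque score.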

    Key points:

  • 62% of organizations were impacted by at least one software supply chain attack
  • 54% of respondents said securing the software supply chain is a top or significant focus
  • 24% of respondents ranked the security of open source software containers as their top challenge
  • Original text:

    Supply Chain Attacks Impact 62% of Organizations. A combined 62 percent of respondents were impacted by at least one software supply chain attack during 2021, with 6 percent reporting the attacks as having a significant impact and 25 percent indicating a moderate impact.

    More than half of respondents (54 percent) indicated that securing the software supply chain is a top or significant focus, while an additional 29 percent report that it is somewhat of a focus. This indicates that recent, high-profile attacks have put software supply chain security on the radar for the vast majority of organizations, while very few (3 percent) indicate that it is not a priority at all.

    Open Source is the Top Container Security Challenge. Developers incorporate a significant amount of open source software (OSS) in the containerized applications they build. As a result, the security of OSS containers is ranked as the number one challenge by 24 percent of respondents, with almost half (45 percent) ranking it among their top three challenges. Ranked next was "security of the code we write", with 18 percent of respondents choosing that as their top container security challenge, and "understanding the full SBOM" with 17 percent.

    ① The China National Vulnerability Database (CNVD, http://www.cnvd.org.cn/), the US National Vulnerability Database (https://nvd.nist.gov/), Common Vulnerabilities and Exposures (https://cve.mitre.org/), and others

    ② The 8 mainstream package repositories CocoaPods, Composer, Go, Maven, npm, NuGet, PyPI and RubyGems were the research objects

    Key points:

  • 5,726 new open source vulnerabilities were added in 2020
  • The gap between a PoC being disclosed for an open source vulnerability and its first public appearance in NVD ran as long as 11 years
  • High-severity and above vulnerabilities accounted for 56% in 2020; the share exceeded 40% in every year from 2017 to 2020
  • Vulnerabilities in open source component ecosystems grew 40% year over year in 2020
  • Among the vulnerabilities added in 2020, high-severity vulnerabilities formed the largest share at 1,826; critical vulnerabilities increased year after year

    Key points:

  • In 2020, more than 18,000 recorded software vulnerabilities supported malicious activity.