"Transitive Dependencies Account for 95% of Bugs"

Security researchers at Endor Labs have found that nearly all open source vulnerabilities (95%) are located in transitive, or indirect, dependencies. The researchers noted that developers increasingly favor open source as a way to accelerate time to market. However, only a small share (5%) of these software dependencies are actually chosen by DevOps teams; the rest are pulled into the codebase automatically as requirements of the packages that were chosen, which is what makes them transitive (indirect) dependencies. The researchers stated that this adds risk unless every such dependency is mapped and any associated bugs are remediated. The CEO of Endor Labs said that in this environment, open source software is the backbone of our critical infrastructure, yet even veteran developers and executives are often surprised to learn that 80% of the code in modern applications comes from existing OSS. The researchers noted that this is a vast arena that has nevertheless been largely overlooked. They also stated that even when developers use the latest version of an open source package, there is a 32% chance it will contain vulnerabilities. A separate report from Sonatype released earlier in 2022 claimed that transitive dependencies accounted for six out of every seven bugs affecting open source projects over the past year.
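The practical point of the report is that a team cannot remediate what it has not mapped: a vulnerable package three levels down still ships in the application, and the fix usually has to go through whichever direct dependency pulled it in. The following is an added example (not code from Endor Labs, Sonatype or Infosecurity) that walks a constructed dependency graph, separates direct from transitive dependencies, and attributes each advisory to the direct dependency that introduced it. All package names and advisory identifiers are hypothetical placeholders; a real tool would read them from a lockfile and an advisory database.

```python
"""Map direct vs transitive dependencies and attribute advisories to the
direct dependency that pulled the vulnerable package in.

Added example, not Endor Labs or Sonatype code. The graph and advisory
identifiers below are constructed for illustration only.
"""
from collections import deque

# Constructed sample graph (hypothetical package names): package -> requirements.
DEP_GRAPH = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "url-parser"],
    "template-engine": ["html-escape"],
    "http-client": ["url-parser", "tls-lib"],
    "url-parser": [],
    "html-escape": [],
    "tls-lib": ["asn1-codec"],
    "asn1-codec": [],
}

# Constructed advisory list: vulnerable package -> placeholder advisory id (not real CVEs).
ADVISORIES = {
    "html-escape": "EXAMPLE-ADV-001",
    "url-parser": "EXAMPLE-ADV-002",
    "http-client": "EXAMPLE-ADV-003",
}


def resolve(graph, root):
    """Return {package: depth} for everything reachable from root.
    Depth 1 is a direct dependency, depth >= 2 is transitive. BFS records
    the shallowest depth, and the visited check makes cycles harmless."""
    depths = {}
    queue = deque([(root, 0)])
    while queue:
        pkg, depth = queue.popleft()
        if pkg in depths:
            continue
        depths[pkg] = depth
        for child in graph.get(pkg, []):
            queue.append((child, depth + 1))
    depths.pop(root, None)
    return depths


def classify(graph, root):
    """Split the resolved set into (direct, transitive) package sets."""
    depths = resolve(graph, root)
    direct = {p for p, d in depths.items() if d == 1}
    transitive = {p for p, d in depths.items() if d >= 2}
    return direct, transitive


def paths_to(graph, root, target):
    """All dependency chains root -> ... -> target. The path set guards
    against cycles so the DFS terminates on any graph."""
    chains = []

    def dfs(node, path):
        if node == target:
            chains.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:
                dfs(child, path + [child])

    dfs(root, [root])
    return chains


def attribute_advisories(graph, root, advisories):
    """For each vulnerable package actually reachable from root, report whether
    it is direct or transitive, which direct dependencies introduced it, and
    the full chains: that is what a remediation ticket needs."""
    depths = resolve(graph, root)
    report = {}
    for pkg, advisory in advisories.items():
        if pkg not in depths:
            continue  # advisory does not apply to this application
        chains = paths_to(graph, root, pkg)
        report[pkg] = {
            "advisory": advisory,
            "kind": "direct" if depths[pkg] == 1 else "transitive",
            "introduced_by": sorted({chain[1] for chain in chains}),
            "chains": [" -> ".join(chain) for chain in chains],
        }
    return report


def transitive_share(graph, root, advisories):
    """Return (vulnerable transitive packages, vulnerable packages in total)."""
    report = attribute_advisories(graph, root, advisories)
    transitive = sum(1 for r in report.values() if r["kind"] == "transitive")
    return transitive, len(report)


if __name__ == "__main__":
    for pkg, info in attribute_advisories(DEP_GRAPH, "app", ADVISORIES).items():
        print(f"{pkg}: {info['advisory']} ({info['kind']}), "
              f"introduced by {', '.join(info['introduced_by'])}")
        for chain in info["chains"]:
            print("   ", chain)
    print("transitive share:", transitive_share(DEP_GRAPH, "app", ADVISORIES))
```

In the constructed graph two of the three applicable advisories sit in transitive packages, and one of them (`url-parser`) is reachable through two different direct dependencies, so upgrading only one of them would leave the vulnerable copy in place. That is the kind of mapping the report says is usually missing.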


Infosecurity reports: "Transitive Dependencies Account for 95% of Bugs"

Submitted by Anonymous on