More than 75% of all vulnerabilities reside in indirect dependencies

JavaScript, Ruby, and Java are the ecosystems with most bugs in indirect dependencies.

The vast majority of security vulnerabilities in open-source projects reside in indirect dependencies rather than directly and first-hand loaded components.

"Aggregating the numbers from all ecosystems, we found more than three times as many vulnerabilities in indirect dependencies than we did direct dependencies," Alyssa Miller, Application Security Advocate at Snyk, told ZDNet in an interview discussing Snyk's State of Open Source Security for 2020 study.

The report looked at how vulnerabilities impacted the JavaScript (npm), Ruby (RubyGems), Java (MavenCentral), PHP (Packagist), and Python (PyPI) ecosystems.

Snyk said that 86% of the JavaScript security bugs, 81% of the Ruby bugs, and 74% of the Java ones impacted libraries that were dependencies of the primary components loaded inside a project.

snyk-indirect.png

Image: Snyk

Snyk argues that companies scanning their primary dependencies for security issues without exploring their full dependency tree multiple levels down would release or end up running products that were vulnerable to unforeseen bugs.

But while security bugs were prevalent in JavaScript, Ruby, and Java, it was not in PHP and Python, where the vast majority of bugs were in the direct dependencies (primary components). However, there's a reason for that.

"I honestly find it's more a matter of the development approach within ecosystems themselves," Miller told ZDNet.

"Java and Node.js projects, in particular, seem to leverage dependencies a lot heavier than other ecosystems. In particular, when you look at the sheer size of the Node.js ecosystem, packages building off or leveraging key functionality from other packages is very much the norm.

"Ask any Node developer, and they probably have a story of waiting for long periods to open a project while npm is trying to pull all the necessary dependencies," Miller added. "One of our favorite examples is an 80 line Java application that specifies 7 dependencies. When you walk the entire dependency tree, however, you find 59 sub-dependencies, and suddenly, the 80 lines of code turns into 740,000 lines.

"That 'stranger danger,' as we like to nickname it, is at the heart of some high profile breaches and a key cause of complexity in terms of software supply chain security," Miller said.

A few bugs had a large impact

But the Snyk team didn't just look at the location of these bugs in the open-source ecosystem, but also at what type of bugs they were.

Another interesting finding is that most of the new security flaws discovered in 2019 were cross-site scripting (XSS) bugs, but despite their high number, these impacted only a small portion of real-world projects.

Instead, two-dozen prototype pollution bugs had the biggest impact of all bugs discovered last year, affecting more than 115,000 different open source projects, and probably even more private ones.

Of these, the prototype pollution bugs in jQuery and LoDash had the biggest impact, as these frameworks are some of the most widely employed JavaScript development toolsets today.

snyk-vuln-impact-type.png

Image: Snyk

But the Snyk team also pointed to another quirck in their report, namely that "malicious packages" ranked as the second most common type of security issue they found in projects last year.

This refers to open-source libraries that have either been created to be malicious on purpose, or libraries where the developer account was hacked and the code poisoned.

According to Snyk, last year, hacked or malicious packages were the second most common source of security issues for the open-source ecosystem.

"The vast majority, over 87%, were from npm [JavaScript] packages," Miller told ZDNet.

Fewer security bugs last year, but no reason to celebrate

Furthermore, Snyk also noted a 20% drop in the number of bugs they discovered across all the five ecosystems they scanned.

snyk-vuln-2019.png

Image: Snyk

"It is hard to say for sure [why they dropped]," Miller said. "The perpetual security skeptic in me says this could just be part of the natural ebb and flow. However, on the optimistic side, we do see some key shifts in the community that could mean it's more than just a single year outlier.

"For instance, where we saw more Cross-Site Scripting (XSS) vulnerabilities reported than any other vulnerability type, they affected a small portion of the total projects we scanned for the year. That suggests that XSS is likely not impacting more heavily used and therefore matured projects meaning that we are potentially getting traction in secure coding techniques.

"Also, our survey showed that attitudes across the community are starting to see software security as a shared responsibility between developers and security teams (and even to some extent the operations teams)," Miller said.

"That improved cooperation could certainly be helping drive better awareness and tactical measures around secure code and secure use of open source packages.

"Having worked in security for 15 years, I'm certainly not ready to proclaim one year as a sign that things have taken a new direction, but you can bet it's a trend we'll continue to watch and see how things look over the coming months and the whole of 2020."

For additional insights into the general security state of the open-source community, Snyk's full report is available for download here.