WhiteSource found that 85% of disclosed open-source vulnerabilities already have a fix available at the time of disclosure. However, it notes that some users never learn of these fixes because only 84% of known open-source bugs make it into the National Vulnerability Database (NVD); the remaining 16% are published elsewhere, so a team that relies on the NVD alone will miss them.
"Information about vulnerabilities is not published in one centralized location, rather scattered across hundreds of resources, and sometimes poorly indexed – often making searching for specific data a challenge," it notes.
Despite lauding GitHub's effort, WhiteSource points out that developers could be inundated by the higher volume of bugs being found.
"Our concern is that, while these tools will help to report vulnerability issues in a proper manner, they will probably only aggravate the issue with software developers who are already struggling to keep up with the increased rate," WhiteSource notes.
WhiteSource also looked at how vulnerabilities were distributed across the top programming languages. C accounted for the largest share, at 30%, down from 47% a decade ago. The company notes that C's high share most likely reflects the sheer volume of code written in it rather than anything about the language itself, so these figures measure where vulnerabilities are reported, not how safe each language is.
Code written in PHP, on the other hand, accounted for 27% of the security bugs, up from 15% ten years ago, even though PHP has become less popular among developers.
By contrast, Python code accounted for only 5% of the bugs, down from 6% ten years ago.
The most common categories of security flaw in 2019 were cross-site scripting (CWE-79), improper input validation (CWE-20), buffer errors (CWE-119), out-of-bounds reads (CWE-125), and information exposure (CWE-200).