
Sonatype: 1/8 of the open source components on the market have known vulnerabilities, and maintenance activity on the related projects is gradually declining.

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

CTOnews.com, October 6 (Xinhua) Software provider Sonatype recently released its State of the Software Supply Chain 2023 report, which it says "deeply explores how to define better software in a world full of choices, explores the far-reaching impact of AI on software development, studies the complex interaction between open source supply, demand and security, and clarifies the measures taken by regulators to deal with network security risks."

According to the Sonatype report, "open source projects have experienced significant growth in recent years, indicating an ongoing wave of industry innovation."

The report tracks the growth of open source applications in four ecosystems: Java (Maven), JavaScript (npm), Python (PyPI) and .NET (NuGet Gallery). Between 2022 and 2023, the number of open source projects increased by an average of 29%.

▲ Source: Sonatype

In 2023, open source projects released an average of 15 versions each, with the average for specific ecosystems ranging from 10 to 22 versions across the different open source registries. This means 1-2 new versions are released every month, and a total of 60 million new versions were released across the observed ecosystems.

However, Sonatype also pointed out that although the number of open source projects keeps growing, the number of users "has not kept pace": the average growth rate of users of open source projects was 33% in 2023, down sharply from 73% in 2021.

In terms of security, the software provider believes that the security problems of open source projects show no "signs of slowing down." As of September 2023, the research team had found 245,032 malicious software packages, twice as many as in all previous years combined. 1/8 of open source downloads carry known risks, and 23% of Log4j downloads still have serious vulnerabilities.

▲ Source: Sonatype

In terms of the maintenance of open source projects, Sonatype believes that "maintenance participation" in the related projects is becoming less and less. Last year, nearly 1/5 (18.6%) of projects stopped maintenance, affecting the Java and JavaScript ecosystems. Only 11% of open source projects are actively maintained. Despite these flaws, the software company says that nearly 96% of component downloads with known vulnerabilities could have been avoided by selecting a "bug-free version."
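To make the "select a version without known vulnerabilities" point concrete, here is an added Python example (not code from the Sonatype report or from this article) that checks a list of component downloads against an advisory table and classifies each download as clean, avoidable (a fixed version already exists) or unfixed; the package names, version ranges and advisories are all constructed for illustration, not real CVE data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    package: str
    affected_from: str       # first affected version (inclusive)
    fixed_in: Optional[str]  # first version that is no longer affected; None = no fix published

# Constructed advisory table for illustration only (not real packages or CVEs).
ADVISORIES = [
    Advisory("log-lib", "2.0.0", "2.15.0"),
    Advisory("xml-parser", "1.0.0", None),
    Advisory("yaml-loader", "3.0.0", "3.2.1"),
]

# Constructed sample of downloads, as (package, version) pairs.
SAMPLE_DOWNLOADS = [
    ("log-lib", "2.14.1"), ("log-lib", "2.17.0"), ("xml-parser", "1.4.0"),
    ("yaml-loader", "3.1.0"), ("yaml-loader", "3.2.1"),
]

def parse_version(v: str) -> tuple:
    """Turn a dotted version such as '2.14.1' into (2, 14, 1) so tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))

def is_affected(adv: Advisory, version: str) -> bool:
    """True if version falls inside [affected_from, fixed_in); open-ended when no fix exists."""
    v = parse_version(version)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)

def classify_download(package: str, version: str) -> str:
    """'clean' (no advisory), 'avoidable' (every matching advisory has a fix), or 'unfixed'."""
    matches = [a for a in ADVISORIES if a.package == package and is_affected(a, version)]
    if not matches:
        return "clean"
    return "avoidable" if all(a.fixed_in is not None for a in matches) else "unfixed"

def summarize(downloads):
    """Count each class and return the share of vulnerable downloads that were avoidable."""
    counts = {"clean": 0, "avoidable": 0, "unfixed": 0}
    for pkg, ver in downloads:
        counts[classify_download(pkg, ver)] += 1
    vulnerable = counts["avoidable"] + counts["unfixed"]
    return counts, (counts["avoidable"] / vulnerable if vulnerable else 0.0)

if __name__ == "__main__":
    print(summarize(SAMPLE_DOWNLOADS))
```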

In terms of software supply chain maturity, demand for software bills of materials (SBOMs) is increasing, and the "security advantage" of software that ships them is becoming more and more prominent. However, given the significant gap between the maturity levels software vendors report for themselves and those assessed by third parties, Sonatype believes that the maturity of each software supply chain needs to be evaluated by a neutral third party.

▲ Source: Sonatype

In terms of AI, 97% of the DevOps and SecOps leaders surveyed said they currently use artificial intelligence in their workflows to some extent, and most use two or more tools a day. Last year, the adoption of AI and ML components in enterprise environments increased by 135%.

▲ Source: Sonatype

Reference: Introducing our 9th annual State of the Software Supply Chain report - Sonatype
