SRC006 — https://www.sonatype.com/state-of-the-software-supply-chain/2024/risk
Metadata
| Field | Value |
|---|---|
| URL | https://www.sonatype.com/state-of-the-software-supply-chain/2024/risk |
| Authors | Sonatype, in partnership with Tidelift, CHAOSS Project |
| Date | 2024 |
Content Summary
Sonatype's 2024 report on open source risk. It reports that 95% of vulnerable component downloads had a fixed, non-vulnerable version available (down from 96% in 2022-2023); that 13% of Log4j downloads were still vulnerable nearly 3 years after a fix became available; that 80% of enterprise dependencies were unmanaged and remained outdated; and that foundation-supported projects resolve vulnerabilities 45% faster.
Reliability: Medium
Vendor report from a company selling supply chain security tools, but with transparent methodology and 10 years of consistent data collection.
Relevance: High
Primary source for the 95% fix-availability claim with detailed methodology and historical comparison.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Definition of 'fix available' is 'at least one newer, non-vulnerable version' which may include versions with breaking changes. |
| Measurement | Some concerns | Measures whether a newer non-vulnerable version exists, not whether it is a drop-in replacement. |
| Selective Reporting | Some concerns | Emphasizes the 95% figure without prominently discussing that many fixes require major version upgrades. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Sonatype sells the exact tools (Nexus Lifecycle) that address the dependency management problems this report highlights. |