
C003 — H4:


Statement: The figures are real, but the 107% increase is driven primarily by growth in the CVE/vulnerability database (more vulnerabilities being catalogued) rather than by codebases actually becoming less secure.

Supporting Evidence Would Show

  • Data showing the NVD/CVE database growing rapidly, with more CVEs published each year
  • Evidence that the vulnerability count increase correlates with database growth rather than new insecure code
  • Academic literature on vulnerability-count inflation in software composition analysis (SCA) scanning

Eliminating Evidence Would Show

  • Evidence that the increase is driven by codebases adding more dependencies, not just more CVEs being published
  • The OSSRA report controlling for CVE database growth in its analysis
  • Data showing the increase persists even when normalizing for the number of catalogued vulnerabilities
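The "normalizing" step named in both lists above can be made concrete. The following is an added example, not part of this card, the OSSRA report, or any scanner's code: it takes a baseline and a current snapshot of a scanned population and reports the raw increase in vulnerabilities per codebase alongside the same increase divided out by dependency count and by catalogue size. The Snapshot fields, the 10% decision threshold, and every number below are constructed assumptions chosen so that the raw increase comes out at +107% like the figure under discussion; nothing here is measured data.

```python
"""Normalize a 'vulnerabilities per codebase' trend for CVE-catalogue growth
and for dependency growth, to see which factor the increase actually tracks.
Example code; all figures are constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    year: int
    vulns_per_codebase: float  # mean known vulns an SCA scan reports per codebase
    deps_per_codebase: float   # mean dependencies (direct + transitive) per codebase
    cves_catalogued: int       # CVEs in the database the scanner matched against


@dataclass(frozen=True)
class Normalized:
    raw_pct: float                 # increase in vulns per codebase, unadjusted
    per_dependency_pct: float      # increase in vulns per dependency
    per_catalogued_cve_pct: float  # increase in vulns per catalogued CVE


def pct_change(before: float, after: float) -> float:
    """Percent change from before to after (2x == +100.0)."""
    if before <= 0:
        raise ValueError("baseline must be positive")
    return (after / before - 1.0) * 100.0


def normalize(base: Snapshot, cur: Snapshot) -> Normalized:
    """Compute the raw trend and the two normalized trends side by side."""
    return Normalized(
        raw_pct=pct_change(base.vulns_per_codebase, cur.vulns_per_codebase),
        per_dependency_pct=pct_change(
            base.vulns_per_codebase / base.deps_per_codebase,
            cur.vulns_per_codebase / cur.deps_per_codebase,
        ),
        per_catalogued_cve_pct=pct_change(
            base.vulns_per_codebase / base.cves_catalogued,
            cur.vulns_per_codebase / cur.cves_catalogued,
        ),
    )


def verdict(n: Normalized, tolerance_pct: float = 10.0) -> str:
    """Crude decision rule (an assumption of this example, not the report's):
    if the increase all but vanishes once divided by catalogue size, catalogue
    growth is the dominant driver; if it vanishes per dependency, dependency
    growth is; otherwise the increase persists after normalization."""
    if abs(n.per_catalogued_cve_pct) <= tolerance_pct:
        return "catalogue-driven"
    if abs(n.per_dependency_pct) <= tolerance_pct:
        return "dependency-driven"
    return "persists-after-normalization"


# Constructed sample: raw increase is +107%, but the catalogue has doubled
# while dependency counts rose only 10%. Not real NVD or OSSRA figures.
BASE = Snapshot(year=2019, vulns_per_codebase=40.0,
                deps_per_codebase=300.0, cves_catalogued=120_000)
CUR = Snapshot(year=2023, vulns_per_codebase=82.8,
               deps_per_codebase=330.0, cves_catalogued=240_000)

if __name__ == "__main__":
    n = normalize(BASE, CUR)
    print(f"raw: +{n.raw_pct:.1f}%  per dependency: +{n.per_dependency_pct:.1f}%  "
          f"per catalogued CVE: +{n.per_catalogued_cve_pct:.1f}%  -> {verdict(n)}")
```

With the constructed inputs the raw +107% shrinks to roughly +3.5% once divided by catalogue size, which is the shape of result that would support the statement; the same code returns "persists-after-normalization" when the increase survives the division, which is the shape the eliminating evidence describes.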
