C004 — Fix Availability for Vulnerable Open Source Components — The claim is almost certainly correct (95-99%) as stated, but very likely misleading (80-90%) because fix availability does not equal fix practicality.
Contents
Summary
Claim: 95% of vulnerable open source components consumed by downstream projects have a known fix available that has not been applied.
Bottom Line: Sonatype's report confirms that 94.9% of vulnerable components have a newer, non-vulnerable version available. However, Moderne's independent analysis of 1,307 Java dependencies shows that only 30% of fixes are simple patch bumps, 50% require minor version upgrades, and 10% require major version upgrades. Combined with the finding that 80% of enterprise dependencies remain unmanaged and 13% of Log4j downloads are still vulnerable 3+ years after a non-breaking fix, the 95% figure significantly overstates how actionable the available fixes are.
Results
| Artifact |
Description |
| Input |
Original text, clarification, scope, vocabulary |
| Assessment |
Evidence synthesis, probability assessment, gaps |
| Self-Audit |
Process audit across 4 ROBIS domains |
| Reading List |
Prioritized source list |
Hypotheses
| ID |
Label |
Status |
| H1 |
|
— |
| H2 |
|
— |
| H3 |
|
— |
Searches
| ID |
Target |
Returned |
Selected |
| S01 |
H1 |
0 |
0 |
| S02 |
H2 |
0 |
0 |
| S03 |
H3 |
0 |
0 |
| S04 |
H1 |
0 |
0 |
Sources
| ID |
Title |
Reliability |
Relevance |
| SRC001 |
https://arxiv.org/html/2602.14572v3 |
High |
High |
| SRC002 |
https://www.chainguard.dev/unchained/wolfis-upstream-securit |
Medium |
High |
| SRC003 |
https://github.com/ossf/scorecard |
High |
High |
| SRC004 |
https://www.blackduck.com/blog/open-source-trends-ossra-repo |
Medium |
High |
| SRC005 |
https://www.scworld.com/news/open-source-vulnerabilities-per |
Medium |
High |
| SRC006 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
Medium |
High |
| SRC007 |
https://www.sonatype.com/state-of-the-software-supply-chain/ |
Medium |
High |
| SRC008 |
https://www.moderne.ai/blog/security-dependency-updates-unma |
Medium |
High |
| SRC009 |
https://konvu.com/compare/semgrep-vs-codeql |
Medium |
High |
| SRC010 |
https://arxiv.org/html/2605.07900v1 |
High |
High |
| SRC011 |
https://arxiv.org/html/2409.07669v2 |
High |
High |
| SRC012 |
https://openssf.org/blog/2024/01/31/maintainer-motivations-c |
High |
High |
| SRC013 |
https://link.springer.com/article/10.1007/s10664-023-10369-w |
High |
Medium |
Evidence Snapshot
| Dimension |
Rating |
| Evidence quality |
Robust |
| Source agreement |
Medium |
Revisit Triggers
- [data_update] Sonatype publishes the 2025 State of the Software Supply Chain report with updated fix-availability figures
- [study] Moderne or another vendor publishes fix-difficulty data for ecosystems beyond Java
- [event] The Log4j vulnerable download percentage drops below 5%, suggesting remediation inertia is finally resolving
- [policy] A package registry (npm, PyPI, Maven Central) implements mandatory vulnerability warnings or download blocks
← Back to run overview