
C004 — Fix Availability for Vulnerable Open Source Components — Assessment


Sonatype's report confirms that 94.9% of vulnerable components have a newer, non-vulnerable version available. However, Moderne's independent analysis of 1,307 Java dependencies shows that only 30% of fixes are simple patch bumps, 50% require minor version upgrades, and 10% require major version upgrades. Combined with the finding that 80% of enterprise dependencies remain unmanaged and 13% of Log4j downloads are still vulnerable 3+ years after a non-breaking fix, the 95% figure significantly overstates how actionable the available fixes are.

Evidence Synthesis

Evidence quality: Robust — The 94.9% figure is confirmed from two sections of the Sonatype report (the risk section and the 10-year retrospective). The Moderne analysis provides rigorous quantitative data on upgrade difficulty (1,307 vulnerabilities analyzed). Both sources are directly relevant and provide actionable data.

Source agreement: Medium — Sources agree that approximately 95% of vulnerable components have a fix available. However, the Moderne analysis reveals that 'fix available' masks significant upgrade difficulty — only 30% of fixes are patch bumps, while 50% require minor and 10% require major version upgrades. The sources agree on the fact but diverge on its practical implication.

Independence: Independent. Sonatype and Moderne are separate companies analyzing different datasets. Sonatype measures fix availability across their repository of open source components. Moderne measures upgrade difficulty across their enterprise customer base. The convergence is genuinely independent.

Outliers

  • https://www.moderne.ai/blog/security-dependency-updates-unmasked: Shows that only 30% of fixes are simple patch bumps, challenging the implication that available fixes are easy to apply — Not a contradiction but an important nuance: fix availability and fix practicality are different things. Both findings can be simultaneously true.

Probability Assessment

  • C004-H1: Almost certain (95-99%)
  • The precise figure (94.9%) is confirmed from two sections of the Sonatype 2024 report. The figure rounds to the claimed 95%. This is a straightforward factual verification.
  • C004-H2: Very unlikely (05-15%)
  • The figure is confirmed from the source. No evidence of inaccuracy was found. The methodology (checking whether a newer, non-vulnerable version exists in the registry) is straightforward and well-defined.
  • C004-H3: Very likely (80-90%)
  • Strong quantitative evidence from Moderne: only 30% of fixes require patch bumps, 50% require minor version upgrades, and 10% require major version upgrades. Combined with Sonatype's finding that 80% of dependencies remain unmanaged and the persistent 13% vulnerable Log4j download rate 3 years post-fix, the evidence strongly supports that fix availability does not equal fix practicality.

Verdict: The claim is almost certainly correct (95-99%) as a factual statement about fix availability. However, it is very likely misleading (80-90%) because it masks significant upgrade difficulty. Only 30% of fixes are simple patch bumps; 60% require minor or major version upgrades. The 95% figure overstates how actionable the available fixes are.
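The distinction the verdict rests on (a fix exists vs. how large a version jump applying it requires) can be checked against one's own dependency inventory. The following is an added example, not code from the assessment or from either report: it classifies each upgrade as a patch, minor or major bump by semantic-version distance and reports the same split the Moderne analysis uses. The artifact names and versions in SAMPLE are constructed inputs, and the handling of non-numeric suffixes and two-part versions is an assumption about how such inventories typically look.

```python
import re
from collections import Counter

# Constructed sample rows: (artifact, version in use, lowest non-vulnerable version or None).
# Illustrative inputs only, not data from the Sonatype or Moderne reports.
SAMPLE = [
    ("org.apache.logging.log4j:log4j-core", "2.14.1", "2.17.1"),             # minor bump
    ("com.fasterxml.jackson.core:jackson-databind", "2.9.10.8", "2.9.10.9"),  # patch bump
    ("org.springframework:spring-core", "5.3.18.RELEASE", "6.0.0"),          # major bump
    ("commons-io:commons-io", "2.6", "2.7"),                                 # minor, 2-part version
    ("example:no-fix-yet", "1.33", None),                                    # no fixed release
]

def parse_version(v):
    """Keep the leading dotted numeric part: '5.3.18.RELEASE' -> (5, 3, 18)."""
    m = re.match(r"(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"version has no numeric prefix: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def bump_kind(current, fixed):
    """Classify the upgrade: 'unfixed', 'none', 'patch', 'minor' or 'major'."""
    if fixed is None:
        return "unfixed"                      # no non-vulnerable release exists
    cur, fix = parse_version(current), parse_version(fixed)
    if fix <= cur:
        return "none"                         # already on or past the fixed version
    if fix[0] != cur[0]:
        return "major"
    if fix[1:2] != cur[1:2]:                  # slice so 2-part versions such as '2.6' work
        return "minor"
    return "patch"

def summarize(rows):
    """Split 'fix available' into the upgrade sizes needed to actually apply it."""
    counts = Counter(bump_kind(cur, fix) for _, cur, fix in rows)
    available = len(rows) - counts["unfixed"]
    needing_upgrade = counts["patch"] + counts["minor"] + counts["major"]
    return {
        "total": len(rows),
        "counts": dict(counts),
        "fix_available_pct": round(100 * available / len(rows), 1),
        "patch_only_pct": round(100 * counts["patch"] / needing_upgrade, 1) if needing_upgrade else 0.0,
    }

if __name__ == "__main__":
    for name, cur, fix in SAMPLE:
        print(f"{name}: {cur} -> {fix}: {bump_kind(cur, fix)}")
    print(summarize(SAMPLE))
```

On the constructed sample, 80% of rows have a fix available but only 25% of those fixes are patch bumps, which is the gap between "fix available" and "fix practical" that the verdict describes.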

Evidence Gaps

Expected but not found:

  • Breakdown of fix availability by ecosystem (npm vs. PyPI vs. Maven vs. Go) to understand ecosystem variation
  • Data on how many of the 'available fixes' are actually backward-compatible
  • Competing analysis from another vendor confirming or challenging the 95% figure

Unanswered questions:

  • Does the 95% figure vary significantly across different package ecosystems?
  • What is the median time between vulnerability disclosure and fix availability?
  • What fraction of the 95% are truly drop-in replacements requiring no code changes?

Impact on confidence: Gaps have minimal impact on confidence in the 95% figure itself (high) but moderate impact on understanding its practical implications. The Moderne data partially fills this gap by showing upgrade difficulty distribution.
