
C004 — Fix Availability for Vulnerable Open Source Components — Input


Original Text

95% of vulnerable open source components consumed by downstream projects have a known fix available that has not been applied.

Clarified for Testability

Among open source components with known vulnerabilities that are used as dependencies by downstream software projects, 95% have an available fix (typically a patched version) that the downstream project has not yet adopted. This implies that the vast majority of open source vulnerability exposure is due to failure to update rather than lack of available patches.

Embedded Assumptions Surfaced

  • Assumes 'known fix available' means a patched version of the component exists in the package registry, not necessarily that the fix is a drop-in replacement (it may require breaking changes).
  • Assumes the 95% figure comes from a specific measurement methodology — likely Sonatype's analysis of Maven Central, npm, PyPI, or similar package registries.
  • Assumes 'consumed by downstream projects' means the vulnerable version is declared as a dependency, not necessarily that the vulnerable code path is actually executed.
  • The framing implies developer negligence, but the reasons for not updating may include compatibility concerns, transitive dependency locks, or unawareness.
  • The source (Sonatype) sells software supply chain management tools, creating potential commercial bias toward findings that emphasize the problem their products solve.
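The first and third assumptions above matter because the same dependency data yields different "fix available" figures depending on how the metric is defined. The following added example (not from the page or from Sonatype's methodology, which the page does not describe) computes a remediation-availability rate over a constructed lockfile and a constructed advisory list, first counting any patched version as a fix and then only fixes that stay within the dependency's current major version, which is the semantic-versioning proxy for a non-breaking upgrade. All package names, versions and advisories are invented sample data.

```python
"""Added example: how the definition of "known fix available" changes the
remediation-availability rate for a set of declared dependencies.

All advisories, package names and versions below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version, or None if no patch exists


@dataclass(frozen=True)
class Dependency:
    package: str
    version: str              # version pinned in the downstream lockfile


def parse(version: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '1.4.2' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """True if the declared version falls in [introduced, fixed) of the advisory."""
    if dep.package != adv.package:
        return False
    v = parse(dep.version)
    if v < parse(adv.introduced):
        return False
    return adv.fixed is None or v < parse(adv.fixed)


def classify(deps: List[Dependency], advisories: List[Advisory]) -> Tuple[int, int, int]:
    """Return (vulnerable, with_any_fix, with_non_breaking_fix).

    A dependency counts as having a fix only if every advisory affecting it
    has a fixed version; the fix is 'non-breaking' if all those fixed versions
    share the dependency's current major version (a semver approximation).
    """
    vulnerable = any_fix = non_breaking = 0
    for dep in deps:
        hits = [a for a in advisories if is_affected(dep, a)]
        if not hits:
            continue
        vulnerable += 1
        if any(a.fixed is None for a in hits):
            continue
        any_fix += 1
        current_major = parse(dep.version)[0]
        if all(parse(a.fixed)[0] == current_major for a in hits):
            non_breaking += 1
    return vulnerable, any_fix, non_breaking


def fix_available_rate(deps: List[Dependency], advisories: List[Advisory],
                       require_non_breaking: bool = False) -> float:
    """Share of vulnerable dependencies that have a fix, under either definition."""
    vulnerable, any_fix, non_breaking = classify(deps, advisories)
    if vulnerable == 0:
        return 0.0
    return (non_breaking if require_non_breaking else any_fix) / vulnerable


# Constructed sample data (not real advisories or packages).
ADVISORIES = [
    Advisory("libalpha", "1.0.0", "1.4.2"),   # patched within the 1.x line
    Advisory("libbeta", "2.0.0", "3.0.0"),    # patch only in the next major
    Advisory("libgamma", "0.9.0", None),      # no fix published
    Advisory("libdelta", "4.1.0", "4.1.5"),   # patched within the 4.1.x line
]

DEPENDENCIES = [
    Dependency("libalpha", "1.2.0"),    # vulnerable, non-breaking fix available
    Dependency("libbeta", "2.3.1"),     # vulnerable, fix requires a major bump
    Dependency("libgamma", "1.0.0"),    # vulnerable, no fix exists
    Dependency("libdelta", "4.1.5"),    # already on the fixed version
    Dependency("libepsilon", "0.1.0"),  # no advisory at all
]

if __name__ == "__main__":
    print("counts (vulnerable, any fix, non-breaking fix):",
          classify(DEPENDENCIES, ADVISORIES))
    print("fix available (any patched version): %.2f"
          % fix_available_rate(DEPENDENCIES, ADVISORIES))
    print("fix available (same-major only):    %.2f"
          % fix_available_rate(DEPENDENCIES, ADVISORIES, require_non_breaking=True))
```

On this constructed data three of five dependencies are vulnerable; two thirds of those have some patched version, but only one third can be fixed without crossing a major version boundary. The gap between the two numbers is exactly the distinction the first assumption raises, and a real study's figure is only interpretable once it states which definition it uses. The second distinction (declared versus actually executed code path) cannot be decided from lockfile data at all and would need call-graph or runtime reachability analysis on top of this.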

Scope

Domain:      Software supply chain security — vulnerability remediation rates
Timeframe:   From Sonatype's 2024 State of the Software Supply Chain report
Testability: Testable by examining the Sonatype report methodology and cross-referencing against other supply chain security reports.

Vocabulary Map

Primary Terms: vulnerable components, known fix available, dependency update, patch availability, remediation rate

Domain Variants: unpatched dependencies, outdated dependencies, version lag, update debt, security debt

Related Concepts: dependency management, software supply chain, transitive dependencies, semantic versioning, breaking changes, automated dependency updates, Dependabot, Renovate
