C004 — Fix Availability for Vulnerable Open Source Components — Reading List

Contents

Must Read

  • State of the Software Supply Chain - 10-Year Retrospective
    Sonatype · 2024
    Ten-year retrospective reporting 94.9% fix availability, lengthening remediation times, a surge in CVE volume, and persistent downloads of still-vulnerable Log4j versions.
    Why read: Contains the precise 94.9% figure, the historical comparison (down from 96%), and the Log4j case study showing persistent non-adoption of fixes that were already available.

  • Security Dependency Updates Unmasked
    Moderne (OpenRewrite platform) · 2023-06-30
    Analysis of 1,307 vulnerable Java dependencies: only 30% could be fixed with a patch-level bump, while 50% required a minor and 10% a major version update.
    Why read: Essential counterpoint to the 95% fix-availability claim. Demonstrates that "fix available" does not mean "easy to apply": 70% of the fixes required more than a patch bump, so the upgrade carries API-change and regression risk that a version number alone does not convey.
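
The patch/minor/major split that the Moderne analysis reports is a measurable property of a dependency inventory, and it is worth computing for your own projects alongside the headline "fix available" rate. The script below is an added example, not code from Moderne, Sonatype or the OpenRewrite project: it classifies each vulnerable dependency by the semantic-version distance between the version in use and the first fixed version, and reports fix availability and the upgrade-type distribution. The artifact names and version pairs in `SAMPLE_DEPENDENCIES` are constructed for illustration, except the Log4j pair, which uses the 2.17.1 release the Apache project ships as the fixed version for the 2.x line.

```python
"""Classify how far a vulnerable dependency must be upgraded to reach a fix.

Added example; not taken from the Moderne or Sonatype reports. Versions are
compared on their leading major.minor.patch digits only (pre-release and
qualifier suffixes such as -SNAPSHOT are ignored), which is enough to
reproduce the patch/minor/major classification the reading list refers to.
"""
from collections import Counter
import re

# Constructed sample: (artifact, version in use, first fixed version or None if
# no fixed release exists). Only the log4j-core entry reflects real releases.
SAMPLE_DEPENDENCIES = [
    ("org.apache.logging.log4j:log4j-core", "2.14.1", "2.17.1"),
    ("com.example:web-utils", "3.4.2", "3.4.5"),
    ("com.example:parser", "1.9.0", "2.0.0"),
    ("com.example:crypto-lite", "0.8.1", "0.8.2"),
    ("com.example:http-client", "4.5.13", None),
    ("com.example:serializer", "2.2.0", "2.3.1"),
]

_VERSION_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(version):
    """Return (major, minor, patch) as ints; missing components count as 0."""
    match = _VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) if part is not None else 0 for part in match.groups())


def classify_upgrade(current, fixed):
    """Return 'none', 'patch', 'minor' or 'major' for the jump current -> fixed.

    'none' means the version in use is already at or past the fixed version,
    i.e. the entry should not be on a vulnerable list at all.
    """
    cur, fix = parse_version(current), parse_version(fixed)
    if fix <= cur:
        return "none"
    if fix[0] != cur[0]:
        return "major"
    if fix[1] != cur[1]:
        return "minor"
    return "patch"


def fix_availability(deps):
    """Percentage of dependencies for which any fixed version exists."""
    with_fix = sum(1 for _, _, fixed in deps if fixed is not None)
    return round(100 * with_fix / len(deps), 1)


def upgrade_distribution(deps):
    """Percentage split of upgrade type among dependencies that have a fix."""
    counts = Counter(
        classify_upgrade(current, fixed)
        for _, current, fixed in deps
        if fixed is not None
    )
    total = sum(counts.values())
    return {kind: round(100 * counts[kind] / total, 1)
            for kind in ("patch", "minor", "major", "none")}


if __name__ == "__main__":
    for artifact, current, fixed in SAMPLE_DEPENDENCIES:
        kind = "unfixed" if fixed is None else classify_upgrade(current, fixed)
        print(f"{artifact:45} {current:>8} -> {str(fixed):>8}  {kind}")
    print("fix availability:", fix_availability(SAMPLE_DEPENDENCIES), "%")
    print("upgrade distribution:", upgrade_distribution(SAMPLE_DEPENDENCIES))
```

The one caveat a practitioner should keep in mind: a patch-level distance only implies a drop-in upgrade if the library actually follows semantic versioning, and many Java libraries do not. Treat the classification as a triage signal for where to expect API breakage, not as proof that the bump is safe without running the test suite.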

Should Read

  • State of the Software Supply Chain 2024 - Risk Section
    Sonatype, in partnership with Tidelift and the CHAOSS Project · 2024
    Reports 95% fix availability, that 13% of Log4j downloads are still of vulnerable versions, that 80% of dependencies are unmanaged, and that foundation-backed projects resolve vulnerabilities 45% faster.
    Why read: Provides the alternative framing of the 95% figure ("for almost 95% of components that had a vulnerability, within a year") and the 80% unmanaged-dependencies statistic.