SRC007 — https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look
Metadata
| Field | Value |
|---|---|
| URL | https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look |
| Authors | Sonatype |
| Date | 2024 |
Content Summary
Sonatype's 10-year retrospective covering attackers, publishers, consumers, and regulators. Key findings: 94.9% of vulnerable downloads had a fixed version available; mean time to remediate vulnerabilities increasing to 400-500+ days for some severity levels; CVE volume surged from 28K to 40K+ between 2023-2024; only 10.5% of 7M+ components are actively chosen by developers.
Reliability: Medium
Long-running vendor report with consistent methodology over 10 years, but with commercial incentives.
Relevance: High
Provides the precise 94.9% figure and extensive context on vulnerability remediation trends over a decade.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Low risk | Comprehensive 10-year dataset with historical comparisons. |
| Measurement | Some concerns | Algorithm for measuring fix availability was 'reviewed and updated' this year, introducing potential discontinuity. |
| Selective Reporting | Some concerns | Report advocates for Sonatype's approach to software supply chain management. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Sonatype sells software supply chain management products that directly address the problems documented. |