SRC013 — https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look
Metadata
| Field | Value |
|---|---|
| URL | https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look |
| Authors | Sonatype |
| Date | October 2024 |
Content Summary
Sonatype's 10-year retrospective reports that in 2022 and 2023, 96% of vulnerable component downloads had a fixed (non-vulnerable) version available at the time of download. The 2024 analysis, using a revised algorithm, found 94.9% (reported as 95%). It also reports that 13% of Log4j downloads are still of vulnerable versions, down from the 30-35% reported in prior years.
Reliability: High
Primary source providing longitudinal context for the 95% figure across multiple years.
Relevance: High
Confirms the 95% figure and provides year-over-year context showing consistency (96% in prior years, 94.9% in 2024). Note that the 2024 figure comes from a revised algorithm, so the year-over-year comparison is approximate rather than strictly like-for-like.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Low risk | Provides multi-year context and explains methodology changes. |
| Measurement | Low risk | Describes revised algorithm transparently. |
| Selective Reporting | Some concerns | Focuses on avoidable risk, which supports Sonatype's product narrative. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Sonatype sells dependency management tools. |