SRC005 — https://www.sonatype.com/state-of-the-software-supply-chain/2024/risk
Metadata
| Field | Value |
|---|---|
| URL | https://www.sonatype.com/state-of-the-software-supply-chain/2024/risk |
| Authors | Sonatype |
| Date | October 2024 |
Content Summary
Sonatype's 2024 State of the Software Supply Chain report states that 95% of vulnerable component releases that had been downloaded already had a fix available at the time of download. It also reports that 13% of Log4j downloads are still of vulnerable versions nearly three years after the disclosure. The 95% figure is derived from an updated analysis finding that 94.9% (rounded to 95%) of vulnerable components had a non-vulnerable version available within a year.
Reliability: High
Primary source from the report publisher, backed by telemetry from 1.5 trillion Maven Central requests and multiple ecosystems.
Relevance: High
Contains the exact 95% figure and explains the methodology behind it.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Methodology details for the 95% calculation are discussed but the exact algorithm is proprietary. |
| Measurement | Low risk | Based on download telemetry and vulnerability database matching, objective measurements. |
| Selective Reporting | Some concerns | Report emphasizes metrics that support Sonatype's product value proposition. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Sonatype sells dependency management and SCA tools; alarming consumption statistics directly support their business. |