SRC007 — https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look
Metadata
| Field | Value |
|---|---|
| URL | https://www.sonatype.com/state-of-the-software-supply-chain/2024/10-year-look |
| Authors | Sonatype |
| Date | 2024 |
Content Summary
Sonatype's 10th annual report retrospective confirms that 94.9% of vulnerable components downloaded had a fixed, non-vulnerable version available (compared to 96% in 2022 and 2023). It also reports that 13% of Log4j downloads three years post-disclosure are still known-vulnerable versions, and that mean time to remediate vulnerabilities has increased dramatically, with some critical fixes taking 500+ days.
Reliability: Medium
Primary vendor report from the dominant Maven Central steward — authoritative for Java ecosystem data.
Relevance: High
Contains the exact figure being verified (94.9% vs. claimed 95%) with multi-year trend data.
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Data heavily weighted toward Maven Central/Java ecosystem — other ecosystems less represented. |
| Measurement | Low risk | Based on observed download data from Maven Central — objective measurement. |
| Selective Reporting | Some concerns | Vendor report designed to highlight supply chain risks — aligns with Sonatype's product narrative. |
| Randomization | N/A | Observational data from package registry. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Sonatype sells SCA products that directly address the problem being described — clear commercial incentive. |