www.sonatype.com
2606:2c40::c73c:671c
Submitted URL: https://www.sonatype.com/e3t/Btc/Q*113/cdrCy04/VWG89Q1QX9-HW7wYnpf43q22yW76My974y6TjhN5g75kc3q3pBV1-WJV7CgQnnW4QpxKL30MR3...
Effective URL: https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021?utm_campaign=Q4%202021-State%20of%20the%20Soft...
Submission: On October 01 via api from US — Scanned from DE
2021 STATE OF THE SOFTWARE SUPPLY CHAIN

Now in its seventh year, Sonatype’s 2021 State of the Software Supply Chain Report blends a broad set of public and proprietary data to reveal important findings about open source and its increasingly important role in digital innovation.

Select Section
* Open Source Supply, Demand, and Security
* Exemplary Open Source Projects
* Dependency Management
* Software Supply Chain Maturity Survey
* New Regulation and Standards

1 OPEN SOURCE SUPPLY, DEMAND, AND SECURITY

Open source supply is growing exponentially. Currently, the top four open source ecosystems contain a combined 37,451,682 components and packages. These same communities released a combined 6,302,733 new versions of components / packages over the past year and have introduced 723,570 brand new projects in support of 27 million developers worldwide.
[Figure: Available Supply of Open Source, by ecosystem (versions and projects, new in 2021 vs. available prior to 2021)]
Java: 430,995 projects, 7.3 million versions
JavaScript: 1.8 million projects, 21 million versions
Python: 336,402 projects, 3 million versions
.NET: 338,423 projects, 5.6 million versions

Open source demand continues to explode.

[Figure: Increase in Downloads Year Over Year, 2020 - 2021]
Java: 71% increase (267 to 457 billion)
JavaScript: 50% increase (1 to 1.5 trillion)
Python: 92% increase (66 to 127 billion)
.NET: 78% increase (44 to 78 billion)

In 2021, developers around the world will request more than 2.2 trillion open source packages, representing a 73% YoY growth in developer downloads of open source components. Despite the growing volume of downloads, the percentage of available components utilized in production applications is shockingly low.

Vulnerabilities are more common in popular projects. The top 10% of most popular OSS project versions are 29% likely on average to contain known vulnerabilities. Conversely, the remaining 90% of project versions are only 6.5% likely to contain known vulnerabilities. In combination, these statistics indicate that the vast majority of security research (whitehat and blackhat) is focused on finding and fixing (or exploiting) vulnerabilities in projects that are more commonly utilized.

[Figure: Vulnerability Release Density vs. Popularity: percent of releases vulnerable by popularity group (top 10% to bottom 10%) for Java (Maven), JavaScript (npm), Python (PyPI) and .NET (NuGet); the top-decile share reads 39% for npm, 38% for PyPI and 16% for NuGet, and the Maven series ranges from 2% to 26%]

2021 Software Supply Chain Statistics

Ecosystem        Total Projects  Total Project Versions  Download Requests  YoY Download Growth  Ecosystem Project Utilization  Vuln Density, 10% Most Popular Utilized Versions  Vuln Density, 90% Least Popular Utilized Versions
Java             431K            7.3M                    457B               71%                  15%                            23%                                               4%
JavaScript       1.9M            21M                     1.5T               50%                  2%                             39%                                               8%
Python           336K            3M                      127B               92%                  4%                             38%                                               8%
.NET             338K            5.6M                    78B                78%                  2%                             15%                                               6%
Totals/Averages  3M              37M                     2.2T               73%                  6%                             29%                                               6.5%

High-Profile Software Supply Chain Attacks, Dec 2020 - July 2021

DECEMBER 2020: SolarWinds
Threat actors gained access to SolarWinds dev infrastructure, and injected malicious code into Orion update binaries. 18,000 customers automatically pulled trojanized updates, planting backdoors into their systems and allowing bad actors to exploit private networks at will.

FEBRUARY 2021: Namespace Confusion
Three days after news broke of an ethical researcher hacking over 35 big tech firms in a novel supply-chain attack, more than 300 malicious copycat attacks were recorded. Within one month, more than 10,000 namespace confusion copycats had infiltrated npm and other ecosystems.

APRIL 2021: Codecov
An attacker was able to gain access to a credential via a mistake in how Codecov were building Docker images. This credential then let them modify Codecov’s bash uploader script, which was either used directly by customers or via Codecov’s other uploaders like their GitHub Action. The attacker used this modified script to steal credentials from the CI environments of customers using it.

MAY 2021: Microsoft's WinGet
The weekend after launching, WinGet's software registry was flooded with pull requests for apps that were either duplicates or malformed. Some newly added duplicate packages were corrupted and ended up overwriting the existing packages, raising serious concerns about the integrity of the WinGet ecosystem.

JULY 2021: Kaseya
A ransomware group discovered and exploited a zero-day vulnerability in a remote monitoring and management software platform used by dozens of managed security providers (MSPs). Because these MSPs service thousands of downstream customers, the hackers were able to conduct a ransomware attack against 1,500 victims.

Software Supply Chain Attacks Increase 650%

Members of the world’s open source community are facing a novel and rapidly expanding threat that has nothing to do with passive adversaries exploiting known vulnerabilities in the wild — and everything to do with aggressive attackers intentionally tampering with open source projects to infiltrate the commercial software supply chain. From February 2015 to June 2019, 216 software supply chain attacks were recorded. Then, from July 2019 to May 2020, the number of attacks increased to 929 attacks. However, in the past year, such attacks numbered more than 12,000 and represented a 650% year over year increase.
[Figure: Next Generation Software Supply Chain Attacks (2015–2020): Dependency Confusion, Typosquatting, and Malicious Code Injection; attacks per year from 2015 through 2021 on a scale of 0 to 12,000, showing a 650% year over year increase]
Practical Recommendation

To accelerate the pace of digital innovation without sacrificing quality or security, engineering and risk management leaders should understand the supply, demand, and risk dynamics associated with third-party open source ecosystems. Furthermore, they should carefully define and automatically enforce open source policies across every phase of the software supply chain.

2 UNDERSTANDING EXEMPLARY OPEN SOURCE PROJECTS

Some open source projects are definitely better than others. But how do you know? This year we examined three different methods for identifying exemplary open source projects: Sonatype Mean Time to Update (MTTU), OpenSSF Criticality, and Libraries.io Sourcerank. We found that MTTU combined with OpenSSF Criticality is strongly associated with exemplary project outcomes in the areas of security and developer productivity.

Metrics to Use to Assess Relative Quality of an OSS Project
* Sonatype MTTU
* OpenSSF Criticality
* Libraries.io Sourcerank

Sonatype MTTU provides a measure of project quality that is based on how quickly the project moves to update its dependencies. Lower (faster) is better. Components that consistently react quickly to dependency upgrades will have lower MTTU. Components that react slowly or have high variance in their update times will have higher MTTU.

OpenSSF Criticality measures a project’s community, usage, and activity. This is distilled into a score that is intended to measure how critical the project is in the open source ecosystem.

Libraries.io Sourcerank aims to measure the quality of software, mostly focusing on project documentation, maturity, and community.
It is computed by evaluating a number of yes/no responses such as “Is the project more than six months old?” and a set of numerical questions, such as “How many ‘stars’ does the project have?” These are distilled into a single score, with yes/no questions adding or subtracting a fixed number of “points” and numerical questions being converted into points using a formula, e.g. “log(num_stars)/2.” The current maximum number of points is approximately 30.

Lower MTTU is better. Suppose we have a component A with dependencies B and C, both at version 1.2. Suppose B and C each release a new version (1.3) and some time later A releases a new version that bumps the versions of B and C to 1.3. The time between the release of B version 1.3 and the release of A version 1.3 is the Time To Upgrade (TTU) for A’s migration to B version 1.3 (and similarly for A’s adoption of C version 1.3). The average of all these upgrade times is then the MTTU.

Aggregate MTTUs are improving over time. In addition to the number of projects growing over the years, there has been a clear trend toward faster MTTUs. The average MTTU across projects in 2011 was 371 days. In 2014 it was 302 days and by 2018 it was 158 days. In 2021, as of August 1, average MTTU was 28 days, less than half of the 73 days the average project took in 2020.

[Chart: density of MTTU in days (log scale) by year, 2011 through 2021 (2021 projected)]

MTTU is highly correlated to MTTR. Suppose a project A includes a dependency B, and B has a vulnerability disclosed at date D1. Then A updates the version of B it’s using on date D2.
Time to Remediate (TTR) is then the time between D1 and D2 measured in days, and MTTR is the average TTR for a project across all disclosed security vulnerabilities.

While MTTU does not directly measure the speed at which projects fix publicly disclosed vulnerabilities, it does correlate to a project’s mean time to remediate (MTTR), which is the time required to update dependencies that have published vulnerabilities. Thus, we consider MTTU to be the best metric available to determine the impact a component will have on the security of projects that incorporate it.

Practical Recommendations

Choosing high quality open source projects should be considered an important strategic decision for enterprise software development organizations. To avoid stale dependencies and minimize security risks associated with third party open source, software engineering teams should actively embrace projects that consistently demonstrate low mean time to update (MTTU) values and high OpenSSF Criticality scores.

3 HOW YOUR PEERS ARE MANAGING OPEN SOURCE DEPENDENCIES

For this year’s report, we examined 4 million real-world dependency management decisions spread across 100,000 applications. Our learnings highlighted below are enlightening.

Despite the growing volume of downloads, the percentage of available components observed in production applications is shockingly low. On average, production enterprise Java applications utilize 10% of available open source components, and commercial engineering teams actively update only 25% of those components that are utilized.

Active Projects in the Maven Central Repository
* 430,000 projects in Maven Central
* 40,000 projects present in 100,000 applications
* 10,000 projects across those 100,000 applications were actively being updated during the past year

69% of dependency management decisions are suboptimal.
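The MTTU and MTTR definitions from section 2 above, carried through on a small constructed release history (an added example, not the report's code or data; component A, its dependencies B and C, and the disclosure dates are all made up):

```python
from datetime import date
from statistics import mean

# Constructed release history of a component A (not data from the report):
# version -> (release date, {dependency: version pinned by that release}).
A_RELEASES = {
    "1.2": (date(2021, 1, 10), {"B": "1.2", "C": "1.2"}),
    "1.3": (date(2021, 2, 14), {"B": "1.3", "C": "1.3"}),
    "1.4": (date(2021, 5, 1), {"B": "1.4", "C": "1.3"}),
    "1.5": (date(2021, 6, 9), {"B": "1.4", "C": "1.4"}),
}
# Release dates of the dependency versions A adopts over time.
DEP_RELEASES = {
    "B": {"1.2": date(2020, 12, 1), "1.3": date(2021, 1, 20), "1.4": date(2021, 4, 25)},
    "C": {"1.2": date(2020, 12, 5), "1.3": date(2021, 2, 1), "1.4": date(2021, 5, 20)},
}
# Constructed vulnerability disclosures: (dependency, affected versions, date D1).
DISCLOSURES = [
    ("B", {"1.2"}, date(2021, 1, 25)),
    ("C", {"1.2", "1.3"}, date(2021, 3, 10)),
    ("B", {"1.4"}, date(2021, 7, 1)),  # no fixed release of A exists yet
]

def times_to_upgrade(releases, dep_releases):
    """TTU per migration: days from a dependency version's release to the first
    release of A that moves its pin to that version (initial pins are not upgrades)."""
    ttus, previous = [], {}
    for rel_date, pins in sorted(releases.values(), key=lambda r: r[0]):
        for dep, ver in pins.items():
            if dep in previous and previous[dep] != ver:
                ttus.append((rel_date - dep_releases[dep][ver]).days)
        previous = dict(pins)
    return ttus

def current_pin(releases, dep, on_date):
    """Version of dep pinned by the latest release of A on or before on_date."""
    prior = [r for r in releases.values() if r[0] <= on_date]
    return max(prior, key=lambda r: r[0])[1].get(dep) if prior else None

def times_to_remediate(releases, disclosures):
    """TTR per disclosure: days from D1 to the first release of A (D2) that no longer
    pins an affected version. Returns (ttrs, number still unremediated)."""
    ttrs, still_open = [], 0
    for dep, affected, d1 in disclosures:
        if current_pin(releases, dep, d1) not in affected:
            continue  # A was not exposed when the vulnerability was disclosed
        fixes = [d for d, pins in releases.values() if d >= d1 and pins.get(dep) not in affected]
        if fixes:
            ttrs.append((min(fixes) - d1).days)
        else:
            still_open += 1
    return ttrs, still_open

def mttu():
    return mean(times_to_upgrade(A_RELEASES, DEP_RELEASES))

def mttr():
    ttrs, _ = times_to_remediate(A_RELEASES, DISCLOSURES)
    return mean(ttrs)
```

Disclosures for which no fixed release of A exists are counted separately rather than silently dropped, since an open exposure is the case a reviewer most wants surfaced.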
5 Groups of Migration Decisions
* Optimal Decisions: optimal version chosen, 31%
* Imperfect Decisions: subjectively suboptimal version chosen, 64%
* Dangerous Decisions: non-subjective suboptimal version chosen, 3%
* Risky Decisions: pre-release version chosen, 1%
* Dead End Decisions: no good choice available, 1%

The average modern application contains 128 open source dependencies, and the average open source project releases 10 times per year. This reality, combined with the fact that a few hyperactive projects release more than 8,000 times per year, creates a situation in which developers must constantly decide when (and when not) to update third-party dependencies inside their applications. In light of these circumstances, Sonatype researchers set out to answer the question: are developers making efficient dependency management decisions? We studied 100,000 applications and analyzed more than 4,000,000 component migrations (upgrades) and found that 69% of such decisions were suboptimal.

Despite unstructured decision making, there is evidence of wisdom in the crowd. The chart below provides a visual summary of herd migration behavior over the past year associated with spring-core, a single component within the highly popular spring-framework. The y-axis shows the past 52 weeks of upgrade activity, with the top row representing herd migration decisions made one year ago, and the bottom row representing herd migration decisions made during the most recent week. The x-axis represents the 150 most recent versions, with older versions to the left and newer versions to the right.

[Chart: Herd Migration Behavior of org.springframework:spring-core, August 9, 2020–August 1, 2021]

Key observations:
1. The most recent release (5.3.x) of spring-core releases approximately every 4 weeks.
2. The project is actively maintaining these 2 releases. Darker shading indicates the majority of the community is using these releases.
3. The project is no longer actively supporting these releases. Teams should migrate away from these stale versions.
4. Laggards continue to update to older, unsupported, and even vulnerable versions.
5. Older versions are vulnerable, and older non-vulnerable versions (4.3.15+) will inevitably be subject to new vulnerability disclosures.
6. The community generally avoids .0 releases and pre-releases.

8 Rules for Upgrading to the Optimal Version

Avoid Objectively Bad Choices
* Don’t choose an alpha, beta, milestone, release candidate, etc. version.
* Don’t upgrade to a vulnerable version.
* Upgrade to a lower risk severity if your current version is vulnerable.
* When a component is published twice in close succession, choose the later version.

Avoid Subjectively Bad Choices
* Choose a migration path (from version to version) others have chosen.
* Choose a version that minimizes breaking code changes.
* Choose a version that the majority of the population is using.
* If all else is tied, choose the newest version.

Passing these rules results in optimal upgrades.

Save time and money. Intelligent automation that standardizes engineering teams on exemplary open source projects could remove 1.6M hours and $240M of real world waste spread across our sample of 100,000 production applications. Extrapolated out to the entire software industry, the associated savings would be billions.

[Chart: The Benefit of Intelligent Automation to Dev Teams]

Strategies for optimal dependency management: near the edge is best. The bleeding edge is dangerous. The near edge is optimal. When analyzing herd migration behavior around dependency management practices, we observed three distinct patterns of team behavior: teams living in disarray, teams living on the edge, and teams living close to the edge.

Strategies for Dependency Management

Teams living in disarray
Developers working on these teams lack automated guidance.
They update dependencies infrequently. When they do update dependencies, they rely on gut instinct and commonly make suboptimal decisions. This approach to dependency management is highly reactive, not scalable, and leads to stale software and increased security risk.

Teams living close to the edge
Developers working on these teams have the benefit of intelligent and contextual automation. Dependencies are automatically recommended for updating, but only when optimal. This type of intelligent automation keeps software fresh without inadvertently introducing wasted effort or increased security risks. This approach is proactive, scalable, and optimal in terms of cost efficiency and quality outcomes.

Teams living on the edge
Developers working on these teams have the benefit of simplistic, but non-contextual, automation. Dependencies are automatically updated to the latest version, whether optimal or not. Such automation helps to keep software fresh, but it can inadvertently lead to increased security risks and higher costs associated with unnecessary updates and broken builds. This approach is proactive and scalable, but not optimal in terms of costs or outcomes.

Practical Recommendations
* Software engineering teams should strive to standardize dependency management decisions.
* Engineering leaders should maximize the information available to developers to save time and money.
* Engineering leaders should embrace tools to automate intelligent dependency management decisions.

4 SOFTWARE SUPPLY CHAIN MATURITY SURVEY

For this year’s report, we surveyed 702 engineering professionals about software supply chain management practices, including approaches and philosophies to utilizing open source components, organizational design, governance, approval processes, and tooling.
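The "8 Rules for Upgrading to the Optimal Version" and the five decision groups from section 3 above, turned into a version chooser and a decision classifier (an added example, not Sonatype's code; the component, its CVSS scores, usage shares and migration counts are constructed, and both the three-day "close succession" window and the lexicographic ordering of the subjective rules are assumptions):

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

PRERELEASE = re.compile(r"alpha|beta|milestone|m\d+|rc\d*|snapshot", re.I)
CLOSE_SUCCESSION = timedelta(days=3)  # assumed window for "published twice in close succession"

@dataclass(frozen=True)
class Release:
    version: str
    released: date
    cvss: "float | None"  # highest CVSS score of known vulnerabilities, None if clean
    usage: float          # share of the observed population on this version
    breaking: int         # breaking API changes relative to the current version
    migrations: int       # observed migrations from the current version to this one

def numeric(v):  # sort key from the numeric parts only: "5.4.0-M1" -> (5, 4, 0)
    return tuple(int(p) for p in re.split(r"[-.]", v) if p.isdigit())

def is_prerelease(v): return bool(PRERELEASE.search(v))

def objectively_ok(current, candidates):
    """Rules 1-4: no pre-releases; no vulnerable versions (if the current version is vulnerable
    and nothing clean exists, only strictly lower severities); never the earlier of a close pair."""
    dates = [r.released for r in candidates]
    pool = [r for r in candidates if not is_prerelease(r.version)
            and not any(timedelta(0) < d - r.released <= CLOSE_SUCCESSION for d in dates)]
    clean = [r for r in pool if r.cvss is None]
    if clean or current.cvss is None:
        return clean
    return [r for r in pool if r.cvss is not None and r.cvss < current.cvss]

def optimal_upgrade(current, candidates):
    """Rules 5-8 applied lexicographically (an assumed reading of the list): a path others
    have taken, fewest breaking changes, widest usage, then the newest version."""
    pool = objectively_ok(current, candidates)
    if not pool:
        return None  # dead end: no good choice available
    return max(pool, key=lambda r: (r.migrations > 0, -r.breaking, r.usage, numeric(r.version)))

def classify(current, chosen, candidates):
    """Map an actual upgrade choice onto the report's five decision groups."""
    best = optimal_upgrade(current, candidates)
    if best is None:
        return "Dead End"
    if is_prerelease(chosen.version):
        return "Risky"
    if chosen not in objectively_ok(current, candidates):
        return "Dangerous"
    return "Optimal" if chosen == best else "Imperfect"

# Constructed data for a fictional component (not figures from the report).
CURRENT = Release("5.2.9", date(2020, 10, 1), 7.5, 0.15, 0, 0)
CANDIDATES = [
    Release("5.2.10", date(2021, 1, 5), 7.5, 0.10, 0, 40),    # still vulnerable
    Release("5.2.11", date(2021, 3, 1), None, 0.25, 0, 120),
    Release("5.3.0", date(2021, 2, 1), None, 0.05, 3, 10),     # superseded a day later
    Release("5.3.1", date(2021, 2, 2), None, 0.30, 3, 60),
    Release("5.3.2", date(2021, 3, 15), None, 0.35, 3, 90),
    Release("5.4.0-M1", date(2021, 3, 20), None, 0.01, 5, 2),  # milestone pre-release
]
```

With these inputs the chooser picks 5.2.11 (clean, zero breaking changes) over the more widely used 5.3.2, and a team that took 5.3.0 is graded "Dangerous" because 5.3.1 followed it a day later.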
Disconnect Between Perception and Reality on Software Supply Chain Maturity

Subjectively, survey respondents report they are doing a good job remediating defective components and indicate that they understand where supply chain risk resides. Objectively, research shows development teams lack structured guidance and frequently make suboptimal decisions with respect to software supply chain management. We plotted all survey responses against the five different stages of software supply chain maturity and found that the majority of respondents were graded below the “Control” level, which is deemed the point at which an organization transitions from “figuring it out” to a minimal level of maturity that will enable high quality outcomes.

[Chart: Software Supply Chain Maturity Score by Theme, 5th, 50th, and 95th Percentile]

Key observations:
1. The majority of respondents demonstrate an “Ad Hoc” approach to software supply chain management.
2. The only two themes where respondents demonstrated a high level of maturity were Inventory and Remediation.
3. Comparing survey responses to the objective analysis, we see a disconnect between what is actually happening and what people think is happening: 70% of remediations are actually suboptimal.

Practical Recommendation

The survey suggests that respondents have talked themselves into believing they’re doing a good job in areas where we see objectively that they are not. This is a reminder to be mindful of what you think your organization is doing versus what's actually happening, and to continuously measure your workflow and systems against desired outcomes.

5 EMERGENCE OF SOFTWARE SUPPLY CHAIN REGULATION AND STANDARDS

Following several attacks in 2020 aimed at critical infrastructure, governments around the world began to pursue regulations and standards aimed at improving software supply chain security and hygiene.
The United States
In May 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which has been heralded as a milestone for the U.S. government at a time when cyber espionage and nation-state attacks on critical infrastructure are reaching crisis proportions.

The United Kingdom
The U.K. government announced that it was seeking advice on defending against digital supply chain attacks from organizations that either consume IT services or are MSPs that provide software and services.

Germany
Germany passed the Information Technology Security Act 2.0 as an update to the First Act to “increase cyber and information security against the backdrop of increasingly frequent and complex cyber-attacks and the continued digitalisation of everyday life.”

European Union
The European Union Agency for Cybersecurity (ENISA) released a July 2021 report titled “Understanding the increase in Supply Chain Security Attacks.” The report reviewed 24 different software supply chain attacks and shared recommendations that organizations should put in place to protect themselves against attacks.

Practical Recommendation

As governments finally recognize the risks associated with unmanaged software supply chains, they are aggressively pursuing mandates that align the software industry with other manufacturing sectors. Pay attention to what's happening legislatively in your market, get involved in the public conversations, and be prepared to make changes to your development practices accordingly.

Dig Deeper and Download the Full Report

Engineers are making a wide variety of digital decisions at every phase of the DevSecOps value stream that they didn't have to think about just a year ago. Understanding how to optimize those decisions and how they affect the greater software supply chain is paramount to a company's success. Dig into the full report for more insights, analysis and guidance around developing optimal software supply chains.