Submitted URL: https://www.sonatype.com/e3t/Btc/Q*113/cdrCy04/VWG89Q1QX9-HW7wYnpf43q22yW76My974y6TjhN5g75kc3q3pBV1-WJV7CgQnnW4QpxKL30MR3...
Effective URL: https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021?utm_campaign=Q4%202021-State%20of%20the%20Soft...
Submission: On October 01 via api from US — Scanned from DE



2021 STATE OF THE SOFTWARE SUPPLY CHAIN

Now in its seventh year, Sonatype’s 2021 State of the Software Supply Chain
Report blends a broad set of public and proprietary data to reveal important
findings about open source and its increasingly important role in digital
innovation.


Sections
 * Open Source Supply, Demand, and Security
 * Exemplary Open Source Projects
 * Dependency Management
 * Software Supply Chain Maturity Survey
 * New Regulation and Standards


1. OPEN SOURCE SUPPLY, DEMAND, AND SECURITY

Open source supply is growing exponentially.

Currently, the top four open source ecosystems contain a combined 37,451,682
components and packages. These same communities released a combined 6,302,733
new versions of components / packages over the past year and have introduced
723,570 brand new projects in support of 27 million developers worldwide.

Available Supply of Open Source (chart: versions and projects per ecosystem, each split into new in 2021 and available prior to 2021)

Ecosystem  | Projects    | Versions
Java       | 430,995     | 7.3 million
JavaScript | 1.8 million | 21 million
Python     | 336,402     | 3 million
.NET       | 338,423     | 5.6 million

Open source demand continues to explode.

Increase in Downloads, Year Over Year 2020 - 2021 (chart)
 * Java: 71% increase, 267 to 457 billion
 * JavaScript: 50% increase, 1 to 1.5 trillion
 * Python: 92% increase, 66 to 127 billion
 * .NET: 78% increase, 44 to 78 billion

In 2021, developers around the world will request more than 2.2 trillion open
source packages, representing a 73% YoY growth in developer downloads of open
source components. Despite the growing volume of downloads, the percentage of
available components utilized in production applications is shockingly low.

Vulnerabilities are more common in popular projects.

The top 10% of most popular OSS project versions are 29% likely on average to
contain known vulnerabilities. Conversely, the remaining 90% of project versions
are only 6.5% likely to contain known vulnerabilities. In combination, these
statistics indicate that the vast majority of security research (whitehat and
blackhat) is focused on finding and fixing (or exploiting) vulnerabilities in
projects that are more commonly utilized.

Vulnerability Release Density vs. Popularity (chart: percent of releases vulnerable by popularity group, from the top 10% to the bottom 10%; panels for Java (Maven), JavaScript (npm), Python (PyPI) and .NET (NuGet))

2021 Software Supply Chain Statistics

Ecosystem       | Total Projects | Total Project Versions | Download Requests | Year Over Year Download Growth | Ecosystem Project Utilization | Vuln Density for Utilized Versions, 10% Most Popular | Vuln Density for Utilized Versions, 90% Least Popular
Java            | 431K           | 7.3M                   | 457B              | 71%                            | 15%                           | 23%                                                   | 4%
JavaScript      | 1.9M           | 21M                    | 1.5T              | 50%                            | 2%                            | 39%                                                   | 8%
Python          | 336K           | 3M                     | 127B              | 92%                            | 4%                            | 38%                                                   | 8%
.NET            | 338K           | 5.6M                   | 78B               | 78%                            | 2%                            | 15%                                                   | 6%
Totals/Averages | 3M             | 37M                    | 2.2T              | 73%                            | 6%                            | 29%                                                   | 6.5%
High-Profile Software Supply Chain Attacks, Dec 2020 - July 2021
DECEMBER 2020
SolarWinds

Threat actors gained access to SolarWinds dev infrastructure, and injected
malicious code into Orion update binaries. 18,000 customers automatically pulled
trojanized updates, planting backdoors into their systems and allowing bad
actors to exploit private networks at will.

FEBRUARY 2021
Namespace Confusion

Three days after news broke of an ethical researcher hacking over 35 big tech
firms in a novel supply-chain attack, more than 300 malicious copycat attacks
were recorded. Within one month, more than 10,000 namespace confusion copycats
had infiltrated npm and other ecosystems.

APRIL 2021
Codecov

An attacker gained access to a credential through a mistake in how Codecov was
building Docker images. That credential let them modify Codecov's Bash uploader
script, which customers used either directly or via Codecov's other uploaders
such as its GitHub Action. The attacker used the modified script to steal
credentials from the CI environments of customers running it.

MAY 2021
Microsoft's WinGet

The weekend after launching, WinGet's software registry was flooded with pull
requests for apps that were either duplicates or malformed. Some newly added
duplicate packages were corrupted and ended up overwriting the existing
packages, raising serious concerns about the integrity of the WinGet ecosystem.

JULY 2021
Kaseya

A ransomware group discovered and exploited a zero-day vulnerability in a remote
monitoring and management software platform used by dozens of managed security
providers (MSP). Because these MSPs service thousands of downstream customers,
the hackers were able to conduct a ransomware attack against 1,500 victims.

Software Supply Chain Attacks Increase 650%

Members of the world’s open source community are facing a novel and rapidly
expanding threat that has nothing to do with passive adversaries exploiting
known vulnerabilities in the wild — and everything to do with aggressive
attackers intentionally tampering with open source projects to infiltrate the
commercial software supply chain.

From February 2015 to June 2019, 216 software supply chain attacks were
recorded. Then, from July 2019 to May 2020, the number of attacks increased to
929 attacks. However, in the past year, such attacks numbered more than 12,000
and represented a 650% year over year increase.



NEXT GENERATION SOFTWARE SUPPLY CHAIN ATTACKS (2015–2020)

Dependency Confusion, Typosquatting, and Malicious Code Injection (chart: attacks recorded per year, 2015 to 2021; 650% year over year increase)
High-Profile Software Supply Chain Attacks
Dec 2020-July 2021
DECEMBER 2020
SolarWinds

Threat actors gained access to SolarWinds dev infrastructure, and injected
malicious code into Orion update binaries. 18,000 customers automatically pulled
trojanized updates, planting backdoors into their systems and allowing bad
actors to exploit private networks at will.

FEBRUARY 2021
Namespace Confusion

Three days after news broke of an ethical researcher hacking over 35 big tech
firms in a novel supply-chain attack, more than 300 malicious copycat attacks
were recorded. Within one month, more than 10,000 namespace confusion copycats
had infiltrated npm and other ecosystems.

Practical Recommendation

To accelerate the pace of digital innovation without sacrificing quality or
security, engineering and risk management leaders should understand supply,
demand, and risk dynamics associated with third-party open source ecosystems.
Furthermore, they should carefully define and automatically enforce open source
policies across every phase of the software supply chain.


2


UNDERSTANDING EXEMPLARY OPEN SOURCE PROJECTS

Some open source projects are definitely better than others. But how do you
know? This year we examined three different methods for identifying exemplary
open source projects: Sonatype Mean Time to Update (MTTU), OpenSSF Criticality,
and Libraries.io Sourcerank. We found that MTTU combined with OpenSSF
Criticality is strongly associated with exemplary project outcomes in the areas
of security and developer productivity.

Metrics to Use to Assess Relative Quality of an OSS Project
 * Sonatype MTTU
 * OpenSSF Criticality
 * Libraries.io Sourcerank

Sonatype MTTU provides a measure of project quality that is based on how quickly
the project moves to update dependencies. Lower (faster) is better. Components
that consistently react quickly to dependency upgrades will have lower MTTU.
Components that react slowly or have high variance in their update times will
have higher MTTU.

OpenSSF Criticality measures a project’s community, usage, and activity. This is
distilled into a score that is intended to measure how critical the project is
in the open source ecosystem.

Libraries.io Sourcerank aims to measure the quality of software, mostly focusing
on project documentation, maturity, and community. It is computed by evaluating
a number of yes/no responses such as “Is the project more than six months old?”
and a set of numerical questions, such as “How many ‘stars’ does the project
have?” These are distilled into a single score, with yes/no questions adding or
subtracting a fixed number of “points” and numerical questions being converted
into points using a formula, e.g. “log(num_stars)/2.” The current maximum number
of points is approximately 30.

Lower MTTU is better.

Components that consistently react quickly to dependency upgrades will have low
MTTU. Components that either consistently react slowly or have high variance in
their reaction time will have higher MTTU.

Suppose we have a component A with dependencies B and C, both at version 1.2.
Suppose B and C each release a new version (1.3) and some time later A releases
a new version that bumps the version of B and C to 1.3. The time between the
release of B version 1.3 and the release of A version 1.3 is the Time To Upgrade
(TTU) for A’s migration to B version 1.3 (and similarly for A’s adoption of C
version 1.3). The average of all these upgrade times is then the MTTU.


Aggregate MTTUs are improving over time.

In addition to the number of projects growing over the years, there has been a
clear trend toward faster MTTUs. The average MTTU across projects in 2011 was
371 days. In 2014 it was 302 days and by 2018 it was 158 days. In 2021, as of
August 1, average MTTU was 28 days, less than half of the 73 days the average
project took in 2020.



[Chart: density of MTTU in days (log scale, 10^-2 to 10^4) for each year from
2011 through 2021, with 2021 projected.]
MTTU is highly correlated to MTTR.


Suppose a project A includes a dependency B, and B has a vulnerability disclosed
at date D1. Then A updates the version of B it’s using on date D2. Time to
Remediate (TTR) is then the time between D1 and D2 measured in days, and MTTR is
the average TTR for a project across all disclosed security vulnerabilities.
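The TTU/MTTU definition above (component A adopting new releases of B and C) and the TTR/MTTR definition (disclosure date D1 to remediating release D2), worked through on constructed data. This is an added example, not code from the report; the project names, release dates and disclosures are all constructed.

```python
"""MTTU and MTTR on a constructed release history.

Added example, not code from the report. Project names, release dates and
the vulnerability disclosures below are all constructed.
"""
from datetime import date
from statistics import mean

# Release dates of the dependencies B and C: version -> date published.
RELEASES = {
    "B": {"1.2": date(2021, 1, 10), "1.3": date(2021, 2, 1), "1.4": date(2021, 4, 1)},
    "C": {"1.2": date(2021, 1, 10), "1.3": date(2021, 2, 15)},
}
# Release history of project A: (version, date published, dependency pins).
A_HISTORY = [
    ("1.2", date(2021, 1, 20), {"B": "1.2", "C": "1.2"}),
    ("1.3", date(2021, 3, 1), {"B": "1.3", "C": "1.3"}),
    ("1.4", date(2021, 4, 20), {"B": "1.4", "C": "1.3"}),
]
# Constructed disclosures: (dependency, affected versions, disclosure date D1).
VULNS = [
    ("B", {"1.2"}, date(2021, 2, 5)),
    ("C", {"1.2"}, date(2021, 2, 20)),
]

def time_to_upgrade(history, releases):
    """TTU samples in days: one per dependency bump, measured from the
    dependency's release date to the project release that adopted it."""
    samples, previous = [], {}
    for _version, released_on, pins in history:
        for dep, ver in pins.items():
            if dep in previous and previous[dep] != ver:
                samples.append((released_on - releases[dep][ver]).days)
        previous = pins
    return samples

def time_to_remediate(history, vulns):
    """TTR samples in days: disclosure D1 to the first project release on or
    after D1 that no longer pins an affected version (D2)."""
    samples = []
    for dep, affected, disclosed in vulns:
        for _version, released_on, pins in history:
            if released_on >= disclosed and pins.get(dep) not in affected:
                samples.append((released_on - disclosed).days)
                break
    return samples

def mttu(history, releases):
    """Mean of all TTU samples, or None when the project never bumped anything."""
    samples = time_to_upgrade(history, releases)
    return mean(samples) if samples else None

def mttr(history, vulns):
    """Mean of all TTR samples, or None when nothing was ever remediated."""
    samples = time_to_remediate(history, vulns)
    return mean(samples) if samples else None
```

With the constructed history, A adopts B 1.3 after 28 days, C 1.3 after 14 days and B 1.4 after 19 days, and remediates the two disclosures in 24 and 9 days.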


While MTTU does not directly measure the speed at which projects fix publicly
disclosed vulnerabilities, it does correlate to a project’s mean time to
remediate (MTTR), which is the time required to update dependencies that have
published vulnerabilities. Thus, we consider MTTU to be the best metric
available to determine the impact a component will have on the security of
projects that incorporate it.

Practical Recommendations

Choosing high quality open source projects should be considered an important
strategic decision for enterprise software development organizations.

To avoid stale dependencies and minimize security risks associated with third
party open source, software engineering teams should actively embrace projects
that consistently demonstrate low mean time to update (MTTU) values and high
OpenSSF Criticality scores.


3


HOW YOUR PEERS ARE MANAGING OPEN SOURCE DEPENDENCIES

For this year’s report, we examined 4 million real-world dependency management
decisions spread across 100,000 applications. Our learnings highlighted below
are enlightening.

Despite the growing volume of downloads, the percentage of available components
observed in production applications is shockingly low.

On average, production enterprise Java applications utilize 10% of available
open source components, and commercial engineering teams actively update only
25% of those components that are utilized.

Active Projects in the Maven Central Repository
 * 430,000 projects in Maven Central
 * 40,000 projects present in 100,000 applications
 * 10,000 projects across 100,000 applications were actively being updated
   during the past year
69% of dependency management decisions are suboptimal.

5 Groups of Migration Decisions
 * Optimal Decisions: optimal version chosen (31%)
 * Imperfect Decisions: subjectively suboptimal version chosen (64%)
 * Dangerous Decisions: non-subjective suboptimal version chosen (3%)
 * Risky Decisions: pre-release version chosen (1%)
 * Dead End Decisions: no good choice available (1%)

The average modern application contains 128 open source dependencies, and the
average open source project releases 10 times per year. This reality combined
with the fact that a few hyperactive projects release more than 8,000 times per
year, creates a situation in which developers must constantly decide when (and
when not to) update third-party dependencies inside of their applications. In
light of these circumstances, Sonatype researchers set out to answer the
question: are developers making efficient dependency management decisions? We
studied 100,000 applications and analyzed more than 4,000,000 component
migrations (upgrades) and found that 69% of such decisions were suboptimal.

Despite unstructured decision making, there is evidence of wisdom in the crowd.

The chart below provides a visual summary of herd migration behavior over the
past year associated with spring-core, a single component within the highly
popular spring-framework. The y-axis shows the past 52 weeks of upgrade
activity, with the top row representing herd migration decisions made one year
ago, and the bottom row representing herd migration decisions made during the
most recent week. The x-axis represents the 150 most recent versions with older
versions to the left, and newer versions to the right.

Herd Migration Behavior of org.springframework:spring-core, August 9,
2020–August 1, 2021

 1. The most recent release (5.3.x) of spring-core releases approximately every
    4 weeks.
 2. The project is actively maintaining these 2 releases. Darker shading
    indicates the majority of the community is using these releases.
 3. The project is no longer actively supporting these releases. Teams should
    migrate away from these stale versions.
 4. Laggards continue to update to older, unsupported, and even vulnerable
    versions.
 5. Older versions are vulnerable, and older non-vulnerable versions (4.3.15+)
    will inevitably be subject to new vulnerability disclosures.
 6. The community generally avoids .0 releases and pre-releases.

8 Rules for Upgrading to the Optimal Version
Avoid Objectively Bad Choices

Don’t choose an alpha, beta, milestone, release candidate, etc. version.

Don’t upgrade to a vulnerable version.

Upgrade to a lower risk severity if your current version is vulnerable.

When a component is published twice in close succession, choose the later
version.

Avoid Subjectively Bad Choices

Choose a migration path (from version to version) others have chosen.

Choose a version that minimizes breaking code changes.

Choose a version that the majority of the population is using.

If all else is tied, choose the newest version.

Passing these rules results in optimal upgrades.
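The eight rules above applied as one selection function, as an added example that is not Sonatype's implementation: rules 1 to 4 filter out the objectively bad candidates, rules 5 to 8 rank what is left. Every candidate version, date, severity, migration count, breaking-change count and population figure is constructed, and the "close succession" window is an assumption since the report does not define it.

```python
"""Version selection with the report's eight upgrade rules.

Added example, not Sonatype's implementation. All candidate data below is
constructed, and the 'close succession' window is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

PRERELEASE = re.compile(r"alpha|beta|milestone|rc|snapshot|-m\d", re.I)
CLOSE_SUCCESSION = timedelta(days=1)  # assumed re-release window

@dataclass(frozen=True)
class Candidate:
    version: str
    published: date
    max_severity: float           # 0.0 = no known vulnerability
    migrations_from_current: int  # others who moved here from our version
    breaking_changes: int
    population: int               # teams currently on this version

def version_key(v):
    """Numeric tuple for 'newest' comparisons: '5.3.10' sorts above '5.3.9'."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))

def is_prerelease(v):
    return PRERELEASE.search(v) is not None

def choose_upgrade(current_severity, candidates):
    """Return the optimal Candidate, or None when the choice is a dead end."""
    # Rule 1: never an alpha/beta/milestone/RC.
    stable = [c for c in candidates if not is_prerelease(c.version)]
    # Rule 2 first (no vulnerable target); rule 3 only as a fallback when we
    # are already vulnerable and a lower-severity version is all there is.
    clean = [c for c in stable if c.max_severity == 0.0]
    safer = [c for c in stable if c.max_severity < current_severity]
    ok = clean or safer
    # Rule 4: of two releases published in close succession, keep the later.
    by_date = sorted(ok, key=lambda c: c.published)
    superseded = {a.version for a, b in zip(by_date, by_date[1:])
                  if b.published - a.published <= CLOSE_SUCCESSION}
    ok = [c for c in ok if c.version not in superseded]
    if not ok:
        return None
    # Rules 5-8 as one prioritised tie-break: the path others took, fewest
    # breaking changes, largest population, then the newest version.
    return max(ok, key=lambda c: (c.migrations_from_current,
                                  -c.breaking_changes,
                                  c.population,
                                  version_key(c.version)))

# Constructed herd data for an upgrade away from a version rated severity 7.5.
CANDIDATES = [
    Candidate("5.3.0", date(2021, 1, 5), 0.0, 40, 3, 500),
    Candidate("5.3.1-RC1", date(2021, 1, 20), 0.0, 5, 3, 20),    # rule 1
    Candidate("5.3.1", date(2021, 2, 2), 5.3, 90, 1, 1200),      # rule 2
    Candidate("5.3.2", date(2021, 3, 2), 0.0, 120, 1, 2000),
    Candidate("5.3.3", date(2021, 4, 6), 0.0, 150, 1, 900),      # rule 4
    Candidate("5.3.4", date(2021, 4, 7), 0.0, 30, 1, 1500),
]
```

On the constructed data 5.3.3 has the most followers but was re-published a day later as 5.3.4, so rule 4 drops it and 5.3.2 wins; with only the RC and the vulnerable 5.3.1 on offer, rule 3 still allows 5.3.1 from a 7.5-rated version but nothing from a clean one.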
Save time and money.

Intelligent automation that standardizes engineering teams on exemplary open
source projects could remove 1.6M hours and $240M of real world waste spread
across our sample of 100,000 production applications. Extrapolated out to the
entire software industry, the associated savings would be billions.

The Benefit of Intelligent Automation to Dev Teams

Strategies for optimal dependency management: near the edge is best.

The bleeding edge is dangerous. The near edge is optimal. When analyzing herd
migration behavior around dependency management practices, we observed three
distinct patterns of team behavior: Teams living in disarray, teams living on
the edge, and teams living close to the edge.

Strategies for Dependency Management

Teams living in disarray

Developers working on these teams lack automated guidance. They update
dependencies infrequently. When they do update dependencies, they utilize gut
instincts and commonly make suboptimal decisions. This approach to dependency
management is highly reactive, not scalable, and leads to stale software and
increased security risk.

Teams living close to the edge

Developers working on these teams have the benefit of intelligent and contextual
automation. Dependencies are automatically recommended for updating, but only
when optimal. This type of intelligent automation keeps software fresh without
inadvertently introducing wasted effort or increased security risks. This
approach is proactive, scalable, and optimal in terms of cost efficiency and
quality outcomes.

Teams living on the edge

Developers working on these teams have the benefit of simplistic, but
non-contextual, automation. Dependencies are automatically updated to the latest
version, whether optimal or not. Such automation helps to keep software fresh,
but it can inadvertently lead to increased security risks and higher costs
associated with unnecessary updates and broken builds. This approach is
proactive and scalable, but not optimal in terms of costs or outcomes.

Practical Recommendations

Software engineering teams should strive to standardize dependency management
decisions.

Engineering leaders should maximize information available to developers to save
time and money.


Engineering leaders should embrace tools to automate intelligent dependency
management decisions.


4


SOFTWARE SUPPLY CHAIN MATURITY SURVEY

For this year’s report, we surveyed 702 engineering professionals about software
supply chain management practices, including approaches and philosophies to
utilizing open source components, organizational design, governance, approval
processes, and tooling.

Disconnect Between Perception vs Reality on Software Supply Chain Maturity

Subjectively, survey respondents report they are doing a good job remediating
defective components and indicate that they understand where supply chain risk
resides. Objectively, research shows development teams lack structured guidance
and frequently make suboptimal decisions with respect to software supply chain
management.

We plotted all survey responses against the five different stages of software
supply chain maturity and found that the majority of respondents were graded
less than the “Control” level - which is deemed the point at which an
organization transitions from “figuring it out” to a minimal level of maturity
that will enable high quality outcomes.


Software Supply Chain Maturity Score by Theme (5th, 50th, and 95th Percentile)

 1. The majority of respondents demonstrate an “Ad Hoc” approach to software
    supply chain management.
 2. The only two themes where the respondents demonstrated a high level of
    maturity were Inventory and Remediation.
 3. Comparing survey responses to the objective analysis done, we see a
    disconnect between what is actually happening and what people think is
    happening: 70% of remediations are actually suboptimal.
Practical Recommendation

The survey suggests that respondents have talked themselves into believing
they’re doing a good job in areas where we see objectively they are not. This is
a reminder to be mindful of what you think your organization is doing versus
what's actually happening, and to continuously measure your workflow and
systems against desired outcomes.


5


EMERGENCE OF SOFTWARE SUPPLY CHAIN REGULATION AND STANDARDS

Following several attacks in 2020 aimed at critical infrastructure, governments
around the world began to pursue regulations and standards aimed at improving
software supply chain security and hygiene.

The United States

In May 2021, President Biden signed the Executive Order on Improving the
Nation’s Cybersecurity, which has been heralded as a milestone for the U.S.
government at a time when cyber espionage and nation-state attacks on critical
infrastructure are reaching crisis proportions.

The United Kingdom

The U.K. government announced that it was seeking advice on defending against
digital supply chain attacks from organizations that either consume IT services,
or MSPs that provide software and services.


Germany

Germany passed the Information Technology Security Act 2.0 as an update to the
First Act to “increase cyber and information security against the backdrop of
increasingly frequent and complex cyber-attacks and the continued digitalisation
of everyday life.”

European Union

The European Union Agency for Cybersecurity (ENISA) released a July 2021 report
titled “Understanding the increase in Supply Chain Security Attacks.” The report
reviewed 24 different software supply chain attacks and shared recommendations
that organizations should put in place to protect themselves against attacks.

Practical Recommendation

As governments finally recognize the risks associated with unmanaged software
supply chains, they are aggressively pursuing mandates that align the software
industry with other manufacturing sectors. Pay attention to what's happening
legislatively in your market, get involved in the public conversations and be
prepared to make changes to your development practices accordingly.

Dig Deeper and Download the Full Report

Engineers are making a wide variety of digital decisions at every phase of the
DevSecOps value stream that they didn't have to think about just a year ago.
Understanding how to optimize those decisions and how they affect the greater
software supply chain is paramount to a company's success.

Dig into the full report for more insights, analysis and guidance around
developing optimal software supply chains.
