GitHub: open source security vulnerabilities take years to detect


Research also shows that once detected, bugs are fixed quickly.

GitHub this week released its 2020 State of the Octoverse report. In it, they highlighted the increased importance of open source tools and their growing role in software development.

The organisation spent 2020 following over 56 million developers on the platform. During this time, users created over 60 million new repositories and added over 1.9 billion contributions.

Open source becoming more commonplace across platforms

“You would be hard-pressed to find a scenario where your data does not pass through at least one open source component,” GitHub says. “Many of the services and technology we all rely on, from banking to healthcare, also rely on open source software. The artifacts of open source code serve as critical infrastructure for much of the global economy, making the security of open source software mission-critical to the world.”

GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average. In addition, they found that open source dependencies arise most commonly in JavaScript (94%) as well as Ruby and .NET (90%).

Vulnerabilities go undetected for years

GitHub found that, on average, vulnerabilities in open source projects often go undetected for over four years. Once detected, however, a fix is usually available in just over a month. GitHub observes that these two data points indicate “clear opportunities to improve vulnerability detection.”

The majority of bugs in open source software are not malicious, however. In fact, GitHub found that mistakes and human error, rather than malicious intent, caused 83% of the CVE alerts they issued. That said, malefactors could still exploit these accidental flaws for attack purposes.

GitHub considers 17% of open source vulnerabilities to be malicious, yet these triggered only 0.2% of alerts. This is because those bugs reside in abandoned or rarely used packages.

GitHub concludes that open source project stakeholders should check for vulnerabilities on a regular basis. They should also implement automated alerts where possible, so that security issues are resolved more quickly.