{"id":52580,"date":"2023-10-05T14:41:27","date_gmt":"2023-10-05T18:41:27","guid":{"rendered":"https:\/\/sdtimes.com\/?p=52580"},"modified":"2023-10-27T14:01:30","modified_gmt":"2023-10-27T18:01:30","slug":"sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report","status":"publish","type":"post","link":"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/","title":{"rendered":"Sonatype shines light on current state of supply chain security in latest report"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In 2023, there was an 18% decline in the number of open-source projects that are considered to be \u201cactively maintained.\u201d This is according to Sonatype\u2019s <\/span><a href=\"https:\/\/www.sonatype.com\/state-of-the-software-supply-chain\/Introduction\"><span style=\"font-weight: 400;\">Annual State of the Software Supply Chain Report<\/span><\/a><span style=\"font-weight: 400;\">.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The report claims that only 11% of open-source projects are actually actively maintained.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Despite these flaws, Sonatype still says that 96% of vulnerabilities are avoidable. There were 2.1 billion downloads of open-source software that had known vulnerabilities for which there was a newer version with the issue fixed.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cA lot of maintainers are very diligent \u2013 Big Tech companies go out of their way to hire talented people to maintain libraries they rely on,\u201d said Brian Fox, CTO at Sonatype. \u201cOur industry needs to direct its efforts towards the right place. 
The fact that there\u2019s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers, and giving them access to the right tools. The goal is to help developers be more intentional about downloading open source software from projects with the most maintainers and the healthiest ecosystem of contributors. This will not only create safer software, but also recoup nearly two weeks of wasted developer time each year.&#8221;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The number of supply chain attacks continues to increase year-over-year. In 2023, there were twice as many attacks as the combined number from 2019-2022. This equates to 245,032 malicious packages, with one in eight open source downloads containing a known vulnerability.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Sonatype also said they found a disconnect between how secure companies think they are versus the reality. 
67% say they are confident they don\u2019t have code from vulnerable libraries in their systems, but 10% have suffered a security breach due to vulnerable components this year.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">And finally, the company found that 39% of companies find a vulnerability within one to seven days, 29% take over a week, and 28% take less than one day.\u00a0\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In 2023, there was an 18% decline in the number of open-source projects that are considered to be \u201cactively maintained.\u201d This is according to Sonatype\u2019s Annual State of the Software Supply Chain Report.\u00a0 The report claims that only 11% of open-source projects are actually actively maintained.\u00a0 Despite these flaws, Sonatype still says that 96% of  &hellip; <a class=\"read-more\" href=\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\">continue reading<\/a><\/p>\n","protected":false},"author":752,"featured_media":52581,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"om_disable_all_campaigns":false,"cybocfi_hide_featured_image":"","footnotes":"","_links_to":"","_links_to_target":""},"categories":[1],"tags":[45,406,16101],"coauthors":[11687],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Sonatype shines light on current state of supply chain security in latest report - SD Times<\/title>\n<meta name=\"description\" content=\"In 2023, there was an 18% decline in the number of open-source 
projects that are considered to be \u201cactively maintained.\u201d\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sonatype shines light on current state of supply chain security in latest report - SD Times\" \/>\n<meta property=\"og:description\" content=\"In 2023, there was an 18% decline in the number of open-source projects that are considered to be \u201cactively maintained.\u201d\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\" \/>\n<meta property=\"og:site_name\" content=\"SD Times\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/SDTimesD2\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-05T18:41:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-27T18:01:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/10\/pexels-travis-saylor-951408.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"1280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jenna Barron\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:site\" content=\"@sdtimes\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jenna Barron\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\"},\"author\":{\"name\":\"Jenna Barron\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786\"},\"headline\":\"Sonatype shines light on current state of supply chain security in latest report\",\"datePublished\":\"2023-10-05T18:41:27+00:00\",\"dateModified\":\"2023-10-27T18:01:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\"},\"wordCount\":325,\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/10\/pexels-travis-saylor-951408.jpg\",\"keywords\":[\"security\",\"Sonatype\",\"Supply Chain Security\"],\"articleSection\":[\"Latest News\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\",\"url\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\",\"name\":\"Sonatype shines light on current state of supply chain security in latest report - SD 
Times\",\"isPartOf\":{\"@id\":\"https:\/\/sdtimes.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/10\/pexels-travis-saylor-951408.jpg\",\"datePublished\":\"2023-10-05T18:41:27+00:00\",\"dateModified\":\"2023-10-27T18:01:30+00:00\",\"description\":\"In 2023, there was an 18% decline in the number of open-source projects that are considered to be \u201cactively maintained.\u201d\",\"breadcrumb\":{\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#primaryimage\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/10\/pexels-travis-saylor-951408.jpg\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2023\/10\/pexels-travis-saylor-951408.jpg\",\"width\":1920,\"height\":1280},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sdtimes.com\/security\/sonatype-shines-light-on-current-state-of-supply-chain-security-in-latest-report\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sdtimes.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Sonatype shines light on current state of supply chain security in latest 
report\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sdtimes.com\/#website\",\"url\":\"https:\/\/sdtimes.com\/\",\"name\":\"SD Times\",\"description\":\"Software Development News\",\"publisher\":{\"@id\":\"https:\/\/sdtimes.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sdtimes.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/sdtimes.com\/#organization\",\"name\":\"SD Times\",\"url\":\"https:\/\/sdtimes.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"contentUrl\":\"https:\/\/sdtimes.com\/wp-content\/uploads\/2014\/05\/deafaultlogo.png\",\"width\":225,\"height\":90,\"caption\":\"SD Times\"},\"image\":{\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/SDTimesD2\",\"https:\/\/x.com\/sdtimes\",\"https:\/\/www.linkedin.com\/company\/sdtimes\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/f2524e55ae19da07ea3613577da9f786\",\"name\":\"Jenna Barron\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/sdtimes.com\/#\/schema\/person\/image\/b4be3423b187642936e62f121111345e\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/b128943929626cdcafccbac86bd306f9?s=96&d=mm&r=g\",\"caption\":\"Jenna Barron\"},\"description\":\"Jenna Barron is News Editor of SD Times.\",\"url\":\"https:\/\/sdtimes.com\/author\/jennifer-sargent\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52580"}],"collection":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/users\/752"}],"replies":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/comments?post=52580"}],"version-history":[{"count":1,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52580\/revisions"}],"predecessor-version":[{"id":52582,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/posts\/52580\/revisions\/52582"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media\/52581"}],"wp:attachment":[{"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/media?parent=52580"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/categories?post=52580"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/tags?post=52580"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/sdtimes.com\/wp-json\/wp\/v2\/coauthors?post=52580"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}