The Dependency Problem of Open Source Components Is Growing


According to a new report from software management firm Synopsys, the average software application depends on more than 500 open source libraries and components, up 77% from 298 dependencies in two years, highlighting the difficulty of tracking vulnerabilities in every software component.

In its “Open Source Security and Risk Analysis” (OSSRA) report, the company notes that it found 98% of applications use open source, and that open source libraries and components make up more than 75% of the code in the average software application. Most applications (84%) have at least one vulnerability, the typical application has 158 vulnerabilities, and 60% of applications have at least one high-severity issue.

Tim Mackey, principal security strategist at Synopsys, says the data underscores that modern software applications have a dependency problem.

“We need to find a way to bring (unpatched vulnerabilities) under control, because we are heading in the wrong direction,” he says. “This complexity breeds fragility, because complexity means development teams do not necessarily understand how the code behaves today, and whenever that happens there may be corner cases where they get bitten.”

Open source dependencies have become a growing problem, particularly for JavaScript application frameworks, which, because of the language's approach to software architecture, tend to rely on an order of magnitude more components. For example, in an analysis of more than 45,000 active repositories last year, GitHub found that while the average JavaScript application has 10 direct dependencies, those components depend on other libraries, causing the dependency tree to grow to 683 separate codebases. PHP applications typically have 70 dependencies, and Ruby has 68,

Synopsys found a similar number of dependencies.

English translation:

The average software application depends on more than 500 open source libraries and components, up 77% from 298 dependencies in two years, highlighting the difficulty of tracking the vulnerabilities in every software component, according to a new report from software management firm Synopsys.

In its “Open Source Security and Risk Analysis” (OSSRA) report, the company states it found that 98% of applications used open source and that open source libraries and components made up more than 75% of the code in the average software application. Most applications, 84%, had at least one vulnerability — the typical application had 158 vulnerabilities — and 60% of applications had at least one high-severity issue.

The data underscores that modern software applications have a dependency problem, says Tim Mackey, principal security strategist with Synopsys.

“We need to find a way to get [unpatched vulnerabilities] under control because we are headed in the wrong direction,” he says. “This sort of complexity breeds fragility because complexity means that the developer teams don’t necessarily have an understanding of the way that code is behaving today, and whenever that happens, then there might be corner cases where they might get bit.”

Open source dependencies have become an increasing problem, especially for JavaScript application frameworks, which — because of the language’s approach to software architecture — tend to rely on an order of magnitude more components. In an analysis of more than 45,000 active repositories last year, for example, GitHub found that while the average JavaScript application has 10 direct dependencies, those components rely on other libraries, which results in a tree of dependencies that grows to a massive 683 separate codebases. PHP applications typically have 70 dependencies and Ruby has 68, according to the GitHub report.

Synopsys found a similar number of dependencies. While the company did not break out the numbers by language or platform, the average application audited by the firm had 528 dependencies, according to Mackey.

“To fix an open source vulnerability, you first have to know the vulnerability is there,” the company states in the OSSRA report. “Pinpointing vulnerable open source depends on identifying and inventorying all open source you’re using.”
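The report's point that finding vulnerable open source depends on inventorying every component you use, and GitHub's observation that a handful of direct dependencies fans out into hundreds of transitive ones, can be made concrete with an added example (this is not code from the article, Synopsys or GitHub). The script below walks a constructed lockfile-style dependency graph from the application root, records each package's depth and the path that reaches it, and checks every node against a constructed advisory list. All package names, versions and advisory identifiers are invented placeholders, and the version comparison is a plain numeric one rather than full semver.

```javascript
// Added example, not from the article, Synopsys or GitHub. Package names,
// versions and advisory ids below are constructed placeholders.

// Constructed lockfile-style graph: "name@version" -> its declared dependencies.
const LOCK = {
  "app@1.0.0": ["web-framework@4.2.0", "http-client@2.1.0"],
  "web-framework@4.2.0": ["router@1.3.0", "template-engine@3.0.1"],
  "http-client@2.1.0": ["url-parse@1.4.0"],
  "router@1.3.0": ["path-match@0.9.0"],
  "template-engine@3.0.1": ["path-match@0.9.0", "escape-html@1.0.0"],
  "url-parse@1.4.0": [],
  "path-match@0.9.0": [],
  "escape-html@1.0.0": [],
};

// Constructed advisories: a package is affected when its version is below `fixedIn`.
const ADVISORIES = [
  { id: "EXAMPLE-ADV-0001", pkg: "url-parse", fixedIn: "1.4.3", severity: "high" },
  { id: "EXAMPLE-ADV-0002", pkg: "path-match", fixedIn: "1.0.0", severity: "medium" },
];

// Split "name@version" at the last "@" so scoped names like "@org/pkg@1.0.0" work.
function parseKey(key) {
  const at = key.lastIndexOf("@");
  return { name: key.slice(0, at), version: key.slice(at + 1) };
}

// Plain numeric dotted-version comparison returning -1, 0 or 1 (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Breadth-first walk from the root: every reachable package is recorded once,
// with its shortest depth (1 = direct dependency) and the path that reaches it.
function buildInventory(lock, root) {
  const inventory = new Map();
  const queue = [{ key: root, depth: 0, path: [root] }];
  while (queue.length > 0) {
    const { key, depth, path } = queue.shift();
    for (const dep of lock[key] || []) {
      if (inventory.has(dep)) continue; // already reached by a path at least as short
      const entry = { ...parseKey(dep), depth: depth + 1, path: [...path, dep] };
      inventory.set(dep, entry);
      queue.push({ key: dep, depth: entry.depth, path: entry.path });
    }
  }
  return inventory;
}

// Match every inventoried package against the advisories and summarise the tree.
function audit(lock, root, advisories) {
  const inventory = buildInventory(lock, root);
  const findings = [];
  for (const entry of inventory.values()) {
    for (const adv of advisories) {
      if (adv.pkg === entry.name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({
          id: adv.id,
          pkg: `${entry.name}@${entry.version}`,
          severity: adv.severity,
          direct: entry.depth === 1,
          via: entry.path.join(" > "),
        });
      }
    }
  }
  const direct = [...inventory.values()].filter((e) => e.depth === 1).length;
  return { total: inventory.size, direct, transitive: inventory.size - direct, findings };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = audit(LOCK, "app@1.0.0", ADVISORIES);
  console.log(`${result.direct} direct, ${result.transitive} transitive, ${result.total} total`);
  for (const f of result.findings) {
    console.log(`${f.severity.toUpperCase()} ${f.id} ${f.pkg} (${f.direct ? "direct" : "transitive"}): ${f.via}`);
  }
}
```

Run with `node` on the constructed data: two direct dependencies expand to seven packages, and both advisory matches sit in transitive dependencies, so an audit that only reads the application's own dependency list would report nothing. The `via` path is what lets a team see which direct dependency pulls the affected package in, which is the starting point for an upgrade or an override.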
