Vulnerabilities and Exposures for Open Source Projects Rise by 130% in 2019

June 9, 2020


RiskSense reveals common vulnerabilities and exposures for popular open source projects doubled in 2019, making it the record year for open source software vulnerabilities.

The findings of RiskSense's latest report might come as a surprise to the open source community. The report, titled "RiskSense Spotlight Report: The Dark Reality of Open Source", may end up shattering the notion that open source software (OSS) is relatively more secure than commercial software.

The report highlights trends in Common Vulnerabilities and Exposures (CVEs), adherence to compliance requirements for vulnerability management, and commonly exploited weaknesses in open source software. It aggregates data on 54 open source projects from 2015 through March 2020.

“One of the more startling discoveries in this research is the issue of NVD latency, or how long it takes a known open source vulnerability to be added to the NVD. Five years for a critical vulnerability to show up in the NVD is a problem for people who are using open source. It’s important to note that this study was meant to help organizations prioritize OSS vulnerability management and is not an indictment of open source itself,” shared John Dasher, Vice President, Products & Marketing for RiskSense exclusively with Toolbox.

Some key findings from the RiskSense Spotlight Report:

CVE Growth Trends: Besides the fact that Common Vulnerabilities and Exposures have been increasing, what is astounding is that this increase has been more than 125% every year since 2017. Growth rates in CVEs:

  • 2017 to 2019: 435 to 968, a 127% rise
  • 2018 to 2019: 421 to 968, a 130% rise

Data for the first three months of 2020 also matches this rate and is at "historically high levels", with 179 CVEs so far.

| Year | Total CVEs | % Change Since Previous Year | % Change Since Base Year (2015) |
|---|---|---|---|
| 2015 | 303 | n/a | n/a |
| 2016 | 388 | 28.06 | 28.06 |
| 2017 | 435 | 12.12 | 43.57 |
| 2018 | 421 | -3.22 | 38.95 |
| 2019 | 968 | 129.93 | 219.48 |
| 2020 (first three months) | 179 | -6.51 | 34.08 |
| Total | 2694 | | |

Vulnerability Weaponization: Of the 2,694 CVEs, 89 were weaponized; 18 of these were found to enable remote code execution (RCE) or privilege escalation (PE), and 6 could be actively exploited.

[Figure: vulnerability chart]
Vulnerability Management: The first step in managing a disclosed vulnerability is its addition to the United States National Vulnerability Database (NVD). RiskSense's report notes that this addition alone takes the better part of two months, an average of 54 days, with the longest delay being a PostgreSQL vulnerability whose addition to the NVD took a staggering 1,817 days.

Highest Vulnerability Numbers: Of the 2,694 CVEs found, the Jenkins automation server sits at the top with 646 CVEs, followed by the MySQL DBMS with 624 and GitLab with 306.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
