Linux Foundation’s Census of OSS app libraries helps prioritize security work


The Linux Foundation has announced the final version of “Census II of Free and Open Source Software – Application Libraries”, which identifies more than a thousand of the most widely deployed open source application libraries. This study indicates which open source packages, components, and projects warrant proactive operations and security support.

The objective of this study is to identify and measure the most widely deployed open source software in applications developed by private and public organizations. The study gives a more complete picture of free and open source software (FOSS) adoption by analyzing usage data provided by software composition analysis (SCA) partner companies Snyk, the Synopsys Cybersecurity Research Center (CyRC) and FOSSA, and is based on their analysis of codebases in thousands of companies.

“Understanding which FOSS packages are most critical to the company allows us to proactively support projects that warrant operational and security support,” said Brian Behlendorf, general manager of OpenSSF. “Open source software is the foundation upon which our daily lives are built, from our banking institutions to our schools and workplaces.”

Top 10 version-independent packages available on the npm package manager

Census II includes eight rankings of the 500 most used FOSS packages from those reported in private usage data provided by SCA partners. These include different slices of data including versioned/version independent, npm/non-npm package manager, and direct/direct and indirect package calls. For example, the top 10 version-independent packages available on the npm package manager that were called directly are:

  • Lodash
  • react
  • axios
  • debug
  • @babel/core
  • Express
  • sow
  • uid
  • react-dom
  • jquery

“Our goal is not only to identify the most widely used FOSS, but also to provide an example of how the distributed nature of FOSS requires a multi-stakeholder effort to fully understand the value and security of the FOSS ecosystem. It is only through data sharing, coordination and investment that the value of this essential component of the digital economy will be preserved for generations to come,” said Frank Nagle, assistant professor at Harvard Business School.

“As companies become more and more dependent on open source technologies, if these same companies do not contribute to the open source projects on which they depend, they increase their business risk. This risk ranges from projects that have become orphaned and contain potentially vulnerable code, to implementation changes that break existing applications. The only meaningful way to mitigate this risk is to allocate resources to contribute to the open source that powers the business. After all, while millions of developers contribute to open source, there might be only one developer working on something critical to your success,” said Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center.

