Open Source Libraries: Uncovering the Risks That Lurk Beneath the Surface

By Hope Goslin
June 8, 2020

The use of open source libraries to assemble applications is accelerating. Not only are more people using open source libraries; more individual developers, and even companies, are also contributing to open source projects. At Veracode, we see more than 70 percent of our customer base using one or more open source libraries in their applications.

And that could be just the tip of the open source iceberg in your application. Beyond the third-party code a developer explicitly introduces lies code, and vulnerabilities, introduced indirectly. A transitive dependency arises when an open source library your organization chose depends in turn on other libraries. In other words, the library that is visible to your organization pulls in libraries that are "invisible" to it, along with whatever vulnerabilities they carry.

In our recent report, State of Software Security: Open Source Edition, we analyzed the security of open source libraries found in over 85,000 applications. We found that 70.5 percent of the applications contained a flawed open source library. Of those flawed applications, 46.6 percent had only transitive flaws, 41.9 percent had only direct flaws, and 11.5 percent had both. Bottom line: the majority of flawed applications have at least one flaw that reached their code indirectly.
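The direct/transitive/both classification above is mechanical once you have the dependency graph a package manager's lockfile gives you. The following is an added example, not code from Veracode or from the report: it walks a constructed dependency graph, labels every library as direct, transitive, or both (a library can be declared by the application and also pulled in by another library), and records the path by which each vulnerable library reaches the application. All library names, versions and advisory labels are hypothetical.

```python
from collections import deque

# Constructed sample data for illustration (hypothetical names, versions and
# advisory labels; nothing here is taken from the Veracode report).

# What the application declares itself, e.g. in package.json, pom.xml or a Gemfile.
DIRECT_DEPS = {"web-framework@2.1.0", "json-parser@1.4.2", "unicode-normalizer@1.0.0"}

# What each library declares in turn: the edges a lockfile or resolver produces.
DEP_GRAPH = {
    "web-framework@2.1.0": {"http-client@3.0.1", "template-engine@0.9.5"},
    "json-parser@1.4.2": {"unicode-normalizer@1.0.0"},
    "http-client@3.0.1": {"unicode-normalizer@1.0.0", "tls-shim@1.2.0"},
    "template-engine@0.9.5": set(),
    "unicode-normalizer@1.0.0": set(),
    "tls-shim@1.2.0": set(),
}

# Hypothetical advisory labels keyed by the vulnerable library version.
KNOWN_VULNERABLE = {
    "json-parser@1.4.2": "EXAMPLE-ADVISORY-1",
    "tls-shim@1.2.0": "EXAMPLE-ADVISORY-2",
    "unicode-normalizer@1.0.0": "EXAMPLE-ADVISORY-3",
}


def transitive_paths(direct_deps, graph):
    """Return {library: path} for every library reached through at least one
    other library. The path is the chain from a direct dependency downward.
    A library also declared directly still appears here if something else
    pulls it in, which is what makes the 'both' case visible."""
    paths = {}
    queue = deque((dep, [dep]) for dep in sorted(direct_deps))
    while queue:
        lib, path = queue.popleft()
        for child in sorted(graph.get(lib, ())):
            if child in paths:
                continue  # BFS: the first path recorded is the shortest one
            child_path = path + [child]
            paths[child] = child_path
            queue.append((child, child_path))
    return paths


def classify(direct_deps, graph):
    """Map every library in the tree to 'direct', 'transitive' or 'both'."""
    paths = transitive_paths(direct_deps, graph)
    result = {}
    for lib in set(direct_deps) | set(paths):
        if lib in direct_deps and lib in paths:
            result[lib] = "both"
        elif lib in direct_deps:
            result[lib] = "direct"
        else:
            result[lib] = "transitive"
    return result


def vulnerable_report(direct_deps, graph, advisories):
    """For each vulnerable library in the tree: the advisory, how the library
    was introduced, and the chain through which it reaches the application."""
    kinds = classify(direct_deps, graph)
    paths = transitive_paths(direct_deps, graph)
    report = {}
    for lib, kind in kinds.items():
        if lib in advisories:
            report[lib] = {
                "advisory": advisories[lib],
                "introduced": kind,
                "path": " -> ".join(["app"] + paths.get(lib, [lib])),
            }
    return report


if __name__ == "__main__":
    for lib, info in sorted(vulnerable_report(DIRECT_DEPS, DEP_GRAPH, KNOWN_VULNERABLE).items()):
        print(f"{info['advisory']}: {lib} ({info['introduced']}) via {info['path']}")
```

In this constructed tree, the TLS shim is three levels down and never appears in anything the developer wrote; the recorded path is what you need in order to know which direct dependency to upgrade or pin to get rid of it. Note that a graph built this way reflects what the package manager resolved, so the same manifest can yield a different tree on another machine unless the lockfile is committed and honored.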

For our report, we also uncovered the dependency breakdown by language. As you will notice in the figure below, JavaScript, Ruby, PHP, and Java have the most transitive inclusions.


Making the data work for you

The bottom line is that using open source libraries isn't in itself a security threat to the business. The threat lies in a lack of awareness: not knowing that what you're using contains vulnerabilities, and not knowing whether those vulnerabilities are exploitable in your application.

Veracode helps you quickly and effectively address open source risk by accurately highlighting where you have open source vulnerabilities, and whether they are in your application's execution path. In this way, you focus only on the vulnerabilities that truly increase your risk.

The image below is a dependency-graph visualization from our solution. The empty circle in the middle is your application, and the sections around it are the direct and indirect libraries it uses. In this specific example, every colored section is a library containing vulnerabilities that affect the application either directly or indirectly. Our scanner identifies all of these libraries, the versions in use, and the vulnerabilities they contain.


And for supported languages, it identifies the call stacks and traces them from your application into the vulnerable library code, so you can see which vulnerabilities your application actually reaches and is therefore exposed to.
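The execution-path check described above comes down to reachability over a call graph: a vulnerable library in the tree matters most when some chain of calls from your own code ends in the vulnerable function. The following is an added example, not Veracode's scanner: it takes a constructed static call graph, walks it from the application's entry points, and splits hypothetical advisories into those whose vulnerable function is reached (with the call chain) and those that are merely present in the tree. Function names, entry points and advisory labels are all assumptions made for illustration.

```python
from collections import deque

# Constructed static call graph: caller -> set of callees. Functions under
# "app." are first-party code; everything else lives in dependencies.
# (Hypothetical names for illustration, not from any real application.)
CALL_GRAPH = {
    "app.main": {"app.handle_upload", "app.render_page"},
    "app.handle_upload": {"json_parser.parse", "app.store"},
    "app.render_page": {"template_engine.render"},
    "app.store": set(),
    "json_parser.parse": {"json_parser.decode_unicode"},
    "json_parser.decode_unicode": {"unicode_normalizer.normalize"},
    "unicode_normalizer.normalize": set(),
    "template_engine.render": {"template_engine.escape"},
    "template_engine.escape": set(),
    # Present in a transitive dependency, but nothing in the app calls into it.
    "tls_shim.parse_certificate": {"tls_shim.asn1_decode"},
    "tls_shim.asn1_decode": set(),
}

# Where execution starts (request handlers, main, scheduled jobs, ...).
ENTRY_POINTS = {"app.main"}

# Hypothetical advisories that name the specific vulnerable function.
VULNERABLE_FUNCTIONS = {
    "unicode_normalizer.normalize": "EXAMPLE-ADVISORY-3",
    "tls_shim.asn1_decode": "EXAMPLE-ADVISORY-2",
    "template_engine.escape": "EXAMPLE-ADVISORY-4",
}


def call_paths(call_graph, entry_points):
    """Breadth-first walk from the entry points. Returns {function: call chain},
    where the chain is the shortest path from some entry point to that function."""
    paths = {ep: [ep] for ep in sorted(entry_points)}
    queue = deque(sorted(entry_points))
    while queue:
        fn = queue.popleft()
        for callee in sorted(call_graph.get(fn, ())):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths


def triage(call_graph, entry_points, vulnerable_functions):
    """Split advisories into reachable (with the call chain that reaches the
    vulnerable function) and unreachable (vulnerable code present, no path)."""
    paths = call_paths(call_graph, entry_points)
    reachable, unreachable = {}, {}
    for fn, advisory in vulnerable_functions.items():
        if fn in paths:
            reachable[advisory] = " -> ".join(paths[fn])
        else:
            unreachable[advisory] = fn
    return reachable, unreachable


if __name__ == "__main__":
    hit, miss = triage(CALL_GRAPH, ENTRY_POINTS, VULNERABLE_FUNCTIONS)
    for advisory, chain in sorted(hit.items()):
        print(f"REACHABLE   {advisory}: {chain}")
    for advisory, fn in sorted(miss.items()):
        print(f"UNREACHABLE {advisory}: {fn} is in the tree but not on any call path")
```

Two caveats a practitioner should keep in mind. A static call graph misses edges created by reflection, dynamic dispatch, plugin loading and deserialization, so "unreachable" is grounds for lowering priority, not for ignoring the advisory. And the answer depends on the entry points you declare: a handler left out of ENTRY_POINTS makes everything it calls look unreachable.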

To get all our data and analysis on the security of open source libraries, download our full State of Software Security: Open Source Edition report.


Hope is part of the content team at Veracode, based in Burlington, MA. In this role, she focuses on creating engaging AppSec content for the security community.