As a Data Scientist at SourceClear I get to analyze lots of interesting vulnerability data as well as anonymized project data. New customers often ask us what "normal" looks like when it comes to vulnerabilities in their projects, so I thought I'd take a look and share a few insights.
How many projects have vulnerabilities, and how many do they usually have?
What's up with all these dependencies?
When we analyze your projects, we first build a full dependency graph to see what libraries are in use. Those libraries you specify are called 'direct' dependencies, but that's not everything. Your dependencies have dependencies, called 'transitive' dependencies. Your package manager resolves this whole graph until you've got dozens, sometimes hundreds of libraries inside your projects.
What are the most popular dependencies?
With every app so full of dependencies, lets take a look to see which ones are the most popular - both direct and transitive ones.
Top Java Dependencies
|guava (29%)||slf4j (46%)|
|avro (29%)||jackson (45%)|
|log4j (26%)||jackson datamapper (43%)|
|mocha (29%)||inherits (86%)|
|express (29%)||minimatch (80%)|
|eslint (20%)||ms (79%)|
inherits library, for example, mostly as a transitive dependency. The top transitive libraries appear in at least 70% of projects:
Where do vulnerabilities typically come from?
In every language but Python (oddly enough) - most vulnerabilities are introduced through transitive dependencies.
Drop us a line if there's something else you'd like us to dig into. Of course you can analyze your own projects with SourceClear too, to see what dependencies lurk in your projects, and which of them may be vulnerable.