Counting Vulnerabilities In Open Source Projects and Programming Languages
Written by Alex Armstrong   
Thursday, 18 April 2019

The number of disclosed open source vulnerabilities skyrocketed in 2017, reaching a total of almost 3,500. Mozilla was the open source project with the most vulnerabilities and C/C++ was the language with the most reported vulnerabilities.

To provide this information, WhiteSource, a company that sells software which monitors open source components and raises alerts about security and licensing issues, conducted a survey of 650 developers from the US and Western Europe about their practices and challenges in using open source. It also collected data from the NVD, the United States' National Vulnerability Database, together with security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather insights into open source vulnerability management.

The statistics presented in The State of Open Source Vulnerability Management report show that the number of disclosed open source software vulnerabilities in 2017 rose by over 50% compared to 2016. In 2018 the number of reported vulnerabilities fell slightly compared with 2017, but the overall upward trend was confirmed:

[Chart: open source vulnerabilities disclosed per year]

Looking at the distribution of vulnerabilities among popular open source projects, Mozilla Firefox tops the list, closely followed by Linux:

[Chart: vulnerabilities by open source project]

With regard to languages, C/C++ comes top by a long margin:


Commenting on this finding in a recent post on the WhiteSource blog, Ayala Goldstein writes:

This is not to say that C is less secure than the other languages. The high number of open source vulnerabilities in C can be explained by several factors. For starters, C has been in use for longer than any of the other languages we researched and has the highest volume of written code. It is also one of the languages behind major infrastructure like OpenSSL and the Linux kernel. This winning combination of volume and centrality explains the high number of known open source vulnerabilities in C.

The blog post also analyzed vulnerabilities by language over time, noting the substantial rise in known open source security vulnerabilities across all languages over the past two years:

[Chart: known open source vulnerabilities by language, per year]

Commenting on this Goldstein writes:

This rise can be explained by the rise in awareness of known security vulnerabilities in open source components, along with the continuously growing popularity of open source. As more resources have been invested in open source security research, the number of issues discovered has increased. The use of automated tools and the growing investment in bug bounty programs have further contributed to the sharp rise in the amount of disclosed open source security vulnerabilities.

Goldstein then focused on high severity open source security vulnerabilities (CVSS v2 base scores of 7.0 and above, which is the NVD's High band) by language over time:

[Chart: high severity open source vulnerabilities by language, per year]

Comparing this with the previous chart, it is clear that the percentage of high severity vulnerabilities is declining in most of the languages covered in the report, with JavaScript and PHP as the exceptions.

Commenting on this Goldstein writes: 

The decrease in the percentage of critical vulnerabilities could be a result of the concerted effort from security researchers to use automated tools to discover vulnerabilities in open source components. These tools are usually less capable of finding more complex and critical issues. While many of these tools are doing a good job of discovering vulnerabilities, many of the issues are not critical, and so we see a rise in the number of mostly medium vulnerabilities over the past few years in most of the programming languages that we studied.
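The counting behind these charts is simple enough to reproduce on raw NVD data: bucket each CVE by the year it was published and by its CVSS v2 severity band, then take the High band as a share of the scored records. The following Python is an added example written for this article; it is not code from WhiteSource or from the report. It reads a feed fragment constructed here in the shape of the legacy NVD JSON 1.1 feed (`CVE_Items`, `publishedDate`, `impact.baseMetricV2.cvssV2.baseScore`), and the CVE identifiers and scores in it are invented. Two caveats the report's wording glosses over are built in: CVSS v2 has no "Critical" band (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0; "Critical" only exists in CVSS v3), and records with no v2 metrics are counted separately rather than dropped, because silently dropping them inflates the High share.

```python
"""Tally NVD-style CVE records by publication year and CVSS v2 severity band.

Added example, not code from the article or from WhiteSource. SAMPLE_FEED is a
constructed fragment in the shape of the (now retired) NVD JSON 1.1 feed; the
CVE IDs and scores are invented for illustration only.
"""
import json
from collections import defaultdict


def v2_severity(score: float) -> str:
    """Map a CVSS v2 base score to the NVD's LOW / MEDIUM / HIGH band.

    The report's "high severity" cut-off of 7 corresponds to HIGH here.
    There is no CRITICAL band in CVSS v2; that label belongs to CVSS v3.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def tally(feed: dict) -> dict:
    """Count CVEs per publication year and severity band.

    Records without a baseMetricV2 block (rejected or not-yet-analysed
    entries) are counted under "UNSCORED" instead of being dropped, so the
    High share can be computed over scored records only, and the reader can
    see how many records the score excludes.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for item in feed["CVE_Items"]:
        year = item["publishedDate"][:4]            # e.g. "2017-03-01T00:00Z"
        v2 = item.get("impact", {}).get("baseMetricV2")
        band = v2_severity(v2["cvssV2"]["baseScore"]) if v2 else "UNSCORED"
        counts[year][band] += 1
    return {year: dict(bands) for year, bands in counts.items()}


def high_share(counts_for_year: dict) -> float:
    """Fraction of scored CVEs in a year that fall in the HIGH band."""
    scored = sum(n for band, n in counts_for_year.items() if band != "UNSCORED")
    return counts_for_year.get("HIGH", 0) / scored if scored else 0.0


# Constructed sample data (invented CVE IDs and scores), NVD JSON 1.1 shape.
SAMPLE_FEED = json.loads("""
{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0001"}}, "publishedDate": "2017-03-01T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 7.5}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0002"}}, "publishedDate": "2017-05-12T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0003"}}, "publishedDate": "2017-09-30T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 10.0}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2017-0004"}}, "publishedDate": "2017-11-02T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 2.1}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0001"}}, "publishedDate": "2018-01-15T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 4.3}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0002"}}, "publishedDate": "2018-04-20T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 6.8}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0003"}}, "publishedDate": "2018-06-06T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 9.3}}}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0004"}}, "publishedDate": "2018-08-08T00:00Z",
  "impact": {}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-2018-0005"}}, "publishedDate": "2018-12-24T00:00Z",
  "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}}
]}
""")


if __name__ == "__main__":
    per_year = tally(SAMPLE_FEED)
    for year in sorted(per_year):
        bands = per_year[year]
        print(f"{year}: {bands}  high share of scored = {high_share(bands):.0%}")
```

On the constructed sample, 2017 has two High out of four scored records (50%) and 2018 one High out of four scored records (25%), with one unscored record reported separately; this is the same "percentage of high severity" comparison the chart above draws, and it makes visible the unscored remainder that a naive count would hide.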



More Information

The State of Open Source Vulnerability Management

Is One Programming Language More Secure Than The Rest?

Related Articles

Ever Increasing Need For Secure Programming 

Don't Neglect Open Source Security

Vulnerability Revealed In GNU C Library 

Memory Safety Bugs Form 70 Percent Of Vulnerabilities


Last Updated ( Thursday, 18 April 2019 )