Census II Lists Critical Application Libraries
Written by Sue Gee   
Thursday, 03 March 2022

The Linux Foundation has announced the publication of "Census II of Free and Open Source Software - Application Libraries" which identifies more than one thousand of the most widely deployed open source application libraries found from scans of commercial and enterprise applications.

The rationale is that this information can be used to decide which open source packages, components and projects warrant proactive operations and security support. 

The original Census Project ("Census I") was conducted in 2015 to identify which software packages in the Debian Linux distribution were the most critical to a Linux server's operation and security. According to the Linux Foundation:

The goal of the current study (Census II) is to pick up where Census I left off and to identify and measure which open source software is most widely deployed within applications developed by private and public organizations.

Brian Behlendorf, executive director of Open Source Software Foundation (OpenSSF), a partner in the Census II project   explained: 

"Understanding what FOSS packages are the most widely used in society allows us to proactively engage the critical projects that warrant operations and security support. Census II provides the foundational detail we need to support the world's most critical and valuable infrastructure."


Census II was initiated in 2018 when the Linux Foundation partnered with the Laboratory for Innovation Science at Harvard University (LISH), with the goal of identifying and measuring which open source software is most widely deployed within applications by private and public organizations. To obtain as full as possible a picture of FOSS usage it analyzed usage data  based on scans of software codebases at thousands of companies with the intention of discovering which FOSS packages are heavily depended on by private companies.

By way of results Census II includes eight lists of the 500 most used FOSS packages. These include different slices of the data including versioned/version-agnostic, npm/non-npm package manager, and direct/direct and indirect package calls.  
For example, the top 10 version-agnostic packages available on the npm package manager that were called directly ranked by usage are:
  1. lodash
  2. react
  3. axios
  4. debug
  5. @babel/core
  6. express
  7. semver
  8. uuid
  9. react-dom
  10. jquery
In its conclusion the report states:
Far from being the final word on critical FOSS projects, this census effort represents the beginning of a larger dialogue on how to identify vital packages and ensure they receive adequate resources and support.
The study also identified five high-level findings important to the future health and security of FOSS: 
  1. The need for a standardized naming schema for software components.
  2. The complexities associated with package versions.
  3. Much of the most widely used FOSS is developed by only a handful of contributors.
  4. The increasing importance of individual developer account security.
  5. The persistence of legacy software in the open source space.
Adding the comment:
Given the distributed nature of FOSS, only through data sharing, coordination, and investment will the value of this critical component of the digital economy be preserved for generations to come. 

More Information

Census II of Free and Open Source Software — Application Libraries (pdf)

Related Articles

New Initiative For Taking Open Source Software Security Seriously

Taking Open Source Criticality Seriously

Open Source Insights Into The Software Supply Chain

The State Of Secure Software Development - Three OpenSSF Courses


To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.


JetBrains Updates IDEs With AI Code Completion

JetBrains has launched the first set of updates for 2024 of its JetBrains IDEs. The new versions include full-line code autocompletion powered by locally run AI models.

Conference Times Ahead

Following a well-established pattern both Google's and Microsoft's Developer Conferences will take place in May while Apple follows on in June. Here are the dates plus what to expect.

More News

raspberry pi books



or email your comment to: comments@i-programmer.info


Last Updated ( Thursday, 03 March 2022 )