Open Source, Open Threats? Investigating Security Challenges in Open-Source Software
The growing adoption of open-source software (OSS) has established its role across critical industries, creating an undeniable reliance on these ecosystems. However, this rapid expansion has also led to increased vulnerabilities, raising urgent concerns among developers, policymakers, and users. This paper investigates the trends and patterns of reported vulnerabilities within OSS platforms, focusing on the implications of these findings for security practices. To understand the dynamics of OSS vulnerabilities, we analyze a comprehensive dataset comprising over 29,367 vulnerability reports from GitHub’s advisory database and Snyk.io reports. Our analysis covers 10 programming languages, examining the distribution of vulnerabilities across prominent Common Weakness Enumerations (CWEs). The analysis reveals a substantial increase in reported vulnerabilities, surging at an annual rate of 91%, which far exceeds the average annual growth rate of 27% in the number of OSS packages. We also analyze the top CWEs for each studied programming language to identify both common and language-specific CWEs. The analysis reveals that on all platforms, the top 5 CWEs are responsible for more than 40% of the total vulnerability reports. Additionally, our study shows that the distribution of vulnerabilities across packages is not uniform. For example, Composer has 6.7 vulnerabilities per vulnerable package, indicating concentration in a few critical packages, while NPM’s average of 1.44 suggests a broader, more dispersed distribution. Finally, we evaluate the characteristics that make certain packages more prone to vulnerabilities, based on factors such as total stars, contributors, and dependencies.