62% of libraries found in applications are inactive, that are not used at all by the software, according to a new study revealed by Contrast Security. Additionally, 69% of library classes are not invoked by applications. Vulnerabilities in these unused portions of applications are reported as exploitable risk by legacy software composition analysis (SCA) tools. This exposes an organization to higher risk, operational inefficiency, and potential delays in software release cycles.
The 2021 State of Open-source Security Report was compiled by Contrast Security, the industry’s only true application security platform. Its analysis is based on aggregate telemetry data from thousands of applications and application programming interfaces (APIs) protected by Contrast OSS and Contrast Assess. This methodology gives a rare glimpse into real-life software supply chains to assess the organizational risk posed by third-party libraries, and to identify best practices to minimize that risk.
Open-source libraries and frameworks are a critical element of the vast improvements in speed and efficiency of software factories over the past decade. Such code reuse is essential for integrated approaches like DevOps, but it is not without risk.
The report identifies and quantifies five layers of risk stemming from the use of third-party code: active and inactive libraries, active and inactive library classes, library age, open-source vulnerabilities, and license risk.
Five Layers of Risk
1. Active and Inactive Libraries: A Need for Observability
Data from Contrast Labs reveals that 62% of libraries found in applications are inactive — that is, not used by the software in any way. When a developer uses a library for a certain function, additional libraries are imported into the application that have nothing to do with that function. This creates complex dependency trees, and sorting out which libraries are active and inactive requires runtime visibility into routes taken by the software.
2. Active and Inactive Library Classes: More Layers of Unused Code
Even in active libraries, applications typically use only some parts of that library — known as classes. Even within active libraries, an average of only 31% of classes is invoked, leaving 69% unused. This also means that less than 10% of application code is active third-party library code. Again, determining which library classes pose potential risk requires observability into how the application interacts with the library classes.
3. Library Age: Risk Increases With Time
The average library version used in applications in the dataset was released 2.6 years ago. And while 28% of active libraries are less than a year old, 31% are more than two years old.
While it is not always advisable to use the very latest version of a library, allowing them to sit for years without being updated creates problems. For example, Contrast Labs data indicates that the odds of a Critical or Major vulnerability increases from 3% for libraries that are one year old to 13% for those that are five years old. In addition, the more changes between the library in use and the latest version, the more testing that is needed and the greater the likelihood that the change breaks the application — thus resulting in unplanned or unscheduled work.
4. Vulnerabilities: Too Many False Positives
While the average application contains 34 Common Vulnerabilities and Exposures (CVEs) from third-party libraries, an average 23% of these CVEs — and 18% of those categorized as Critical and Major — are found in inactive libraries and classes. These non-risky vulnerabilities are false positives when they appear alongside other vulnerabilities in reports compiled by legacy SCA tools.
5. License Risk: Potential Legal and Operational Pitfalls
Each third-party library should have some sort of license. Permissive licenses pose little or no risk, while copyleft licenses can require that an entire application be made open source — even if the library covered by the license provides only a very small part of the application’s functionality. Contrast Labs data shows that license risk is quite high, with 69% of Java applications containing at least one high-risk license — and 95% containing a license of variable or unknown risk.
The 2021 State of Open-source Security Report highlights the increasing complexity of the software supply chain in modern software factories. Such complexity can increase risk, and organizations need to ensure that they have a strategy to mitigate the five layers of risk detailed in the report. This includes the following:
- Setting comprehensive policies for libraries, frameworks, and licensing
- Establishing continuous observability into active and inactive libraries and classes, library age, vulnerabilities, and licenses
- Embedding controls in continuous integration/continuous deployment (CI/CD) processes