Open-source components with known security vulnerabilities are still widely used.

Open-source components with known security vulnerabilities are still widely used.
GuideSonatype, which provides Maven's central repository hosting service, says 1/16 of Java component downloads contain security issues. Sonatype claims that developers need to download more than 31 billion Java components each year, and more than 10 thousand new components and more than new components are added each day.

Enterprises now use a managed central component repository to store their code. Some of the Code comes from private projects, while others come from open-source code. In most cases, they just download open-source code and import it to their projects, do not perform necessary security audits.
Sonatype found that 8% and 90 of enterprise code are composed of open-source components, which are directly imported from open-source code.

Because these security defects are public, and Sonatype is able to access the server statistics of its managed services, it will get more data than others, therefore, they warn developers to pay attention to the risks of using insecure or expired components in their code.
This warning is even more serious for companies, because if attackers attack Applications created using defective components, the results may lead to more economic losses.

The defect rate of older components is as high as three times

After analyzing more than three thousand enterprise applications from 25,000 institutions in several different industries, Sonatype finds that every enterprise downloads about five thousand different components every year.
The older the component, the more likely it will contain security defects. Even worse, 97% of downloaded components cannot be easily tracked and audited. If the company only wants to fix two thousand of the 10% applications, it will require a huge investment of about $7.42 million.
These problems indicate that enterprises need to manage the software supply chain to avoid future defects. The time spent on the component security audit will be rewarded after the project has security vulnerabilities.
Removing defective components from this managed central code repository should also be the highest priority for the communities behind these projects.
The software supply chain report contains more information about today's software supply chain.

From: https://linux.cn/article-7594-1.html

Address: http://www.linuxprobe.com/components-vulnerabilities.html