State of the Software Supply Chain 2021

Now in its seventh edition, Sonatype’s State of the Software Supply Chain 2021 report combines a broad set of public and private data to reveal important findings about open source code and its increasingly important role in digital innovation.


Open source supply is growing exponentially

Today, the four major open source ecosystems contain a total of 37,451,682 components and packages. These same communities collectively released 6,302,733 new component/package versions in the past year and have introduced 723,570 entirely new projects in support of 27 million developers worldwide.

By 2021, developers worldwide will have ordered more than 2.2 billion open source packages, representing a 73% year-over-year growth in open source component downloads by developers. Despite the growing volume of downloads, the percentage of available components used in production applications is surprisingly low.


Vulnerabilities are more common in projects

The top 10% of the most popular versions of OSS projects have an average probability of 29% of containing known vulnerabilities. In contrast, the remaining 90% of project versions have only a 6.5% chance of containing known vulnerabilities. Taken together, these statistics indicate that the vast majority of security research (whitehat and blackhat) is focused on finding and fixing (or exploiting) vulnerabilities in the most widely used projects.


Attacks on the software supply chain increase by 650%.

Members of the global open source community are facing a novel and rapidly expanding threat that has nothing to do with passive adversaries exploiting known vulnerabilities.

From February 2015 to June 2019, 216 attacks on the software supply chain were recorded. Then, from July 2019 to May 2020, the number of attacks increased to 929 attacks. However, in the last year, these attacks numbered more than 12,000 and represented a 650% increase year over year.