Report Highlights Open Source Dependency Risks
A comprehensive report on open source software dependency management has been released by Endor Labs. The research underscores the need for automated tooling and auditable processes to manage vulnerabilities in software supply chains. This is particularly relevant for financial firms, as regulations like the EU's DORA are increasing scrutiny on third-party and open source risks.
- The European Union's Digital Operational Resilience Act (DORA) mandates that financial institutions map their dependencies on third-party ICT providers, including open source components, and maintain a register of this information. This regulation, which became applicable on January 17, 2025, requires firms to manage and mitigate risks associated with these dependencies to ensure they can withstand and recover from ICT-related disruptions.
- Research shows that 95% of vulnerabilities in open source software are found in transitive dependencies, that is, the dependencies of the dependencies that developers directly pull into a project. This indirect inclusion of code makes it difficult for developers to assess the true impact and reachability of these vulnerabilities.
- Attacks targeting the software supply chain have increased by over 1,300% between 2020 and 2023, with threats circulating via open-source package repositories growing significantly. In the first nine months of 2023 alone, over 7,000 malicious packages were detected on the Python Package Index (PyPI).
- A significant portion of open source projects are not actively maintained; one report found that 50% of the most used packages in a particular census had not had a new release in 2022, and 30% had their last release prior to 2018. This lack of maintenance can lead to unpatched vulnerabilities and other operational risks.
- The Endor Labs 2024 Dependency Management Report found that less than 9.5% of all vulnerabilities are exploitable at the function level, meaning there is a direct call path from the application to the vulnerable function in a library. This highlights the importance of function-level reachability analysis to prioritize remediation efforts and reduce noise from non-exploitable vulnerabilities.
- The use of AI in code generation is introducing new risks, with one report finding that only one in five dependency versions recommended by AI coding assistants were safe and free of both "hallucinations" (non-existent packages) and known vulnerabilities. Depending on the AI model, between 44% and 49% of dependencies imported by coding agents contained known security vulnerabilities.
- The financial services and fintech industries have one of the highest rates of open source license conflicts, with 66% of audited codebases containing components with incompatible licenses. This can create legal and intellectual property risks, especially when proprietary code is mixed with "copyleft" licenses that require source code to be made public.
- In 2023, the first recorded open-source software supply chain attacks specifically targeting the banking sector were detected. These sophisticated attacks often involve embedding malicious code within open-source components to gain unauthorized access to financial systems.
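The two findings above about transitive dependencies and function-level reachability describe the same triage problem: a vulnerable function may be present somewhere in the dependency tree without any call path leading to it from application code. The following script is an added illustration, not code from the Endor Labs report or from any scanner; the package names, call graph and advisory identifiers (`ADV-0001` and so on) are constructed sample data. It classifies each advisory by where its package sits in the dependency tree (direct or transitive) and by whether the vulnerable function is reachable from the application's entry points, and it returns the call path as evidence when it is.

```python
"""Function-level reachability over a constructed dependency and call graph.

Added example (not from the report): shows why a vulnerability in a
transitive dependency can be present yet unreachable, and why a finding
should carry the call path that makes it reachable.
"""
from collections import deque

# Constructed sample: package dependency edges, "app" is the application.
DEPENDENCIES = {
    "app": ["webframework", "httpclient"],
    "webframework": ["templating", "jsonlib"],
    "httpclient": ["urlparse"],
    "templating": [],
    "jsonlib": [],
    "urlparse": [],
}

# Constructed sample: function-level call graph, nodes are "package.function".
CALL_GRAPH = {
    "app.handle_request": ["webframework.render", "httpclient.get"],
    "webframework.render": ["templating.render_template"],
    "httpclient.get": ["urlparse.split_url"],
    "templating.render_template": ["templating.escape"],
    "templating.escape": [],
    "urlparse.split_url": [],
    "jsonlib.loads": ["jsonlib.parse_number"],  # never called by the app
    "jsonlib.parse_number": [],
}

# Constructed sample advisories with placeholder ids (not real CVEs).
ADVISORIES = [
    {"id": "ADV-0001", "package": "templating", "function": "templating.escape"},
    {"id": "ADV-0002", "package": "jsonlib", "function": "jsonlib.parse_number"},
    {"id": "ADV-0003", "package": "httpclient", "function": "httpclient.get"},
]


def reachable(graph, roots):
    """All nodes reachable from any root by following edges (roots included)."""
    seen = set()
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def dependency_kind(package, app="app"):
    """Return 'direct', 'transitive' or 'unused' for a package relative to app."""
    if package in DEPENDENCIES.get(app, []):
        return "direct"
    if package in reachable(DEPENDENCIES, [app]):
        return "transitive"
    return "unused"


def call_path(graph, roots, target):
    """Shortest call path from any root to target, or None if unreachable.

    The returned path is the evidence a reachability finding should carry."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def triage(advisories, entry_points):
    """Classify each advisory by dependency kind and function-level reachability."""
    results = []
    for adv in advisories:
        path = call_path(CALL_GRAPH, entry_points, adv["function"])
        results.append({
            "id": adv["id"],
            "package": adv["package"],
            "dependency": dependency_kind(adv["package"]),
            "reachable": path is not None,
            "path": path,
        })
    return results


def prioritize(results):
    """Advisory ids to remediate first: only those with a call path from the app."""
    return [r["id"] for r in results if r["reachable"]]


if __name__ == "__main__":
    for r in triage(ADVISORIES, ["app.handle_request"]):
        print(r["id"], r["dependency"], "reachable" if r["reachable"] else "not reachable", r["path"])
```

Run as written, the script reports that the vulnerable function in the transitive `jsonlib` package is present but unreachable, while the `templating` and `httpclient` advisories each come with a concrete call path and are the ones to fix first.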