Chainguard, which positions itself as the trusted source for open source, has an unusual vantage point on how contemporary businesses actually use open source software and where they run into operational difficulties and risk. With over 1,800 container image projects, 148,000 versions, 290,000 images, 100,000 language libraries, and nearly half a billion builds across a growing customer base, it can see what teams pull, deploy, and maintain day to day, along with the vulnerabilities and remediation realities that come with that usage.
Drawing on that data, Chainguard developed The State of Trusted Open Source, a quarterly report on the open source software supply chain.
As the Chainguard team examined anonymized product usage and CVE data, they found recurring themes about what open source engineering teams are really building with and the risks that come with it. What they found:

AI is changing the baseline stack: Python, which powers the current AI stack, was the most widely used open source image among Chainguard's customers worldwide.

### Most popular by region: similar foundations, different longtail mix

North America shows a broad and consistent set of default production building blocks: Python (71.7% of customers), Node (56.6%), nginx (39.8%), Go (31.9%), Redis (31.5%), and Kubernetes ecosystem components (cert-manager, istio, argocd, prometheus, kube-state-metrics, node-exporter, kubectl).
Interestingly, utility images such as busybox appear in a meaningful way.
Outside North America the same core stack is present, but the portfolio is distributed differently: Python (72% of customers), Node (55.8%), Go (44.2%), nginx (41.9%), and a noticeable presence of PostgreSQL and .NET runtimes (aspnet-runtime, dotnet-runtime, and dotnet-sdk).

### The longtail of images is essential to production, not a set of edge cases

The most popular images on Chainguard account for about half of all container pulls, yet they make up only 1.37% of all available images.
The other half of production usage comes from 1,436 longtail images, which make up 61.42% of the average customer's container portfolio.
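The head/longtail split above is a concentration measurement you can reproduce against your own registry pull log or cluster inventory: rank images by pulls, find the smallest set of top images that covers half of all pulls, and then see how much of each team's distinct image portfolio falls outside that set. The script below is an added example, not Chainguard's tooling or data; the pull counts, customer names and the 50% threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample: pulls per customer per image, standing in for a
# registry pull log or cluster inventory. These numbers are made up for
# the example and are not Chainguard's data.
SAMPLE_PULL_COUNTS = {
    "acme": {"python": 5, "node": 4, "nginx": 3, "go": 2, "redis": 2,
             "busybox": 1, "cert-manager": 1, "istio": 1, "argocd": 1},
    "globex": {"python": 5, "node": 4, "nginx": 3, "go": 2, "redis": 1,
               "busybox": 1, "cert-manager": 1, "prometheus": 1,
               "kubectl": 1, "postgres": 1},
}


def expand_pulls(counts_by_customer):
    """Flatten {customer: {image: pulls}} into (customer, image) records,
    one per pull, i.e. the shape of a raw pull log."""
    return [(cust, img)
            for cust, imgs in counts_by_customer.items()
            for img, n in imgs.items()
            for _ in range(n)]


def head_images(pulls, target=0.5):
    """Rank images by total pulls and return the smallest top-ranked set
    whose pulls reach `target` of all pulls, plus that set's share of
    distinct images. Ties are broken by image name so the result is stable."""
    counts = Counter(img for _, img in pulls)
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    head, running = [], 0
    for img, n in ranked:
        head.append(img)
        running += n
        if running / total >= target:
            break
    return head, len(head) / len(counts)


def longtail_share_by_customer(pulls, head):
    """For each customer, the fraction of their distinct images that lie
    outside the head set, i.e. how much of their portfolio is longtail."""
    head = set(head)
    portfolio = defaultdict(set)
    for cust, img in pulls:
        portfolio[cust].add(img)
    return {cust: len(imgs - head) / len(imgs)
            for cust, imgs in sorted(portfolio.items())}


def longtail_report(counts_by_customer, target=0.5):
    """Combine the two measurements into one report dict."""
    pulls = expand_pulls(counts_by_customer)
    head, head_share = head_images(pulls, target)
    return {
        "head": head,
        "head_share_of_distinct_images": head_share,
        "longtail_share_by_customer": longtail_share_by_customer(pulls, head),
    }


if __name__ == "__main__":
    report = longtail_report(SAMPLE_PULL_COUNTS)
    print(f"{len(report['head'])} images cover half of pulls: {report['head']}")
    print(f"that is {report['head_share_of_distinct_images']:.1%} of distinct images")
    for cust, share in report["longtail_share_by_customer"].items():
        print(f"{cust}: {share:.1%} of portfolio is longtail")
```

On the constructed sample, three images (python, node, nginx) cover half of all pulls while being a quarter of the distinct images, and two thirds or more of each customer's portfolio is longtail; the point of running it on real data is that the longtail share, not the head, is where most of your patching surface lives.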
The team also beat Chainguard's SLAs (seven days for Critical CVEs and 14 days for High, Medium, and Low CVEs) by a wide margin: beyond Critical CVE remediation, High CVEs were addressed in 2.05 days, Medium CVEs in 2.5 days, and Low CVEs in 3.05 days. That speed isn't limited to the most popular packages, either: for every CVE fixed in a top 20 image project, they fixed 50 CVEs in less well-known images.
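Whether you consume a vendor's images or rebuild your own, the per-severity SLAs quoted above are only useful if you measure your own remediation times against them. The script below is an added example, not Chainguard's tooling or data: it takes a list of remediation records, computes days-to-fix per severity, and flags both fixed findings that exceeded the SLA and still-open findings that have already aged past it. It assumes remediation time is measured from when the vulnerability was published to when the patched image shipped; the record identifiers, dates and SLA table are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Assumed SLA table, in days, modelled on the figures quoted in the text.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 14, "MEDIUM": 14, "LOW": 14}

# Constructed remediation records. Identifiers are placeholders, not real
# CVEs; "published" is when the finding became known, "fixed" is when the
# rebuilt image was available, or None if it is still open.
SAMPLE_RECORDS = [
    {"id": "EXAMPLE-1", "severity": "CRITICAL", "image": "python",
     "published": "2025-01-02T00:00:00", "fixed": "2025-01-04T12:00:00"},
    {"id": "EXAMPLE-2", "severity": "CRITICAL", "image": "nginx",
     "published": "2025-01-10T00:00:00", "fixed": "2025-01-19T00:00:00"},
    {"id": "EXAMPLE-3", "severity": "HIGH", "image": "go",
     "published": "2025-02-01T00:00:00", "fixed": "2025-02-03T00:00:00"},
    {"id": "EXAMPLE-4", "severity": "HIGH", "image": "kubectl",
     "published": "2025-02-01T00:00:00", "fixed": "2025-02-03T02:24:00"},
    {"id": "EXAMPLE-5", "severity": "MEDIUM", "image": "istio",
     "published": "2025-03-01T00:00:00", "fixed": "2025-03-03T12:00:00"},
    {"id": "EXAMPLE-6", "severity": "LOW", "image": "busybox",
     "published": "2025-03-05T00:00:00", "fixed": None},
]


def days_between(start, end):
    """Fractional days between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 86400


def remediation_report(records, as_of, sla=SLA_DAYS):
    """Per-severity remediation statistics and SLA breaches.

    Fixed records breach the SLA if days-to-fix exceeds the limit; open
    records breach it if their age at `as_of` already exceeds the limit.
    Unknown severities raise KeyError rather than being silently skipped.
    """
    buckets = defaultdict(lambda: {"fixed_days": [], "open": [], "breaches": []})
    for rec in records:
        sev = rec["severity"].upper()
        limit = sla[sev]
        bucket = buckets[sev]
        if rec["fixed"] is None:
            bucket["open"].append(rec["id"])
            if days_between(rec["published"], as_of) > limit:
                bucket["breaches"].append(rec["id"])
            continue
        days = days_between(rec["published"], rec["fixed"])
        bucket["fixed_days"].append(days)
        if days > limit:
            bucket["breaches"].append(rec["id"])

    report = {}
    for sev, b in buckets.items():
        days = b["fixed_days"]
        report[sev] = {
            "fixed": len(days),
            "mean_days": sum(days) / len(days) if days else None,
            "max_days": max(days) if days else None,
            "open": b["open"],
            "breaches": b["breaches"],
        }
    return report


if __name__ == "__main__":
    for sev, stats in remediation_report(SAMPLE_RECORDS, "2025-03-25T00:00:00").items():
        mean = f"{stats['mean_days']:.2f}" if stats["mean_days"] is not None else "n/a"
        print(f"{sev:8} fixed={stats['fixed']} mean_days={mean} "
              f"open={stats['open']} breaches={stats['breaches']}")
```

Run against a scanner export with real publication and fix timestamps, the breach lists are the items to escalate; the open-but-aging case matters most for the longtail, since those are the images nobody is watching.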
Most of your actual exposure hides in that longtail, and keeping up with it can feel hopeless.
The data makes clear that the "quiet majority" of your software supply chain has to be secured with the same rigor as your most critical workloads, even though most engineering organizations simply cannot devote the resources to patch vulnerabilities in packages outside their core stack.