A recent report by Lineaje AI Labs has revealed that the United States is the top contributor to open-source projects, but it also leads in anonymous contributions, raising significant concerns about transparency and security in the global software supply chain.
Geopolitical Risks in Open-Source Contributions
The report, titled “Crossing Boundaries: Breaking Trust,” highlights the geopolitical risks associated with the geographic distribution of open-source contributions. With the rise of nation-state cyberattacks, where code originates has become a matter of national and economic security. Microsoft estimates that its customers face 600 million cyberattacks daily, and that 24% of nation-state attacks target the IT sector.
Key Findings:
- U.S. Dominates Open-Source Contributions: The U.S. accounts for more than one-third (34%) of global open-source contributions, followed by Russia at 13%. Other significant contributors include Canada, the U.K., and China.
- High Rate of Anonymous Contributions: In the U.S., 20% of open-source contributions are anonymous, more than twice the rate of Russian contributions and three times that of Chinese contributors. Globally, 5-8% of open-source components are of unknown or dubious origin, potentially introducing hidden backdoors, malware, or critical vulnerabilities.
- Critical Software Faces Geo-Provenance Concerns: Industries such as defense, water, electricity, banking, and retail face challenges in software maintenance due to contributions from multiple countries, making it difficult to exclude adversarial nations completely.
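The report does not publish how it classifies a contribution as anonymous. The following added example (not from the report or from Lineaje) shows one practical heuristic a maintainer can run over their own history: parse `git log --format='%H|%an|%ae|%G?'` output and flag commits whose author e-mail is a platform or local placeholder rather than a person, and commits that carry no or a bad GPG signature. The domain list and the sample log are constructed assumptions.

```python
"""Flag commits whose author identity gives no provenance signal.

Added example, not from the Lineaje report. Input is the output of
  git log --format='%H|%an|%ae|%G?'
The %G? field is git's signature status: G good, B bad, U good but
untrusted, X/Y/R good but expired/revoked key, E cannot be checked,
N no signature. The 'anonymous' heuristic below is an assumption.
"""
from dataclasses import dataclass

# Domains that identify a platform or host rather than a person
# (assumption; extend for your own forge).
ANONYMOUS_DOMAINS = {
    "users.noreply.github.com",
    "noreply.github.com",
    "noreply.gitlab.com",
    "localhost",
    "localhost.localdomain",
}

# Constructed sample of `git log --format='%H|%an|%ae|%G?'` output.
SAMPLE_LOG = """\
a1b2c3d|Jane Doe|jane@example.org|G
d4e5f6a|octocat|12345+octocat@users.noreply.github.com|N
b7c8d9e|root|root@localhost|N
c0d1e2f|Alice Smith|alice@example.com|N
e3f4a5b|anon|anon@example.net|B
"""


@dataclass
class Commit:
    sha: str
    name: str
    email: str
    sig: str  # one-letter %G? code


def parse_log(text: str) -> list[Commit]:
    """Split pipe-delimited log lines into Commit records."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, name, email, sig = line.split("|", 3)
        commits.append(Commit(sha, name, email, sig))
    return commits


def provenance_flags(c: Commit) -> list[str]:
    """Return the provenance problems found for one commit (empty = none)."""
    flags = []
    domain = c.email.rsplit("@", 1)[-1].lower() if "@" in c.email else ""
    if not domain or domain in ANONYMOUS_DOMAINS:
        flags.append("anonymous-email")
    if c.sig == "N":
        flags.append("unsigned")
    elif c.sig in ("B", "E"):
        flags.append("bad-signature")
    return flags


def summary(text: str) -> dict:
    """Count commits per flag so the share can be tracked over time."""
    commits = parse_log(text)
    counts = {"total": len(commits), "anonymous_email": 0, "unsigned": 0, "bad_signature": 0}
    for c in commits:
        for f in provenance_flags(c):
            counts[f.replace("-", "_")] += 1
    return counts


if __name__ == "__main__":
    for c in parse_log(SAMPLE_LOG):
        print(c.sha, c.email, provenance_flags(c) or "ok")
    print(summary(SAMPLE_LOG))
```

Run it against a real repository with `git log --format='%H|%an|%ae|%G?' | python3 provenance.py` after swapping the constructed sample for `sys.stdin.read()`; a rising share of noreply or unsigned commits is the signal the report is talking about, not proof of malice.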
Global Maintenance Gaps in Open Source
The report also identifies several troubling trends in the maintenance of open-source software, which contribute to critical vulnerabilities:
- Security Weaknesses: Open source accounts for 2 to 9 times as much code as developers write themselves, and over 95% of security weaknesses originate in open-source dependencies. Over half (51%) of these vulnerabilities have no known fix, and 70% of open-source components are poorly maintained.
- Unmaintained Open Source Less Vulnerable: Surprisingly, the report finds well-maintained open source 1.8 times more vulnerable than unmaintained open source, which it attributes to the higher rate of change in actively maintained code. A lower vulnerability count does not make unmaintained code safe, since nobody is fixing what is found in it.
- Deep Layer Vulnerabilities: Open-source dependency trees can run up to 60 layers deep, which defeats risk assessment and remediation approaches that only look at direct dependencies. Knowing which vulnerabilities actually need fixing can eliminate at least 50% of the effort and improve security posture by 20-70%.
- Version Sprawl Complications: More than 15% of open-source components have multiple versions in a single application, complicating remediation efforts.
- Security Risks from Coding Language Diversity: A mid-sized application can include 1.4 million lines of code across 139 languages, often dragging in risky memory-unsafe languages.
- Team Size Impacts Security: Open-source projects with very small (<10) or large (>50) teams deliver more risky packages than mid-sized teams.
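The depth and version-sprawl findings above are measurable from an SBOM. The following added example (not code from the report or from Lineaje) walks a constructed CycloneDX-style document, computes how deep each component sits below the root, lists names that ship in more than one version, and returns the shortest dependency chain to any component so a fix can be targeted at the right layer. The field names follow the CycloneDX JSON layout (`components[].bom-ref/name/version`, `dependencies[].ref/dependsOn`, `metadata.component`); the sample SBOM itself is constructed.

```python
"""Dependency depth and version sprawl from a CycloneDX-style SBOM.

Added example, not from the Lineaje report. SAMPLE_SBOM is constructed;
it includes a duplicate component (c in two versions) and a cycle
(e@1 -> a@1) so the traversal has to handle both.
"""
import json
from collections import defaultdict, deque

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "a@1", "name": "a", "version": "1.0.0"},
        {"bom-ref": "b@2", "name": "b", "version": "2.1.0"},
        {"bom-ref": "c@1", "name": "c", "version": "1.4.0"},
        {"bom-ref": "c@0", "name": "c", "version": "0.9.0"},   # second version of c
        {"bom-ref": "d@3", "name": "d", "version": "3.0.0"},
        {"bom-ref": "e@1", "name": "e", "version": "1.0.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a@1", "b@2"]},
        {"ref": "a@1", "dependsOn": ["c@1"]},
        {"ref": "b@2", "dependsOn": ["c@0", "d@3"]},
        {"ref": "c@1", "dependsOn": []},
        {"ref": "c@0", "dependsOn": ["d@3"]},
        {"ref": "d@3", "dependsOn": ["e@1"]},
        {"ref": "e@1", "dependsOn": ["a@1"]},   # cycle back to a@1
    ],
})


def load(sbom_json: str):
    """Return (root ref, components by ref, adjacency list)."""
    doc = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    return root, comps, graph


def bfs(root: str, graph: dict):
    """Shortest-path depth (root = 0) and parent of every reachable ref.
    BFS visits each ref once, so cycles cannot loop."""
    depth, parent = {root: 0}, {root: None}
    q = deque([root])
    while q:
        node = q.popleft()
        for child in graph.get(node, []):
            if child not in depth:
                depth[child] = depth[node] + 1
                parent[child] = node
                q.append(child)
    return depth, parent


def path_to(ref: str, parent: dict) -> list[str]:
    """Chain from the root down to ref, i.e. which layer to patch or pin."""
    chain = []
    while ref is not None:
        chain.append(ref)
        ref = parent[ref]
    return chain[::-1]


def version_sprawl(comps: dict) -> dict:
    """Names that appear in more than one version."""
    by_name = defaultdict(set)
    for c in comps.values():
        by_name[c["name"]].add(c["version"])
    return {n: sorted(v) for n, v in by_name.items() if len(v) > 1}


def analyze(sbom_json: str) -> dict:
    root, comps, graph = load(sbom_json)
    depth, parent = bfs(root, graph)
    sprawl = version_sprawl(comps)
    names = {c["name"] for c in comps.values()}
    return {
        "max_depth": max(depth.values()),
        "depth": depth,
        "parent": parent,
        "sprawl": sprawl,
        "sprawl_ratio": len(sprawl) / len(names) if names else 0.0,
        # listed in components but not reachable from the root: orphans worth asking about
        "unreachable": sorted(set(comps) - set(depth)),
    }


if __name__ == "__main__":
    r = analyze(SAMPLE_SBOM)
    print("max depth:", r["max_depth"])
    print("version sprawl:", r["sprawl"])
    print("path to e@1:", " -> ".join(path_to("e@1", r["parent"])))
```

On the constructed input the deepest component sits three layers down and `c` ships in two versions, so a vulnerability in `c` has to be fixed twice; on a real SBOM the same functions give the depth distribution and the 15%-style sprawl figure the report cites for your own application.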
As open-source software continues to play an integral role in the global software supply chain, understanding and mitigating the risks associated with anonymous contributions and maintenance gaps will be more important than ever during this time of geopolitical tensions.