Sonatype 2023 Supply Chain Report: Open‑Source Growth, Security Risks & AI
Sonatype’s 2023 software supply chain report shows a 29% average year‑over‑year growth in open‑source projects across major ecosystems, a sharp slowdown in download growth, a doubling of malicious packages, and a rapid rise in AI/ML tool adoption among DevOps and SecOps teams.
Sonatype released its latest "State of the Software Supply Chain" report, examining how to define better software in a world of abundant choices and exploring the profound impact of artificial intelligence (AI) on software development, as well as the intricate interplay between open‑source supply, demand, and security.
The report tracks the growth of open‑source applications in four major ecosystems: Java (Maven), JavaScript (npm), Python (PyPI), and .NET (NuGet Gallery). From 2022 to 2023, the number of available open‑source projects grew on average by 29%. In 2023, projects released an average of 15 usable versions, with each ecosystem offering 10 to 22 versions per project, resulting in roughly 1‑2 new versions per month and a total of 60 million new versions across observed ecosystems.
While the supply of open‑source components continues to rise, demand has not kept pace. Over the past two years, the download growth rate has declined, with an average growth rate of 33% in 2023 compared to 73% in 2021.
Security concerns remain acute: by September 2023, the research team identified 245,032 malicious packages, twice the total of previous years. One‑eighth of open‑source downloads contain known risks, and 23% of Log4j downloads still have severe vulnerabilities.
Active maintenance of open‑source projects is declining: nearly 19% of projects stopped being maintained last year, with the Java and JavaScript ecosystems affected, and only 11% of projects receive active upkeep. Nevertheless, Sonatype notes that about 96% of components with known vulnerabilities could have been avoided simply by selecting a non‑vulnerable version of the same component.
Regarding AI in software development, 97% of surveyed DevOps and SecOps leaders report using AI in their workflows to some extent, with most using two or more AI tools daily. Adoption of AI/ML components in enterprise environments increased by 135% last year.
The report also highlights a gap between perceived and actual security: 67% of companies believe their systems are free of vulnerable code, yet 10% experienced security incidents due to vulnerable components this year. Detection times vary, with 39% finding vulnerabilities within 1‑7 days, 29% taking over a week, and 28% resolving them in less than a day.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"