2024年开源安全与风险分析OSSRA报告：确保开源供应链安全 英文版 .docxVIP

2024OpenSourceSecurityandRiskAnalysisReport

Yourguidetosecuringyouropensourcesupplychain

TableofContents

3|ExecutiveSummary3|Aboutthe2024OSSRA

4|Overview

6|OpenSourceVulnerabilitiesandSecurity

7|TakingActiontoPreventVulnerabilitiesfromEnteringYourSoftwareSupplyChain

8|EightoftheTop10VulnerabilitiesCanBeTracedBacktoOneCWE9|WhySomeBDSAsDon’tHaveCVEs

10|VulnerabilitiesbyIndustry

11|OpenSourceLicensing12|UnderstandingLicenseRisk

14|ProtectingAgainstSecurityandIPComplianceRiskIntroducedbyAICodingTools

15|OperationalFactorsAffectingOpenSourceRisk15|OpenSourceConsumersNeedtoImproveMaintenancePractices

16|FindingsandRecommendations

17|CreatingaSecureSoftwareDevelopmentFramework

17|KnowingWhat’sinYourCode18|Terminology

18|Contributors

|OpenSourceSecurityandRiskAnalysisReport2024|2

ExecutiveSummary

Thisreportoffersrecommendationstohelpcreatorsandconsumersofopensourcesoftwaremanageitresponsibly,especiallyinthecontextofsecuringthesoftwaresupplychain.Whetheraconsumerorproviderofsoftware,youarepartofthesoftwaresupplychain,andneedtosafeguardtheapplicationsyouusefromupstreamaswellasdownstreamrisk.Inthefollowingpages,weexamine

?Persistentopensourcesecurityconcerns

?Whydevelopersneedtoimproveatkeepingopensourcecomponentsup-to-date

?TheneedforaSoftwareBillofMaterials(SBOM)forsoftwaresupplychainmanagement?HowtoprotectagainstthesecurityandIPcomplianceriskintroducedbyAIcodingtools

Fornearlyadecade,themajorthemeofthe“OpenSourceSecurityandRiskAnalysis”(OSSRA)reporthasbeenDoyouknowwhat’sinyourcode?In2024,it’saquestionmoreimportantthaneverbefore.WiththeprevalenceofopensourceandtheriseinAI-generatedcode,moreandmoreapplicationsarenowbuiltwiththird-partycode.

Withoutacompleteviewofwha