
The Linux Foundation and Harvard’s Lab for Innovation Science release census for open-source software security

The Linux Foundation's Core Infrastructure Initiative and Harvard University's Lab for Innovation Science have teamed up on a census of the most critical open-source components in today's production applications. The report [PDF], titled "Vulnerabilities in the core", identified more than 200 projects and details 20 of them. More information can be found in the press release and, of course, the report. "This Census II analysis and report represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood. Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security."


The Linux Foundation and Harvard’s Lab for Innovation Science release census for open-source software security

Posted Feb 20, 2020 18:48 UTC (Thu) by mtaht (subscriber, #11087) (2 responses)

Javascript? Is core?

Have they ever bothered to look at root-running daemons?

The Linux Foundation and Harvard’s Lab for Innovation Science release census for open-source software security

Posted Feb 20, 2020 23:17 UTC (Thu) by david.a.wheeler (subscriber, #72896)

> Javascript? Is core? have they ever bothered to look at root running daemons?

Yes, Census I (which I led) specifically looked at system packages (it specifically looked at Debian, though different distros share many of the same important packages in practice).

Census II (run by Harvard) wanted to look at language-level packages. Their report discusses some of the challenges. One challenge of many is that the JavaScript environment strongly encourages tiny modules, with around 1/2 of all JavaScript packages having at most one function. As a result, when you start counting dependencies, there are *far* more dependencies in JavaScript (because each module does so little), and so JavaScript tends to dominate. One solution is to look at each ecosystem separately (e.g., separate JavaScript from Python). Another problem is that while dependencies tell you about transitive dependencies, they don't tell you "what people are actually using". And so on.

In my post Census II Report on Open Source Software, their long-term goal is to figure out what FOSS packages are most critical through data analysis. However, "this turns out to be extremely difficult, as discussed in the paper." They expressly state that their current results "cannot - and do not purport to - be a definitive claim of which FOSS packages are the most critical". Instead, they have developed a method as a "proof of concept" to start working towards that answer.

This is not a final answer. Instead, it shows why it's so hard to get a final answer. It's merely a step to try to move towards an answer. Your suggestions on how to get there with quantitative analysis (instead of guessing) would be welcome :-).
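The counting problem described in the comment above (micro-module ecosystems inflate transitive dependency counts, so a pooled ranking fills up with JavaScript packages, while a per-ecosystem ranking keeps the comparison fair) is easy to reproduce on a toy graph. The following is an added illustration, not code from the Census II report or from the commenter; the dependency graph, package names and ecosystem prefixes are constructed for the example, and "criticality" here is simply the number of applications that transitively depend on a package, which, as the comment notes, still says nothing about how widely those applications are actually deployed.

```python
"""Constructed example: ranking packages by transitive dependents, pooled
versus per ecosystem. Not the Census II methodology; the graph is made up."""
from collections import defaultdict

# Constructed dependency graph: package -> direct dependencies.
# "js:" packages mimic a micro-module ecosystem (each library does one small
# thing, so applications pull in long chains); "py:" packages are coarser.
# Roots (packages nothing depends on) play the role of production applications.
DEPS = {
    "js:app-1": ["js:web", "js:cli"],
    "js:app-2": ["js:web"],
    "js:app-3": ["js:trim"],
    "js:web": ["js:isarray", "js:pad", "js:trim"],
    "js:cli": ["js:pad", "js:trim"],
    "js:pad": ["js:isarray"],
    "js:trim": [],
    "js:isarray": [],
    "py:app-1": ["py:requests"],
    "py:app-2": ["py:requests", "py:crypto"],
    "py:app-3": ["py:crypto"],
    "py:requests": ["py:urllib3"],
    "py:urllib3": [],
    "py:crypto": [],
}


def ecosystem_of(pkg):
    """Ecosystem is encoded as the name prefix before ':' (constructed convention)."""
    return pkg.split(":", 1)[0]


def transitive_deps(pkg, deps=DEPS):
    """All packages reachable from pkg, excluding pkg itself (iterative DFS, cycle-safe)."""
    seen, stack = set(), list(deps.get(pkg, []))
    while stack:
        dep = stack.pop()
        if dep in seen or dep == pkg:
            continue
        seen.add(dep)
        stack.extend(deps.get(dep, []))
    return seen


def applications(deps=DEPS):
    """Roots of the graph: packages that nothing else depends on."""
    depended_on = {d for ds in deps.values() for d in ds}
    return sorted(p for p in deps if p not in depended_on)


def dependent_counts(deps=DEPS):
    """library -> number of applications that transitively depend on it."""
    counts = defaultdict(int)
    for app in applications(deps):
        for lib in transitive_deps(app, deps):
            counts[lib] += 1
    return dict(counts)


def ranked(counts, ecosystem=None):
    """Sort by dependent count (descending), then name; optionally restrict to one ecosystem."""
    items = [(lib, n) for lib, n in counts.items()
             if ecosystem is None or ecosystem_of(lib) == ecosystem]
    return sorted(items, key=lambda item: (-item[1], item[0]))


def top_pooled(n, deps=DEPS):
    """Top-n across all ecosystems at once: the micro-module ecosystem crowds the list."""
    return [lib for lib, _ in ranked(dependent_counts(deps))[:n]]


def top_per_ecosystem(n, deps=DEPS):
    """Top-n computed separately within each ecosystem."""
    counts = dependent_counts(deps)
    ecosystems = sorted({ecosystem_of(p) for p in deps})
    return {eco: [lib for lib, _ in ranked(counts, eco)[:n]] for eco in ecosystems}


def mean_transitive_deps(ecosystem, deps=DEPS):
    """Average size of an application's transitive dependency set within one ecosystem."""
    apps = [a for a in applications(deps) if ecosystem_of(a) == ecosystem]
    return sum(len(transitive_deps(a, deps)) for a in apps) / len(apps)


if __name__ == "__main__":
    print("mean transitive deps per app:",
          {eco: round(mean_transitive_deps(eco), 2) for eco in ("js", "py")})
    print("pooled top 4:", top_pooled(4))          # every slot is a js: package
    print("per-ecosystem top 2:", top_per_ecosystem(2))
```

With the same number of applications in each ecosystem, the pooled top-4 list contains only `js:` packages because each JavaScript application drags in more transitive dependencies, whereas ranking within each ecosystem surfaces `py:requests` and `py:crypto` as well.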

The Linux Foundation and Harvard’s Lab for Innovation Science release census for open-source software security

Posted Feb 23, 2020 6:57 UTC (Sun) by flussence (guest, #85566)

Javascript is probably more dangerous than root nowadays, especially considering there's numerous fairly straightforward ways to avoid handing out full root like that.


Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds