Paul Krill
Editor at Large

Report finds few open source projects actively maintained

Oct 12, 2023

Sonatype’s annual software supply chain analysis finds open source project maintenance in decline, while 1 in 8 open source downloads have a known risk.


A recent analysis accounting for nearly 1.2 million open source software projects primarily across four major ecosystems found that only about 11% of projects were actively maintained.

In its 9th Annual State of the Software Supply Chain report, published October 3, software supply chain management company Sonatype assessed 1,176,407 projects and reported an 18% decline this year in actively maintained projects. Just 11% of projects—118,028—were receiving active maintenance. The report also found that some projects that were unmaintained in 2022 are now being maintained.

The four ecosystems included JavaScript, via NPM; Java, via the Maven project management tool; Python, via the PyPI package index; and .NET, through the NuGet gallery. Some Go projects also were included. According to the report, 18.6% of Java and JavaScript projects that were being maintained in 2022 are no longer being maintained today.

Sonatype also found that open source projects that are consistently maintained outperform counterparts on critical best practices for software security.

The 62-page report blends public and proprietary data and analysis, including dependency update patterns for more than 400 billion Maven Central downloads and thousands of open source projects. It also incorporates survey results from 621 engineering professionals and security trends from the four major software ecosystems. Additional findings from the report:

  • 67% of respondents said they did not believe their applications relied on known vulnerable libraries. Nearly 10% reported security breaches due to open source vulnerabilities in the past 12 months.
  • 39% of organizations discover vulnerabilities within one to seven days, while 29% take more than a week and 28% discover them within a day. As for mitigation, 39% require more than a week to mitigate vulnerabilities.
  • Use of AI and machine learning software components within corporate environments surged 135% over the last year.
  • One in eight open source downloads had a known risk, but 96% of vulnerable downloaded releases had a fixed version available.
  • The rate of download growth in open source consumption has slowed during the past two years.