Last week, the nonprofit Linux Foundation and Harvard’s Lab for Innovation Science published Census II of Free and Open Source Software—Application Libraries. This report identifies more than 1,000 of the most widely deployed open source application libraries. Synopsys Cybersecurity Research Center (CyRC) was among the contributors of anonymized usage data based on scans of codebases at thousands of companies, providing data that allowed for a more complete picture of the free and open source software (FOSS) landscape.
The report authors noted, “It is difficult to fully understand the health, economic value, and security of FOSS because it is produced in a decentralized and distributed manner.” Because there is such variety in the ways software components are packaged, as well as how versions are catalogued and identified, the report organized them into eight Top 500 lists. Mike McGuire, security solutions manager with the Synopsys Software Integrity Group, describes packages and versions as being a bit like the model, year, and trim of a car. “If I told you I drive a Toyota Camry, you still don’t know exactly what I drive. Is it the 1999 version or the 2022 version? It’s important to know this when ordering parts, getting service, tracking recalls, etc.”