Forty-three percent of the audited codebases containing jQuery also contained CVE-2020-11023. Forty-three percent! The knee-jerk reaction to that finding might be to discard jQuery altogether when it’s nearly a coin flip whether a given copy of the library comes with a known vulnerability.
Yet the jQuery community had the component patched and a fixed release available almost immediately after the vulnerability was disclosed in May 2020, so the blame shouldn’t be assigned there. As with open source in general, the underlying security issue isn’t jQuery itself; it’s users not keeping the open source they use up to date. Need proof? Of the 1,481 codebases examined by the Black Duck Audit Services team in 2022, 91% contained outdated versions of open source components.
More than a year after its disclosure, Log4Shell is another example of an evergreen vulnerability. Despite the media attention it received and the numerous avenues organizations can take to confirm its presence and remediate it, the 2023 OSSRA report data still found vulnerable versions of Log4j in 5% of the total codebases scanned, and in 11% of Java codebases.
It’s also worth noting that the same jQuery vulnerability—CVE-2020-11023—was found in 43% of the codebases scanned the previous year for the 2022 OSSRA report. This is further evidence that developers and users are either deferring updates to vulnerable open source components or are unaware that the vulnerabilities are there.
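As an added example (not part of the OSSRA report or this article), the kind of inventory check that surfaces the outdated jQuery copies described above: it reads the version out of jQuery file banners and package.json manifests and flags anything predating 3.5.0, the release that fixed CVE-2020-11023. The banner pattern, the manifest handling and the sample files are assumptions constructed for the example.

```python
import json
import re

# CVE-2020-11023 (jQuery htmlPrefilter XSS) was fixed in jQuery 3.5.0.
FIXED_IN = (3, 5, 0)
# jQuery builds open with a banner such as "/*! jQuery v3.4.1 | (c) ...";
# the banner pattern and the sample inputs below are assumptions/constructed.
BANNER_RE = re.compile(r"/\*!\s*jQuery\s+v(\d+)\.(\d+)\.(\d+)")
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def jquery_version_from_js(source):
    """Return (major, minor, patch) from a jQuery file banner, or None."""
    m = BANNER_RE.search(source)
    return tuple(int(x) for x in m.groups()) if m else None

def jquery_version_from_package_json(text):
    """Return the lowest jQuery version a package.json range allows, or None.
    A floor below 3.5.0 (e.g. "^1.12.4") means a vulnerable build may be installed."""
    data = json.loads(text)
    deps = {**data.get("dependencies", {}), **data.get("devDependencies", {})}
    m = VERSION_RE.search(deps.get("jquery", ""))
    return tuple(int(x) for x in m.groups()) if m else None

def affected_by_cve_2020_11023(version):
    """True when the detected version predates the 3.5.0 fix."""
    return version is not None and version < FIXED_IN

def scan(files):
    """Map each path holding jQuery to its version and CVE-2020-11023 status."""
    report = {}
    for path, content in files.items():
        if path.endswith("package.json"):
            v = jquery_version_from_package_json(content)
        else:
            v = jquery_version_from_js(content)
        if v is not None:
            report[path] = {"version": ".".join(map(str, v)),
                            "cve_2020_11023": affected_by_cve_2020_11023(v)}
    return report

# Constructed sample inputs standing in for files in an audited codebase.
SAMPLE_FILES = {
    "web/static/jquery.min.js": "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
    "admin/vendor/jquery.min.js": "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
    "frontend/package.json": '{"dependencies": {"jquery": "^1.12.4"}}',
}

if __name__ == "__main__":
    for path, result in scan(SAMPLE_FILES).items():
        print(path, result)
```

Run against a real tree, the same functions would be fed file contents from a directory walk; the point is that a one-off check like this (or an SBOM tool doing the same job) is what turns "unaware the component is there" into a patching ticket.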
Of course, there can be valid reasons for not keeping software up-to-date. A DevSecOps team might determine that the risk of unintended consequences outweighs whatever benefit would come from applying the newer version. Embedded software may be at minimal risk from vulnerabilities that can only be introduced from an external source. Or it could be a time/resources issue. With many teams already stretched to the limit building and testing new code, updates to existing software can become a low priority except for the most critical issues.
But it’s more likely that the majority of unpatched open source components are due to a DevSecOps team not knowing that there is a newer version of the component available—if they are aware the component is there at all. Dev teams are constantly changing; people take on new projects or leave the organization altogether, and group knowledge regularly gets lost.