Project sustainability is a growing problem in the open source community. There’s no guarantee that the people behind any given open source project will continue maintaining the code indefinitely. In fact, of the 2,400+ codebases examined for the OSSRA report, 88% contained open source components that had had no development activity in the last two years.
As software ages, it loses support. With open source, the number of developers working to ensure updates—including feature improvements, as well as security and stability updates—decreases over time. Without the support needed to provide fixes, the component becomes more likely to break, or to expose a codebase to exploitation. Without SCA tools in place to identify the risks that legacy open source can create, organizations leave themselves open to unaddressed security and stability issues in their software.
“SCA will continue to grow in importance as an element in organizations’ AST toolsets,” the Gartner report concludes. “This will include evaluations of the viability, stability, and provenance of packages. Tools will begin to provide warnings of packages that are maintained by a small group, where updates or responses to reported vulnerabilities lag, or when control of a package changes from one group to another.”