The great big open-source census: Most-used libraries revealed – plus 10 things developers should be doing to keep their code secure

With modern applications now composed of 80 to 90 per cent Free and Open Source Software (FOSS), the Linux Foundation and Laboratory for Innovation Science at Harvard University (LISH) on Wednesday published their second open-source census to promote better security and code management practices. The first such report appeared …

  1. Pascal Monett Silver badge

    Something's missing in the Top 10s

    I note that in none of the top 10 most used modules listed is there anything to help with input sanitizing and checking.

    That goes some way to explain the horrendous fiascos we've witnessed in the past few years.

    1. Charlie Clark Silver badge

      Re: Something's missing in the Top 10s

      This is a result of the methodology. There are already services, such as <a href="https://libraries.io/">Libraries.io</a>, that will calculate library dependencies and watch them for security updates, and you can only sensibly do this on a component/application basis.

    2. Anonymous Coward

      Re: Something's missing in the Top 10s

      As if some shared library could sanitise input as well as my half-arsed routines.

      Next you'll be suggesting I use encryption libraries that Governments recommend rather than the cunning things I have devised. Just try decrypting my 103-pass modified Caesar cipher...

      Tbbq yhpx jvgu gung

      1. katrinab Silver badge

        Re: Something's missing in the Top 10s

        My highly sophisticated hacking tool tells me that your encrypted message says "Good luck with that".

        1. Anonymous Coward

          Re: Something's missing in the Top 10s

          Damn... Another 500-passes will fix this...

          Tbbq yhpx jvgu gung

          1. Alister Silver badge

            Re: Something's missing in the Top 10s

            Try 501 passes...

            1. Anonymous Coward

              Re: Something's missing in the Top 10s

              There's some sort of bug with even numbers...haven't figured it out yet...
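The "103-pass" cipher and the "bug with even numbers" in the exchange above, as an added example that is not part of the thread: Caesar shifts compose by addition modulo 26, so any number of passes collapses to one of only 26 keys, and an even number of ROT13 passes is the identity. The function names here are the example's own.

```python
# Added example (not from the thread): why stacking Caesar/ROT13 passes adds no strength.
import string

def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions (mod 26); non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch.isalpha() and ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def multi_pass(text: str, shift: int, passes: int) -> str:
    """Apply the same shift `passes` times, the way the commenter's 103-pass cipher would."""
    for _ in range(passes):
        text = caesar(text, shift)
    return text

def effective_shift(shift: int, passes: int) -> int:
    """Shifts form a group under addition mod 26, so N passes of k equal one shift of N*k mod 26.
    For ROT13 (k = 13) only the parity of N matters: odd -> ROT13, even -> plaintext."""
    return (shift * passes) % 26

def brute_force(ciphertext: str) -> dict[int, str]:
    """The 'highly sophisticated hacking tool': a Caesar cipher has 26 keys, so try them all."""
    return {k: caesar(ciphertext, -k) for k in range(26)}

if __name__ == "__main__":
    msg = "Good luck with that"          # the plaintext katrinab recovered
    for passes in (103, 103 + 500, 103 + 500 + 501):
        print(f"{passes:5d} passes -> effective shift {effective_shift(13, passes):2d}: "
              f"{multi_pass(msg, 13, passes)}")
    print(brute_force("Tbbq yhpx jvgu gung")[13])
```

Running it shows 103 and 603 passes both yield "Tbbq yhpx jvgu gung" while 1104 passes return the plaintext, which is the "even numbers" behaviour the thread jokes about.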

  2. Phil Endecott Silver badge

    I find it surprising that I’ve never heard of any of their top-10 things, from either list.

    Things like OpenSSL and Apache aren’t there. Have I misunderstood the scope of what they’re doing?

    1. Jon F

      Looks like they have just dumped the 10 most used libraries from npm and maven central.

      1. Notas Badoff

        Keyholes and revelations

        Consider the cited limited scope of sources (!): "contribution of private usage data by Software Composition Analysis (SCAs)" (see Methods in that PDF)

        I read that as "Hey, we got knowledgeable people to put together this corpus (so that we didn't have to). Hmm, what's lying around here and easy to stuff into a zip/tar.gz?" Thus they are all JavaScript (cuz today's fever) and Java (cuz voluminous, cuz yesterday's medicine).

        Past the headline generating claims, their Conclusion starts with "We understand that these findings are not comprehensive, but with the usage data provided, we hoped to ..." So they know they are peeking through a keyhole.

        Probably the only interesting bit of the report is in their subsection "Lessons Learned: The Persistence of Legacy Software in the Open Source Space", where they discover people continue to use old code, through a combination of code copying and cargo-culting. Well gee...

    2. Michael Wojcik Silver badge

      I guess you don't read software-security mailing lists, then. Things like jackson-databind and Apache Commons have a rich history of vulnerabilities.

      Jackson-databind just had a fresh one - CVE-2020-8840. It's only a CVSS 9.8 ("you're already dead"), though.

    3. scobiej

      Utter joke. Not even close to the top ten used libraries on the planet. I bet most of those are written in C.

  3. mr-slappy

    80 to 90 per cent FOSS

    "With modern applications now composed of 80 to 90 per cent Free and Open Source Software (FOSS)"

    Is there a citation for this? It's an interesting statistic.

    1. Fungus Bob Silver badge

      Re: 80 to 90 per cent FOSS

      Yes.

      https://www.theregister.co.uk/2020/02/20/linux_foundation_report/

    2. Michael Wojcik Silver badge

      Re: 80 to 90 per cent FOSS

      Sure, if you define "modern application" as "an application composed of 80 to 90 percent[1] FOSS".

      [1] "per cent"? Was this report written in 1970?

  4. Inachu

    Not sure if anyone else gripes about this, but I really hate when:

    You have a sort of professional company name, and this goes for Linux or Windows: you run setup or install and the path is "program folder name" (often the name of the company), then the next sub folder is something so childish like \fuzzybear or some other weird name that appears to come out of some fantasy or sci-fi world.

    STOP IT! JUST STOP IT! NOW!

    1. gerdesj Silver badge

      I understand where you are coming from for Windows, but on Linux this does not really happen. Everything ends up in a simple set of well known paths: /bin or /usr/bin or /usr/lol/bin (soz) /usr/local/bin, unless it's ./sbin, or perhaps some of those are symlinks. Now where's my config? /etc or /opt/lol/etc/config/tiddlywinks. Now go and find the logs. Oh, the /srv and /var/lib thing and old uncle Tom Cobbley and all (and all).

      OK, I'm taking the piss and actually it is surprisingly easy to find stuff on a Linux box once you work out the logic and the same usually applies on Windows too, especially once you find c:\programdata\ and the nether regions of your user home directory. Again the Linux equivalent needs a bloody great map (hello ~/.local) or some good grep and find skills to get around. At least you get those out of the box.

      1. eldakka Silver badge

        The OP does have a point when it comes to COTS software, e.g. IBM software tends to install itself under /opt/IBM, sometimes with other additional paths for all software from a particular marketing brand, e.g. /opt/IBM/Rational. However, you can change this if you want by either using a non-silent install so you get prompted for installation paths, or using a response file with the appropriate installation path entries.

      2. crayon

        Programs on *nix used to store their (user) config files and data in a central and fairly predictable place, i.e. in a single "hidden" directory/file in the user's home directory. Nowadays they are split over $HOME/.config, $HOME/.cache, $HOME/.local, and maybe something in $HOME/ for good measure.

Biting the hand that feeds IT © 1998–2020