Open source bugs have skyrocketed in the last year, according to a report from open source licence management and security software vendor WhiteSource.
The number of open source bugs sat steady at just over 4,000 in 2017 and 2018, the report said, having more than doubled the number of bugs from pre-2017 figures that had never before broken the 2,000 mark.
Then, 2019’s numbers soared again, topping 6,000 for the first time, said WhiteSource, representing a rise of almost 50%.
By far the most common weakness enumeration (CWE – a broad classifier of different bug types) in the open source world is cross-site scripting (XSS). This kind of flaw accounted for almost one in four bugs and was the top for all languages except C. This was followed by improper input validation, buffer errors, out-of-bound reads, and information exposure. Use after free, another memory flaw, came in last with well under 5% of errors.
WhiteSource had some harsh words for the national vulnerability database (NVD), which it said only contains 84% of the open source vulnerabilities that exist. It adds that many of these vulnerabilities are reported in other places first and only make it into the NVD much later.
It also criticised the common vulnerability scoring system (CVSS), which was launched in 2005 and was recently upgraded to 3.1. It said that the system has changed the way it scores bugs over time, tending towards higher scoring. WhiteSource complained:
[…] how can we expect teams to prioritize vulnerabilities efficiently when over 55% are high-severity or critical?
FIRST, which organises CVSS, didn’t reply to our request for comment but we will update this article if they do.
Expect to see the number of bugs rise over time, predicted the report. It pointed to GitHub’s recently announced Security Lab as a key development in open source bug reporting. GitHub, which hosts many open source products, has an embedded disclosure process that will encourage project maintainers to report vulnerabilities, it said.
The 2017 bug spike isn’t specific to open source, which happens to be WhiteSource’s focus here. We saw a corresponding spike in general bugs as reported in the CVE database in 2017. However, the number of overall bugs reported as CVEs actually dipped below 2017 levels last year.
Update 17 March
With the introduction of CVSSv3, many new concepts, previously unavailable in earlier versions of the CVSS specification, were introduced. These included: Scope, Attack Complexity, User Interaction, and Privileges Required. Additionally, detailed analysis was performed by over 20 active CVSS SIG members. To produce the CVSS v3.0 formula, the SIG framed the lookup table by assigning v3.0 metric values to real vulnerabilities, and a severity group (low, medium, high, critical). Having defined the acceptable numeric ranges for each severity level, the SIG then collaborated with Deloitte & Touche LLP to adjust formula parameters in order to align v3.0 metric combinations to the SIG’s proposed severity ratings.
The resultant scoring curve represents, in the representative members’ opinions, a more applicable and apt scoring of vulnerabilities, compared to previous versions of CVSS. A quick review of the CVSS Scoring Examples for v3.0 and v3.1 show how this realignment has helped provide better alignment of the severity ratings with heuristic expectations for various types of vulnerabilities. For example, CVE-2014-3566 (POODLE) changed from a CVSSv2 score of 4.3 to a CVSSv3.0 score of 3.1, while CVE-2012-1342, an access control list bypass, was raised slightly from 5.0 (v2) to 5.8 (v3). Famously, cross-site scripting vulnerabilities were woefully under-scored in CVSSv2 (e.g. CVE-2013-1937) and brought more in line with real-world impact (4.3 → 6.1).Finally, it’s not unreasonable to assume that there may be some instances of “vendor disclosure bias” where a CVE ID or external advisory is not pursued for vulnerabilities on the lower end of the CVSS spectrum. This could give the impression that most [public] vulnerabilities have relatively high scores along the intended CVSS normal curve.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Cassandra
Is this like crime figures?
If people think something might be done, they report it.
If reporting is made easier, they report it
Or is it that more people are moving to open source and consequently less skilled developers are putting more “beta” applications out there which have a smaller skilled user base to examine the source code before it gets into the hands of the rest of us?
Or are we recognising as “bugs” things which would previously have been called quirky features or “anomalies” (the favourite excuse of IT at a company I worked for in the 1980s).
We need to better understand the headline; are things getting more dangerous or are we just recognising that things have always been dangerous?
Paul Ducklin
All of the above, I suspect. More code, more scrutiny, more things identified as “bugs”, a more open policy to denoting bugs, more visibility into the number that get fixed, and so on.
dor.grey79@gmail.com
And still less than windows……..
Brad Hawkes
I agree with WhiteSource with respect to newer versions of CVSS ranking everything all too high. A few years ago when we switched from using CVSS v2 to v3 to quantify risk and prioritize work, we found it far more difficult.