With FOSS constituting 80-90 percent of all software, it is more important than ever that we understand what FOSS is most used and where it could be vulnerable to attack. To help ensure the continued health of the ecosystem, the Linux Foundation’s Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have released ‘Vulnerabilities in the Core,’ a Preliminary Report and Census II of Open Source Software.
This Census II analysis and report is said to represent important steps towards understanding and addressing structural and security complexities in the modern day supply chain where open source is pervasive, but not always understood.
Census II identifies the most commonly used free and open source software (FOSS) components in production applications and begins to examine them for potential vulnerabilities, which can inform actions to sustain the long-term security and health of FOSS. Census I (2015) identified which software packages in the Debian Linux distribution were the most critical to the kernel’s operation and security.
“The Census II report addresses some of the most important questions facing us as we try to understand the complexity and interdependence among open source software packages and components in the global supply chain,” said Jim Zemlin, executive director at the Linux Foundation.
“The report begins to give us an inventory of the most important shared software and potential vulnerabilities and is the first step to understand more about these projects so that we can create tools and standards that results in trust and transparency in software,” Zemlin added.