Revenera released the Revenera 2022 State of the Software Supply Chain Report, including research and six steps to better secure the software supply chain. This report helps security, software development, and legal experts benchmark their own efforts against market trends.
The Revenera report analyzes data from more than 100 open source audit projects conducted in 2021, identifying trends related to companies' use of open source software (OSS) and their awareness of the associated license compliance and security risks. This global, cross-industry study evaluated more than 2.6 billion lines of code and found that companies are only aware of 17% of the open source components they use, a 4 percent increase in the past year.
Given that open source use is on the rise, along with the operational risks it imposes and the growing need for transparency and an SBOM, adoption of Software Composition Analysis (SCA) tools is expected to rise steadily. SCA identifies open source components and warns about their license terms and security vulnerability exposures, helping organizations shore up potential blind spots in their software supply chain.
"Companies have realized they need to secure the software supply chain, which is under attack, as evidenced through vulnerabilities such as Log4Shell. All indications say bad actors are going to step up their exploits in the coming year," said Alex Rybak, Director, Product Management, Revenera. "The use of third-party content and open source software will continue to increase. Organizations that invest in company-wide policies, continuous assessment, Software Composition Analysis solutions, and corporate compliance programs are best able to quickly respond to risks and customer requests."
Key highlights of the Revenera 2022 State of the Software Supply Chain Report:
- Issues at all priority levels are growing: The number of the most severe issues, priority level P1, grew 6% over last year's findings. Lower priority issues, however, surged: secondary priority issues (P2) and the lowest risk (P3) issues grew by 50% and 34%, respectively, over the past year. This reflects the growing prevalence of OSS and a significant increase in the average number of dependencies in popular ecosystems, which widens the surface for risk.
- Demand for SBOMs is growing: Demand for SBOMs was driven by a broadening array of stakeholders and regulatory requirements, such as the U.S. government's Executive Order on Improving the Nation's Cybersecurity. The approach to building SBOMs is improving through automated, collaborative, and dynamic processes, and as the formats for creating and sharing SBOMs (SPDX, CycloneDX, and SWID) become standard.
- SBOM items increased: The Revenera audit team identified 12 percent more items in 2021 than in the prior year, with 2,200 uncovered per audit project compared to 1,959 in 2020. Additionally, Revenera discovered a new issue for every 11,500 lines of code analyzed, a 5% increase compared to 2020.
- More binaries: Compared to source code, binaries are more complex, often combining IP from multiple sources and using many constituent files. This report found a 7 percent increase in binaries compared to 2020.
- M&A activity drove more SCA audits: M&A activity drove demand for complete risk profiles, forensic reports, and remediation assessments.
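The SCA behaviour the report describes (identifying open source components and warning on their license terms and known vulnerability exposures) and the SBOM formats named in the highlights come together in the following added example, which is not Revenera's code or tooling: a Python script that reads a minimal CycloneDX-style JSON SBOM and runs two checks over its component list, a license allowlist check and a version-range match against an advisory list. The SBOM, the license allowlist, the package names and the advisory identifiers (ADV-EXAMPLE-*) are all constructed for illustration; a real SCA tool would pull advisories from a vulnerability database and take the license policy from the organization.

```python
"""SCA-style checks over a CycloneDX JSON SBOM (added example, not Revenera's code).

Everything below (the SBOM, the license allowlist, the advisory list) is
constructed for illustration; package names and advisory ids are placeholders.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Constructed CycloneDX 1.4-style document with four components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "components": [
    {"type": "library", "name": "fastparse", "version": "2.14.1",
     "purl": "pkg:maven/com.example/fastparse@2.14.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "example-utils", "version": "4.17.21",
     "purl": "pkg:npm/example-utils@4.17.21",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "oldcrypto", "version": "0.9.0",
     "purl": "pkg:pypi/oldcrypto@0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "no-license-pkg", "version": "1.0.0",
     "purl": "pkg:npm/no-license-pkg@1.0.0"}
  ]
}
"""

# Constructed policy: licenses the (hypothetical) organization accepts.
LICENSE_ALLOWLIST = {"Apache-2.0", "MIT", "BSD-3-Clause"}

# Constructed advisory list with placeholder ids: a package (purl without
# version) is affected when introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:maven/com.example/fastparse",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:npm/example-utils",
     "introduced": "0.0.0", "fixed": "4.17.21"},
]


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: str
    licenses: tuple[str, ...]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2.14.1' or '2.15' into a comparable, zero-padded numeric triple."""
    parts = []
    for piece in text.split(".")[:3]:
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def load_components(sbom_text: str) -> list[Component]:
    """Extract name, version, purl and declared licenses from a CycloneDX SBOM."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = []
    for entry in bom.get("components", []):
        ids = []
        for lic in entry.get("licenses", []):
            # CycloneDX allows either a license object or an SPDX expression.
            obj = lic.get("license", {})
            ids.append(obj.get("id") or obj.get("name") or lic.get("expression") or "UNKNOWN")
        components.append(Component(entry["name"], entry.get("version", ""),
                                    entry.get("purl", ""), tuple(ids) or ("UNKNOWN",)))
    return components


def license_findings(components: list[Component], allowlist: set[str]) -> list[tuple[str, str]]:
    """Components whose declared license (or lack of one) falls outside the policy."""
    return [(c.purl or c.name, lic) for c in components for lic in c.licenses
            if lic not in allowlist]


def vulnerability_findings(components: list[Component], advisories: list[dict]) -> list[tuple[str, str]]:
    """Components whose version lies inside an advisory's affected range."""
    findings = []
    for c in components:
        package = c.purl.split("@", 1)[0]
        version = parse_version(c.version)
        for adv in advisories:
            if adv["package"] == package and \
                    parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                findings.append((c.purl, adv["id"]))
    return findings


def audit(sbom_text: str, allowlist=LICENSE_ALLOWLIST, advisories=ADVISORIES) -> dict:
    """Run both SCA-style checks and return a summary usable by a policy gate."""
    components = load_components(sbom_text)
    return {
        "components": len(components),
        "license_findings": license_findings(components, allowlist),
        "vulnerability_findings": vulnerability_findings(components, advisories),
    }


if __name__ == "__main__":
    for key, value in audit(SBOM_JSON).items():
        print(f"{key}: {value}")
```

The two checks are deliberately kept apart: the vulnerability match is a pure data lookup that improves as the advisory feed improves, while the license check encodes a policy decision, which is why the allowlist is passed in rather than hard-wired. A component with no license block at all is reported as UNKNOWN rather than silently accepted, since an undeclared license is exactly the kind of blind spot the report counts as an audit item.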