Nine out of 10 components in the average application are open source, according to an analysis of 1,700 apps in Sonatype’s “State of the Software Supply Chain.” In its own report, Synopsys reports that 70% of the customer codebases it audited are open source. Those are high-end estimates. A survey of people familiar with application security by ESG provides a lower figure — only 43% believe that more than half of their enterprise’s codebase is open source.
Why the wide variation in numbers? Semantics. A report co-written by Frank Nagle of the Harvard Business School notes that Software Composition Analysis vendors don’t share a common definition of what constitutes a “component.” For example, a package containing many sub-components is counted as a single entity in some data sets and as many in others. Furthermore, deciding what constitutes an application is itself an inherently subjective exercise.