Chart of the Week

SEPT 2023: VOLUME 1

What’s in your open-source software?

The Data

Lineaje research indicates that 8.3% of Open Source Software is of unknown origin.


  • 3% of components embedded in open source software as dependencies don’t come from where the open source developers claimed to have gotten them from. So you don’t know where they came from and neither do the developers that included them!
  • 5.3% of all components come from the PURL (Package URL) where they were included. However, the version included does not match the version published by the developing product. They have been tampered with and the tampered source code from where they were built is not available to you.

The Implication


  • Lack of Trust: Components with dubious or unknown origins do not undergo the same level of scrutiny or security checks as well-established, reputable sources.
  • Potential for Malicious Insertions: Components of unknown origin may have been tampered with, potentially containing backdoors, malware, or other malicious code that could compromise the security of the system.
  • Limited Patch Availability: In the event of a vulnerability discovery, it may be difficult or impossible to obtain timely patches or updates for components of dubious origin, leaving the software exposed to potential exploits.
  • Remediation Efforts: Identifying and replacing components of dubious origin can be resource-intensive and time-consuming.
  • Opaque Dependencies: Far unknown components understanding the function the component provides is difficult and the dependencies it includes are opaque.

Unknown components in your software are a high risk and well-known Open source components pull them into your software.