Sonatype Uncovers Millions of Previously Hidden Open Source Vulnerabilities Through Unique Shaded Vulnerability Detection System

LONDON, UK. 2nd May 2024 – Sonatype, the software supply chain optimisation company, today announced it has identified 336,000 previously undetectable “Critical” open source vulnerabilities through a new, first-of-its-kind shaded vulnerability detection capability in the Sonatype platform that transforms the identification of hidden security threats within open source code.

This industry-first data enhancement comes from a novel, Sonatype-created algorithm capable of detecting vulnerabilities in “shaded” open source files—a technique in which original code is repackaged, often making detection by traditional means impossible. Through this technique, Sonatype uncovered a previously hidden layer of risk within the software supply chain, resulting in 4.5 million additional open source vulnerabilities being found, 1.85 million with a “High” risk classification, and 336,000 having a CVSS score of 9.7+, categorised as Critical by the National Vulnerability Database (NVD) and comparable to Log4Shell in severity.

The pace of software innovation is paramount to remaining competitive, but for development teams to work efficiently, they must prioritise where to spend their time. Comprehensive intelligence on vulnerable components provides a holistic picture, improving risk management while eliminating developer waste so teams can focus on innovating at scale.

Speaking on the announcement, Wayne Jackson, CEO of Sonatype said, “The reality is, ‘good enough’ is not enough when it comes to securing the open source software that underpins much of the digital world. Bad actors are constantly evolving their methods, and to help our customers stay ahead of them, we must evolve as well. Our commitment is to provide the deepest, most comprehensive insights into open source vulnerabilities, coupled with the tools and automation necessary to boost developer productivity while minimising security risks.”

This announcement is particularly important given the recent uptick in attacks targeting the software supply chain, such as the malicious code found in the widely used XZ utility. These recent attacks have shone a harsh light on the need for companies to adopt more sophisticated software supply chain security measures to protect against such vulnerabilities, mitigate risks within the open source ecosystem, and safeguard organisations from large-scale attacks.

Unlike other tools, the Sonatype platform’s design emphasises comprehensiveness and precision in findings, virtually eliminating false positives while surfacing false negatives. This ensures that teams focus only on genuine threats at the right time, reducing unnecessary workload and strain on development teams. Equally important, the platform also equips developers with automated remediation tools, enabling far more efficient and productive vulnerability resolution.

“While no one wants to see more vulnerabilities discovered in open source, sunshine is, as they say, the best disinfectant. The key here is to prioritise the most critical, exploitable defects and to provide developers with reliable fixes that do not get in the way of innovation,” said Jackson. “We know the pressures on both developers and security teams, which is why our solutions streamline and even automate the remediation process; helping developers resolve the most critical issues while maintaining high levels of efficiency and productivity. This balance is key for driving innovation while safeguarding software integrity.”

Amid the growing complexity of software supply chains, Sonatype’s innovations offer optimism that developers can continue to develop innovative software, while avoiding additional security-related stress. By merging security with productivity, Sonatype dispels the notion that companies must compromise between the two. This progress highlights the potential for businesses to enhance efficiency and security, making a new era in software development and cybersecurity truly possible.

About Sonatype

Sonatype is the software supply chain optimisation company. We provide the world’s best software supply chain optimisation technology and intelligence, empowering enterprises to create and maintain secure, quality, and innovative software at scale. As founders of Nexus Repository and stewards of Maven Central, the world’s largest repository of Java open-source software, we are software pioneers and our open-source expertise is unmatched. We empower innovation with an unparalleled commitment to build faster, safer software and harness AI and data intelligence to mitigate risk, maximise efficiencies, and drive powerful software development. More than 2,000 organisations, including 70% of the Fortune 100 and 15 million software developers, rely on Sonatype to optimise their software supply chains. To learn more about Sonatype, please visit www.sonatype.com.