A World of Infinite Choice in Open Source Software

July 11, 2019 By Katie McCaskey


We recently released the fifth annual State of the Software Supply Chain Report in London. This year, we worked with Gene Kim and Dr. Stephen Magill to examine our largest data sample ever. Our goal? To qualify and quantify how exemplary development teams operate.

As part of the research we identified the top 3% of DevOps teams using exemplary practices. (Take the quiz to see how your team stacks up.)

Before we could truly understand these practices, we had to have the right context. The report's first goal was to compare the use of open source in 2019 to that of years past, and to understand the broader environment developers are working in. As anticipated, open source component use continues to rocket upward.

Supply of Open Source is Massive

As the report indicates:

There are now more than 3.7 million unique Java open source software component releases in the Central Repository, 800,000 unique JavaScript packages in npm, 1.2 million unique Python component releases housed in the PyPI repository, and 1.6 million .NET component releases in the NuGet Gallery. There are also more than 2.2 million containerized applications housed in Docker Hub — up from 900,000 the previous year.

The massive supply of open source components grows with every new project and with every maintenance release of existing ones. New versions enhance features, fix bugs, and patch security flaws.

Supply of Open Source is Expanding Rapidly

Open Source Software Growing Rapidly

Sonatype's study across several open source component ecosystems reveals that the number of releases housed within public repositories increased from 16.6 million to 28.4 million from January 2018 through today. On average, developers have had access to more than 21,448 new open source component releases every day since the beginning of 2018.

Open source growth is robust across numerous ecosystems, but npm has grown particularly fast due to JavaScript’s emergence as a universal web application programming language.

This poses significant questions for organizations wanting to better manage their software supply chains:

  • How often do projects publish new versions?
  • Do certain projects release updates more frequently?
  • Do other projects release updates less frequently?
  • What are the implications?
  • Who are the best component suppliers?

Open Source Consumption has “Gone Wild”

Consumption of open source is so vast that most organizations cannot identify how many components are entering into their software supply chains, how those components are flowing through development lifecycles, the relative quality and security of those components, or which components exist within production applications.

In 2018, developers around the world consumed hundreds of billions of open source software component releases.

Accelerating Demand for Open Source Libraries

The growing demand for innovation has accelerated implementations of automated software development pipelines. This is driving open source consumption to new heights across all major ecosystems, such as Java, JavaScript, and npm.

(Chart: npm downloads and number of download requests for Java components)

Automated Pipelines and DevOps Are Key Drivers

Moreover, managing this massive growth requires automation. As the report details:

Exponential growth in the consumption of open source component releases and containers is a proxy for the adoption of automated software development tools and DevOps pipelines. Automated tooling can generate hundreds or thousands of download requests per build.

In the context of software supply chain management, each download equates to a procurement effort by development teams. Each open source software component release is chosen from an OSS project that acts as a supplier to developers who assemble tens, hundreds, and sometimes thousands of component releases into a finished application.

This landscape, which points only to continued growth in the supply of and demand for open source, poses interesting dilemmas and opportunities. Operating in today's open source software universe means that teams must:

  • Select parts -- the best quality parts -- from an increasing supply of open source components;
  • Evaluate parts -- again, the best -- from new and constantly updated releases;
  • Understand which open source components (and related dependencies) exist in their projects;
  • Automate the development process to manage the above conditions; and
  • Protect the integrity of their final product, whether a stand-alone application or integrated software.

Balancing these demands requires marrying excellent DevOps practices with seamless security: true DevSecOps. The report shares more about the environment we're all living in and what we can learn from these exemplary teams.

Download the full 2019 State of the Software Supply Chain Report here.


Sources:

Sonatype, npmjs.org, python.pypi.org, nuget.org
hub.docker.com
https://twitter.com/seldo/status/1105987692305604608


Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.