We recently released the fifth annual State of the Software Supply Chain Report in London. This year, we worked with Gene Kim and Dr. Stephen Magill to examine our largest data sample ever. Our goal? To qualify and quantify how exemplary development teams operate.
As part of the research we identified the top 3% of DevOps teams using exemplary practices. (Take the quiz to see how your team stacks up.)
Before we could truly understand these practices, we had to have the right context. The report’s first goal was to compare the use of open source in 2019 to that of years past and understand the broader environment developers are working in. As anticipated, open source component use continues to rocket upward.
Supply of Open Source is Massive
As the report indicates:
The massive supply of open source components grows with every new innovation and maintenance of previous parts. New versions enhance features, fix bugs, and patch security.
Supply of Open Source is Expanding Rapidly
Sonatype’s study across several open source component ecosystems reveals that the number of releases housed within public repositories increased from 16.6 million to 28.4 million from January 2018 through today. On average, developers have had access to more than 21,448 new open source component releases every day since the beginning of 2018.
This poses significant questions for organizations wanting to better manage their software supply chains:
- How often do projects publish new versions?
- Do certain projects release updates more frequently?
- Do other projects release updates less frequently?
- What are the implications?
- Who are the best component suppliers?
Open Source Consumption has “Gone Wild”
Consumption of open source is so vast that most organizations cannot identify how many components are entering into their software supply chains, how those components are flowing through development lifecycles, the relative quality and security of those components, or which components exist within production applications.
In 2018, developers around the world consumed hundreds of billions of open source software component releases.
Accelerating Demand for Open Source Libraries
Automated Pipelines and DevOps Are Key Drivers
Moreover, managing this massive growth requires automation. As the report details:
Exponential growth in the consumption of open source component releases and containers is a proxy for the adoption of automated software development tools and DevOps pipelines. Automated tooling can generate hundreds or thousands of download requests per build.
In the context of software supply chain management, each download equates to a procurement effort by development teams. Each open source software component release is chosen from an OSS project that acts as a supplier to developers who assemble tens, hundreds, and sometimes thousands of component releases into a finished application.
This landscape, which only points to continued growth and demand of open source, poses interesting dilemmas and opportunities. Operating in today’s open source software universe means that teams must:
- Select parts, the best quality parts, from an increasing supply of open source components;
- Evaluate parts, again the best, from new and constantly updated releases;
- Understand which open source components (and related dependencies) exist in their projects;
- Automate the development process to manage the above conditions; and
- Protect the integrity of their final product, whether a stand-alone application or integrated software.
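The three middle demands (know which components and transitive dependencies a project pulls in, automate that accounting, and protect the integrity of what ships) can be checked mechanically against the lockfile a build actually resolves from. The following is an added example written for this post, not code from the report or from Sonatype: it reads an npm `package-lock.json` in the lockfileVersion 3 `packages` layout, inventories every supplied component, splits direct from transitive dependencies, and flags entries whose download cannot be verified (no `integrity` hash, a weak digest algorithm, or a source that is not an https registry). The lockfile content, package names, URLs and hashes are constructed placeholders.

```python
"""Inventory the components an npm lockfile pulls into a build and flag
entries that weaken integrity guarantees. Added example; sample data is
constructed and does not describe real packages."""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample in the npm lockfileVersion 3 "packages" layout.
# Names, versions, URLs and hashes are illustrative placeholders only.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-app",
            "dependencies": {
                "pad-strings": "^1.0.0",
                "http-fetchlet": "~2.1.0",
                "@acme/internal-helper": "git+ssh://git@example.invalid/acme/internal-helper.git",
            },
            "devDependencies": {"tiny-test-runner": "^4.0.0"},
        },
        "node_modules/pad-strings": {
            "version": "1.0.3",
            "resolved": "https://registry.example.invalid/pad-strings/-/pad-strings-1.0.3.tgz",
            "integrity": "sha512-PLACEHOLDERHASH0001",
        },
        "node_modules/http-fetchlet": {
            "version": "2.1.4",
            "resolved": "https://registry.example.invalid/http-fetchlet/-/http-fetchlet-2.1.4.tgz",
            "integrity": "sha512-PLACEHOLDERHASH0002",
            "dependencies": {"tiny-util": "^0.3.0"},
        },
        # Transitive dependency recorded without an integrity hash.
        "node_modules/http-fetchlet/node_modules/tiny-util": {
            "version": "0.3.1",
            "resolved": "https://registry.example.invalid/tiny-util/-/tiny-util-0.3.1.tgz",
        },
        "node_modules/tiny-test-runner": {
            "version": "4.0.0",
            "resolved": "https://registry.example.invalid/tiny-test-runner/-/tiny-test-runner-4.0.0.tgz",
            "integrity": "sha1-PLACEHOLDERHASH0003",  # weak digest algorithm
        },
        # Git checkout: no registry and no content hash beyond the commit ref.
        "node_modules/@acme/internal-helper": {
            "version": "0.0.1",
            "resolved": "git+ssh://git@example.invalid/acme/internal-helper.git#0123abcd",
        },
    },
})

STRONG_DIGESTS = ("sha512-", "sha384-", "sha256-")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    resolved: str
    integrity: str | None
    direct: bool


def parse_lockfile(text: str) -> list[Component]:
    """Return one Component per installed package recorded in the lockfile."""
    packages = json.loads(text).get("packages", {})
    root = packages.get("", {})
    direct_names = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    components = []
    for path, entry in packages.items():
        if path == "":
            continue  # the root project itself is not a supplied component
        # The name is everything after the last "node_modules/" segment, which
        # keeps scoped names such as @acme/internal-helper intact.
        name = path.rsplit("node_modules/", 1)[-1]
        components.append(Component(
            name=name,
            version=entry.get("version", ""),
            resolved=entry.get("resolved", ""),
            integrity=entry.get("integrity"),
            direct=name in direct_names,
        ))
    return components


def summarize(components: list[Component]) -> dict[str, int]:
    """Count the suppliers a build pulls in, split into direct and transitive."""
    direct = sum(1 for c in components if c.direct)
    return {"total": len(components), "direct": direct, "transitive": len(components) - direct}


def integrity_findings(components: list[Component]) -> dict[str, str]:
    """Map each unverifiable component to the reason its entry cannot be checked."""
    findings = {}
    for c in components:
        if not c.resolved.startswith("https://"):
            findings[c.name] = "not resolved from an https registry"
        elif c.integrity is None:
            findings[c.name] = "no integrity hash recorded"
        elif not c.integrity.startswith(STRONG_DIGESTS):
            findings[c.name] = "weak digest algorithm"
    return findings


if __name__ == "__main__":
    comps = parse_lockfile(SAMPLE_LOCKFILE)
    print(summarize(comps))
    for name, reason in integrity_findings(comps).items():
        print(f"{name}: {reason}")
```

Run against a real lockfile, the summary is the "how many suppliers did this build procure from" number the report talks about, and the findings list is the set of downloads a CI job would accept without being able to prove it got the bytes the lockfile author saw. The same three checks transfer to other ecosystems that record resolved URLs and hashes (for example `Pipfile.lock` or `Cargo.lock`), only the parsing differs.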
Balancing these demands requires marrying excellent DevOps practices with seamless security: true DevSecOps. The report shares more about the environment we’re all living in and what we can learn from these exemplar teams.