TRENDING
(chart fragment: npm 44%)
The component TensorFlow has the highest number of reported vulnerabilities, and since it's often installed without manifest files, it underlines the importance of covering "phantom dependencies".
• Phantom Dependencies and Other Trouble Spots: Among select customers scanned for this report, the share of Python phantom dependencies in the universe of dependencies ranges from 0 to 60%. But here's the most important finding: the share of vulnerabilities in those phantom dependencies (in the total of vulnerabilities) gets as high as 85%. In this regard, 'rebundling' is a serious issue across ecosystems: thousands of Python and Java components rebundle binary code from other open source projects.
• Finding Known-Vulnerable Code:
While identifying connections between apps and vulnerabilities is at the core of strengthening security, numerous technical challenges make it hard to link one to the other within their dependencies. However, building databases that cover this kind of dependency identification, particularly with regard to the quality of the vulnerability data itself, is key to avoiding false positives and false negatives.
• Remediating Known Vulnerabilities:
24% of 1,250 updates from vulnerable to non-vulnerable component versions (published by the 15 most problematic libraries after 2016) require a major version update, while 6% of the 1,250 updates can be done by updating the minor or patch version.
In terms of overall solutions, using the Exploit Prediction Scoring System (EPSS) as a prioritization tool is a strong second-order activity.
With this option, 80% of reachable vulnerabilities have a 1% or less predicted chance of being exploited.
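To make the phantom-dependency finding above concrete, here is an added example (not code from the report or from any vendor's scanner) that flags Python packages imported by source code but absent from the project's requirements.txt. The source files, requirements and the small distribution-to-module map are constructed for the example; a real scan would derive the map from installed package metadata.

```python
"""Flag Python phantom dependencies: third-party modules imported by the code
but not declared in the manifest (requirements.txt). Sample inputs are constructed."""
import ast
import re
import sys

# Constructed sample: two source files and the requirements.txt of the same project.
SAMPLE_SOURCES = {
    "train.py": "import os\nimport numpy as np\nimport tensorflow as tf\n"
                "from sklearn.model_selection import train_test_split\n",
    "serve.py": "import json\nfrom flask import Flask\nimport requests\n",
}
SAMPLE_REQUIREMENTS = "numpy==1.26.4\nFlask>=3.0\nrequests~=2.31\n"

# Distribution name -> importable top-level module, only where the two differ.
# Constructed for the sample; real projects need a fuller map.
DIST_TO_MODULE = {"scikit-learn": "sklearn", "pillow": "PIL"}

# Standard-library modules are never dependencies (sys.stdlib_module_names is 3.10+).
STDLIB = set(getattr(sys, "stdlib_module_names", ())) | {"os", "json", "sys", "re"}

def imported_top_level(source: str) -> set[str]:
    """Top-level module names imported by one Python source file."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])   # skip relative imports
    return names

def declared_modules(requirements: str) -> set[str]:
    """Import names declared in a requirements.txt (names normalised to lower-case)."""
    mods = set()
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        dist = re.split(r"[<>=!~;\[ ]", line, 1)[0].lower().replace("_", "-")
        mods.add(DIST_TO_MODULE.get(dist, dist.replace("-", "_")))
    return mods

def find_phantom_dependencies(sources: dict[str, str], requirements: str) -> set[str]:
    """Third-party modules imported anywhere in `sources` but missing from the manifest."""
    imported = set().union(*(imported_top_level(s) for s in sources.values()))
    return {m for m in imported - STDLIB if m not in declared_modules(requirements)}

if __name__ == "__main__":
    print(sorted(find_phantom_dependencies(SAMPLE_SOURCES, SAMPLE_REQUIREMENTS)))
```

On the sample, tensorflow and sklearn are reported as phantom dependencies: a manifest-only scanner would miss both, which is exactly the gap the report's TensorFlow observation points at.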
26 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com