Research with Snyk and Redhunt Labs: Scanning the top 1000 orgs on GitHub

Open source code is a vital aspect of modern development. It allows developers to increase their application’s functionality, while reducing overall development time. However, the system isn’t perfect. The nature of third party software and it’s dependencies often creates opportunity for security vulnerabilities to lurk in libraries and downloads. 

One solution to this problem is package managers. Many languages, such as JavaScript or Python, have package managers like npm (Node Package Manager) and pip (Preferred Installer Program) — which rely on the specific files they read to determine what dependencies should be downloaded. If a dependency explicitly mentions a version, the package manager will download those dependency versions. But, the versions of these dependencies are often depreciated, and could contain potential security vulnerabilities. 

In a recent research project, Snyk and Redhunt Labs set out to learn more about the security posture of popular GitHub repositories. The top 1000 GitHub organizations were scanned for insecure dependencies in their source repositories. By extracting their dependencies and comparing their versions against widely known security flaws, the researchers attempted to evaluate the security state of these repositories. Results for the Java, JavaScript, Python, and Ruby repositories are presented separately in the report.

In order to concentrate on repositories with a possible impact, the research entailed filtering down repositories based on star count and particular keywords. In total, 11,900 repositories were examined, and 1,229,601 vulnerabilities in 15,584 vulnerable dependency files were found.

Some of the findings include:

• Deserialization of Untrusted Data was the most prevalent vulnerability type with a whopping 130,831 occurrences in Java repositories, by making it 40 per cent of the total vulnerabilities identified.

• Prototype Pollution being the most common vulnerability identified (62%) in JavaScript, repositories contained 5,49,566 vulnerabilities in total.

• 16,590 vulnerabilities were High or Critical among the 72,082 vulnerabilities found in the Python repositories' 2,602 dependency files.

• Last but not least, In Ruby repositories, 50% of the vulnerabilities are in the Critical or High categories.

• The top ten researchers who reported the most vulnerabilities are also highlighted in the study.

Download the report today to learn more about the approach, methodology, and results of this exciting study with RedHunt Labs.