
The Code the World Depends On: A First Look at Technology Makers' Open Source Software Dependencies

Cadence Patrick, Kimberly Ruth, Zakir Durumeric

TL;DR

This study interrogates OSS dependency usage among 108 major software and device makers to understand which dependencies are most critical and how openly such data is published. Using a cross-company search and consolidation approach, the authors find that only a minority (about 22%) publish package-level dependency names and that data availability varies significantly by industry. They identify a large, diverse ecosystem of dependencies (over 8000 unique packages) with top packages like OpenSSL, zlib, and ncurses repeatedly appearing across firms, highlighting the downstream risk of vulnerabilities in widely used components. The work argues for standardized SBOM disclosures and ongoing data sharing to improve proactive vulnerability analysis and security hardening, marking a first step toward mapping the ripple effects of OSS vulnerabilities on critical infrastructure.

Abstract

Open-source software (OSS) supply chain security has become a topic of concern for organizations. Patching an OSS vulnerability can require updating other dependent software products in addition to the original package. However, the landscape of OSS dependencies is not well explored: we do not know what packages are most critical to patch, hindering efforts to improve OSS security where it is most needed. There is thus a need to understand OSS usage in major software and device makers' products. Our work takes a first step toward closing this knowledge gap. We investigate published OSS dependency information for 108 major software and device makers, cataloging how available and how detailed this information is and identifying the OSS packages that appear the most frequently in our data.
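As an added illustration of the consolidation step the abstract describes (this is example code, not the paper's own tooling or data), the script below takes constructed per-company disclosure records, measures how many publish package-level names overall and by industry, normalizes package spellings so the same dependency is counted once per company, and answers the defender's question the TL;DR raises: which firms are downstream of a given vulnerable package. Company names, industries and package lists are constructed samples.

```python
from collections import Counter, defaultdict

# Constructed sample records (not the paper's dataset). "packages" is None
# when a company only publishes a generic "contains open source" notice.
DISCLOSURES = [
    {"company": "VendorA", "industry": "Networking", "packages": ["OpenSSL 1.1.1", "zlib", "ncurses"]},
    {"company": "VendorB", "industry": "Networking", "packages": ["openssl", "Zlib", "libcurl"]},
    {"company": "VendorC", "industry": "Consumer",   "packages": None},
    {"company": "VendorD", "industry": "Consumer",   "packages": ["ncurses", "OpenSSL"]},
    {"company": "VendorE", "industry": "Enterprise", "packages": None},
]

def normalize(name):
    """Case-fold and drop trailing version tokens so 'OpenSSL 1.1.1' and 'openssl' merge."""
    tokens = name.strip().split()
    return tokens[0].lower() if tokens else ""

def share_with_package_names(records):
    """Fraction of all companies that publish package-level dependency names."""
    return sum(1 for r in records if r["packages"]) / len(records)

def availability_by_industry(records):
    """Per-industry fraction of companies publishing package-level names."""
    totals, with_names = Counter(), Counter()
    for r in records:
        totals[r["industry"]] += 1
        if r["packages"]:
            with_names[r["industry"]] += 1
    return {ind: with_names[ind] / totals[ind] for ind in totals}

def package_users(records):
    """Map each normalized package name to the set of companies disclosing it."""
    users = defaultdict(set)
    for r in records:
        for pkg in r["packages"] or []:
            users[normalize(pkg)].add(r["company"])
    return users

def top_packages(records, n=3):
    """Most widely shared packages, ranked by number of distinct companies."""
    users = package_users(records)
    return sorted(users, key=lambda p: (-len(users[p]), p))[:n]

def downstream_exposure(records, vulnerable_pkg):
    """Companies whose disclosures list the package, i.e. who must react to a fix in it."""
    return sorted(package_users(records).get(normalize(vulnerable_pkg), set()))
```

With real data the same functions apply to parsed SBOM component lists in place of the constructed records; the ranking is by distinct disclosing companies, so a package listed many times by one vendor counts once.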

Paper Structure (8 sections, 1 figure, 4 tables)

This paper contains 8 sections, 1 figure, 4 tables.

Figures (1)

  • Figure 1: Open source software dependency information availability by industry.