To understand whether an open source package is safe to use, we’ve historically relied on CVEs (or the lack of CVEs) as the leading indicator: if there are no known vulnerabilities in the code, then it’s OK to use. While it makes sense not to use open source software that contains known vulnerabilities, there are other factors that can be just as risky as known vulnerabilities.
This post explores other risk factors outside of CVEs that you should consider when determining whether open source software is truly safe to use. Below, we’ve outlined five of those risk factors and how you can evaluate them.
When we refer to malicious packages here, we mean packages whose code attacks the developer's machine. It seems obvious that you shouldn’t use malicious open source software, but traditional software scanners may not flag malicious packages in your software if those packages have no known CVEs.
The open source project OSV.dev, created and sponsored by Google, recently added support for malicious package reporting in its data feed. OSV provides a standardized format for vulnerability and malicious package data that can be used by both vulnerability database producers and open source consumers, with the goal of making it easier for developers and security teams to automate and triage vulnerability reporting.
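To make the distinction concrete, here is an added example (not from the original post or the OSV project) that builds an OSV `/v1/query` request body and triages a response in the OSV schema, separating malicious-package records (which OSV publishes under a `MAL-` id prefix) from CVE-backed findings. The package name and advisory ids are constructed placeholders, and the block assumes the response was already filtered to the queried version, as the query endpoint does.

```python
import json

# Constructed sample in the shape of an OSV v1 /query response (no real
# advisories): one conventional vulnerability and one malicious-package
# record for the same hypothetical npm package "example-pkg".
SAMPLE_OSV_RESPONSE = json.dumps({"vulns": [
    {"id": "GHSA-0000-0000-0000", "aliases": ["CVE-0000-00000"],
     "summary": "Prototype pollution (constructed)",
     "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                   "ranges": [{"type": "SEMVER", "events": [
                       {"introduced": "0"}, {"fixed": "1.2.0"}]}]}]},
    {"id": "MAL-0000-00001", "aliases": [],
     "summary": "Malicious code in example-pkg (constructed)",
     "affected": [{"package": {"ecosystem": "npm", "name": "example-pkg"},
                   "versions": ["1.2.1"]}]},
]})


def osv_query_body(ecosystem, name, version):
    """Request body for POST https://api.osv.dev/v1/query (one package/version)."""
    return {"package": {"ecosystem": ecosystem, "name": name}, "version": version}


def is_malicious_record(vuln):
    """OSV publishes malicious-package entries with a MAL- id prefix."""
    ids = [vuln["id"]] + vuln.get("aliases", [])
    return any(i.startswith("MAL-") for i in ids)


def has_cve(vuln):
    """True when the record carries a CVE id, i.e. what a CVE-only scanner matches on."""
    ids = [vuln["id"]] + vuln.get("aliases", [])
    return any(i.startswith("CVE-") for i in ids)


def triage(response_json):
    """Split an OSV query response into malware, CVE-backed and other findings.

    A scanner that only looks for CVE ids would see the "cve_backed" list and
    nothing else; the "malicious" list is what it would miss.
    """
    vulns = json.loads(response_json).get("vulns", [])
    malicious = [v["id"] for v in vulns if is_malicious_record(v)]
    cve_backed = [v["id"] for v in vulns if not is_malicious_record(v) and has_cve(v)]
    other = [v["id"] for v in vulns
             if not is_malicious_record(v) and not has_cve(v)]
    return {"malicious": malicious, "cve_backed": cve_backed, "other": other}


if __name__ == "__main__":
    print(osv_query_body("npm", "example-pkg", "1.2.1"))
    print(triage(SAMPLE_OSV_RESPONSE))
```

A real run would send `osv_query_body(...)` as JSON to the OSV endpoint and pass the response body to `triage`; any non-empty `malicious` list should block the package regardless of its CVE status.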