There are many metrics for tracking the prevalence of open source components, such as GitHub stars and downloads, but these don’t paint the full picture of how the components are being used in production codebases.
Census III of Free and Open Source Software: Application Libraries leans on more than 12 million data points from software composition analysis (SCA) and application security tools such as Black Duck, FOSSA, Snyk, and Sonatype, which have been deployed at more than 10,000 companies.
The extensive report highlights the shift toward memory-safe programming, with Rust adoption surging. From a security perspective, it points to the continued reliance on Python 2, as well as a lack of standardized naming for components, which can increase the risk of dependency confusion and malicious package injection.
Produced by The Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Harvard University, the report follows two previous installments, published in 2015 and 2020. The latest one is available for download now.