1、Census III of Free and Open Source SoftwareApplication LibrariesFrank Nagle,Harvard Business SchoolKate Powell,Laboratory for Innovation Science at HarvardRichie Zitomer,Harvard Business SchoolDavid A.Wheeler,Open Source Security Foundation(OpenSSF),The Linux FoundationIn partnership with December 2

2、024The use of cloud service-specific packages is increasing,with high-ranking components that did not rank in Census II.There is an ongoing transition from Python 2 to Python 3,demonstrating the challenges of transitioning to new versions of software with incompatibilities.Maven packages continue to

3、 be widely used and there is an increased prevalence of NuGet and Python packages.Use of components from Rust package repositories have increased considerably since Census II,signaling an industry response to memory safety vulnerabilities.There are promisingefforts to implement a standardized naming

4、 schema for software components which would improve supply chain security and future census efforts.Many of the top packages are hosted under individual developer accounts,which often have fewer protections and less granularity than organizational accounts.Legacy software persists in the open source

5、 space,making their security as important as their replacement packages.When considering npm,direct only,version agnostic packages,the top used package was react-dom.When considering non-npm,direct,version agnostic packages,the top used package was the maven package org.springframework.boot:spring-b

6、oot-starter-web.When considering non-npm,direct,version agnostic packages,log4j-core ranked very highly(#51).When considering non-npm,direct&indirect,version agnostic packages,the top used package was the go package top 50 non-npm projects,17%had only one developer&40%had one ortwo developersaccount