2026 State of the Software Supply Chain with Brian Fox

The podcast discusses Sonatypes long-running State of the Software Supply Chain Report (SSCR), which tracks trends and challenges in the open source ecosystem over 11 years. Key trends include growing awareness of open source reliance in the 2010s, the rise of SBOMs (Software Bill of Materials) for transparency, and the increasing prevalence of malware in open source packages, now reaching 1.2 million malicious components annually. Stakeholders also highlight concerns about end-of-life (EOL) components, which persist despite awareness, and the unsustainable costs of maintaining public registries like Maven Central, which face $510 million in annual operational expenses without adequate funding.

Open source usage has surged, with 9.8 trillion downloads in 2023 alone, surpassing Google search volume, but this growth strains infrastructure and creates challenges in managing software waste, such as unused code and "intentional garbage" in repositories. Malware volume is doubling yearly, while AI tools introduce new risks, including versioning errors and slop squatting, where attackers exploit AI-generated project names. The NVD (National Vulnerability Database) remains underfunded, with 65% of open source vulnerabilities unaddressed, and data quality issues in public databases exacerbate security risks.

The report underscores the need for improved vulnerability management, SBOM adoption, and funding models for registries to address scalability and sustainability. Case studies like Log4Shell reveal persistent gaps in patch adoption, even after high-profile vulnerabilities. While AI tools offer potential solutions, they also introduce risks like hallucinations and misaligned recommendations, necessitating human oversight or hybrid systems like Model Control Protocols (MCP) to refine AI-driven decisions. The industry faces ongoing challenges in balancing security, innovation, and the growing complexity of managing open source dependencies at scale.