...

Executive Summary / Key Take-Aways

  • You don't fix open source supply chain issues by focusing exclusively on the upstream producer.

    • If we could somehow make perfect releases of all ASF projects tomorrow, it would literally take years before we would see the effects, and there would be plenty of cases where the update would never be applied.

  • Community is defined by those who show up.

    • We have many components which are widely used, yet many of the companies that build these into their products either don't review the code or choose not to contribute back their fixes.

  • Vulnerabilities aren't always isolated to a single component.

    • In the case of the recent Apache Log4j vulnerability, the Java Naming and Directory Interface (JNDI) is a critical part of the exploit. JNDI is part of the Java runtime, not part of Log4j itself. The industry tends to treat the concept of "JNDI injection" as if it were a known problem, but just like "SQL injection" and other injection problems, this is demonstrably not the case. If it were possible to improve those common components, that could be a very big win.

...