Linux Foundation releases ‘Census III’ open source report

The Linux Foundation has released a report that identifies the most commonly used free and open source software (FOSS) application libraries.

Developed in partnership with the Laboratory for Innovation Science at Harvard, the “Census III” report provides invaluable insights into the state of the OSS ecosystem. Leveraging over 12 million data points from production environments across more than 10,000 companies, Census III highlights critical trends and challenges surrounding the use of OSS.

To bring this effort to life, the Linux Foundation collaborated not only with Harvard but also with major organisations specialising in Software Composition Analysis (SCA), including Black Duck, FOSSA, Snyk, and Sonatype. By pooling diverse expertise, data, and resources, the partnership provides new insights into open source software’s widespread adoption and highlights potential risks within the ecosystem.  

David A. Wheeler, Director of Open Source Supply Chain Security at the Open Source Security Foundation (OpenSSF), said: “FOSS is now ubiquitous, serving as a foundational infrastructure of society. However, its success has also made it a target for attackers seeking to exploit vulnerabilities.

“This report provides valuable insights that will help individuals and organisations worldwide prioritise their investments to significantly reduce both the recurrence and impact of vulnerabilities in FOSS – both unintentional and malicious.”

The Census III report identifies several notable trends in open source software usage:  

• Rising use of cloud-specific packages: Demand for cloud-focused libraries continues to grow.
• Migration to Python 3: There remains an ongoing transition from the now-deprecated Python 2 to Python 3.
• Expanded popularity: Maven packages, frequently used in Java development, remain widely utilised, while NuGet (associated with .NET) and Python repositories are seeing increased traction.  
• Emerging technologies: Rust package usage has considerably risen compared to the previous Census reports.  
• Legacy code challenges: Outdated software persists in use, adding a layer of complexity to long-term FOSS sustainability.
• Contributors and security: Many of the most extensively deployed FOSS libraries are often maintained by only a small group of contributors, underlining resource shortages and increasing the importance of securing individual developer accounts.  
• Standardisation needs: A lack of consistent naming conventions for software components complicates dependency tracking.  

The authors also note shifts in the OSS supply chain and its potential vulnerabilities.

Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, commented: “If there are only a handful of contributors to a critical component or if the supplier is effectively one anonymous GitHub user account, the cybersecurity and software hygiene decisions of those individuals could introduce unexpected business risks.”

Transparency and investment  

Given the pivotal role of FOSS in today’s digital economy, contributors to the report advocate for greater investment in securing and sustaining open source software.

Kevin Wang, CEO of FOSSA, said: “The report clearly reaffirms the ubiquity and continued growing influence of open source on the economy. Government regulations, industry initiatives, and research like this are all instrumental in improving the software supply chain through open communication, which ultimately builds trust.”

The findings align with recent global efforts to improve software security, particularly against the backdrop of rising scrutiny from governments and policymakers regarding critical infrastructure.

Hilary Carter, SVP of Research at the Linux Foundation, added: “Understanding the health and security posture of open source software is a critical step to ensure its sustainability. Census III underscores the importance of identifying and supporting widely used open source components, complementing Linux Foundation projects, initiatives, and security-focused research.”

The report also addresses the importance of mitigating challenges from a decentralised development structure.

Danny Allan, CTO at Snyk, commented: “FOSS forms the backbone of modern technology, yet its decentralised nature presents challenges in understanding its true impact and vulnerabilities. Efforts like the FOSS Census are pivotal, combining community-driven data with analytical rigour to help the industry identify critical dependencies and prioritise investments.”

Building on previous Census reports  

The Census III report builds on its predecessors, which first sought to highlight critical OSS components and their role in global infrastructure.

The original Census, conducted in 2015, focused specifically on software used in the Debian Linux distribution. Census II expanded its scope, examining language-level OSS packages commonly relied upon by public and private organisations alike.  

Now, Census III significantly broadens this analysis by using anonymised data from partnering software composition analysis companies. This enhanced data makes it easier for stakeholders to understand and prioritise resources for addressing vulnerabilities within the OSS ecosystem.

Census III reinforces the message that open source software is not merely a technological cornerstone but also a shared resource that needs continuous support and safeguarding. Securing FOSS against vulnerabilities – both accidental and malicious – remains a vital step for enabling continued innovation. 

Brian Fox, Co-Founder and CTO of Sonatype, explained: “By providing critical data and insights into FOSS usage, we aim to empower organisations to make informed decisions about securing their software supply chains.”

As more industries integrate OSS into their workflows, the need for collaboration, standardisation, and proactive investment becomes increasingly clear. Census III sets a foundation for stakeholders to address these challenges and contribute to a stronger, more secure open source software ecosystem.

(Photo by Andrew Neel)

See also: Linux Foundation Decentralized Trust aims for web3 innovation

Looking to revamp your digital transformation strategy? Learn more about Digital Transformation Week taking place in Amsterdam, California, and London. The comprehensive event is co-located with IoT Tech Expo, AI & Big Data Expo, Cyber Security & Cloud Expo, and other leading events.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: census, coding, cybersecurity, foss, linux, linux foundation, open source, open-source, programming, report, research, security, study