I haven’t said anything about the Log4j issue here, but this article from the Washington Post (https://www.washingtonpost.com/politics/2022/01/14/open-source-bugs-present-an-extermination-problem-government/) that discusses the recent meeting at the White House about securing open source software shows that people are finally waking up to the fact that open source needs to be patrolled better. Far too many developers pull in open source packages without regard to their exposures, and those places that make sure the packages are vetted often miss the packages that are pulled in as dependencies.
I’m not putting down any of the open source contributors, but I’ve been a contributor and code reviewer and it’s just TOO easy to miss a vulnerability. Sure, automated processes can catch a lot, but if someone is intent on introducing a vulnerability, it can be done without a lot of extra effort. No, I don’t have a solution, but I’m certain the open source community can come up with some good ones.