Critical Gap: Only 1% of Open Source Vulnerabilities Document Affected Functions



A concerning analysis reveals that affected functions are documented for only about 1% of open-source software (OSS) security vulnerabilities, raising questions about the effectiveness of vulnerability tracking and mitigation efforts.

According to data from major vulnerability databases including GitHub Advisory DB and Google's OSV.dev, out of over 20,000 documented OSS vulnerabilities, information about specific affected functions is available for fewer than 400 cases.

The Go programming language ecosystem stands as a notable exception, with function-level details available for 31% of its security advisories. This higher coverage rate demonstrates that better documentation is possible when prioritized.

This knowledge gap has serious implications for software composition analysis (SCA) tools that promise "reachability analysis" - a feature meant to determine if vulnerable functions are actually being used in a codebase. While vendors claim this can reduce false positives by 85-98%, the lack of public data about affected functions makes these claims difficult to verify independently.

Currently, function-level vulnerability information is scattered across different databases with varying formats:

  • GitHub Advisory DB documents affected functions for only 393 out of 20,058 advisories
  • Google's OSV.dev covers 810 out of 25,916 total advisories
  • The Go Vulnerability Database includes function details for 547 out of 1,761 advisories
  • Rust Advisory Database provides this information for approximately 114 out of 724 advisories
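As an added illustration (not code from the article or from any of the databases it names), the script below shows how such coverage figures can be measured from OSV-format advisory records. It assumes the Go vulnerability database's documented layout, where affected symbols sit under `affected[].ecosystem_specific.imports[].symbols`; the records themselves are constructed samples with placeholder ids, and the `example.com` module paths are invented.

```python
import json
from typing import Iterable

# Constructed sample of OSV-format advisory records (placeholder ids, not
# real advisories). Go vulndb records affected symbols under
# affected[].ecosystem_specific.imports[].symbols; most other ecosystems
# leave ecosystem_specific empty, which is the gap the article describes.
SAMPLE_OSV_RECORDS = [
    {
        "id": "EXAMPLE-GO-0001",
        "affected": [{
            "package": {"ecosystem": "Go", "name": "example.com/mod"},
            "ecosystem_specific": {"imports": [
                {"path": "example.com/mod/pkg", "symbols": ["Parse", "Decode"]}
            ]},
        }],
    },
    {
        "id": "EXAMPLE-GO-0002",  # import path listed, but no symbols
        "affected": [{
            "package": {"ecosystem": "Go", "name": "example.com/other"},
            "ecosystem_specific": {"imports": [{"path": "example.com/other"}]},
        }],
    },
    {
        "id": "EXAMPLE-PYPI-0001",  # no ecosystem_specific block at all
        "affected": [{"package": {"ecosystem": "PyPI", "name": "examplepkg"}}],
    },
]


def affected_symbols(record: dict) -> list[str]:
    """Return the affected functions an advisory names, as 'import_path.Symbol'."""
    symbols = []
    for entry in record.get("affected", []):
        specific = entry.get("ecosystem_specific") or {}
        for imp in specific.get("imports", []):
            for sym in imp.get("symbols", []):
                symbols.append(f"{imp.get('path', '')}.{sym}")
    return symbols


def function_level_coverage(records: Iterable[dict]) -> dict:
    """Count advisories that name at least one affected function."""
    records = list(records)
    documented = [r["id"] for r in records if affected_symbols(r)]
    total = len(records)
    return {"total": total, "documented": len(documented), "ids": documented,
            "percent": round(100 * len(documented) / total, 1) if total else 0.0}


if __name__ == "__main__":
    print(json.dumps(function_level_coverage(SAMPLE_OSV_RECORDS), indent=2))
```

Pointing the same check at a local clone of a database's OSV export reproduces the kind of ratio the list above reports, and an advisory that lists only import paths without symbols counts as undocumented, since a reachability tool cannot act on it.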

Industry experts argue that keeping this critical data in proprietary databases hampers overall security efforts. The fragmented approach, with each vendor maintaining their own non-standardized dataset, creates inconsistencies and questions about data quality.

The findings highlight an urgent need for improved public documentation of vulnerability details at the function level. Without this foundation, developers and security teams lack the precise information needed to effectively assess and address security risks in open-source dependencies.