The M&A Open Source Risk Number

Spoiler alert: In 2022, audits found open source in 100% of our customer engagements.

Regular readers know that Synopsys recently published the eighth edition of the “Open Source Security and Risk Analysis” (OSSRA) report. We think it provides the best information available about open source use in the wild, and the frequency of open source risks.

The report is based on anonymized and aggregated data pulled from the Black Duck® Audit group’s work. It presents the results in terms of codebases—roughly equivalent to applications—that we audit as part of a merger and acquisition (M&A) transaction. However, because we typically audit multiple codebases in each customer engagement, statistics per codebase are only part of the story.

Without giving away the punchline, suffice to say we’re still seeing significant software risks in M&A transactions. In fact, in addition to every customer engagement containing open source, 99% had at least one unpatched open source vulnerability, and the percentage is almost as high for those with licensing issues.

You can also read our 2023 “Open Source Risk in M&A by the Numbers” white paper or watch this recorded webinar to get an inside look at the data Black Duck audits complied in 2022. These use the same data as the OSSRA report but the analysis is presented in the context of the M&A transactions themselves. For example, instead of digging into the frequency of high-severity vulnerabilities in a given codebase, we explore the percentage of M&A transactions that include code with high-severity vulnerabilities.

To learn how Black Duck audits can help you reduce software risk in M&A, please contact us.