
The M&A Open Source Risk Number

Find out what our audit services team unearthed in the 1,700+ codebases we reviewed in 2022.


Spoiler alert: In 2022, audits found open source in 100% of our customer engagements.

Regular readers know that Synopsys recently published the eighth edition of the “Open Source Security and Risk Analysis” (OSSRA) report. We think it provides the best information available about open source use in the wild, and the frequency of open source risks.

The report is based on anonymized and aggregated data pulled from the Black Duck® Audit group’s work. It presents the results in terms of codebases—roughly equivalent to applications—that we audit as part of a merger and acquisition (M&A) transaction. However, because we typically audit multiple codebases in each customer engagement, statistics per codebase are only part of the story.

Without giving away the punchline, suffice it to say we’re still seeing significant software risks in M&A transactions. In fact, in addition to every customer engagement containing open source, 99% had at least one unpatched open source vulnerability, and the percentage of engagements with licensing issues is almost as high.

You can also read our 2023 “Open Source Risk in M&A by the Numbers” white paper or watch this recorded webinar to get an inside look at the data Black Duck audits compiled in 2022. These use the same data as the OSSRA report, but the analysis is presented in the context of the M&A transactions themselves. For example, instead of digging into the frequency of high-severity vulnerabilities in a given codebase, we explore the percentage of M&A transactions that include code with high-severity vulnerabilities.

To learn how Black Duck audits can help you reduce software risk in M&A, please contact us.

Posted by Phil Odence

Phil is the general manager of Synopsys’s Black Duck Audit business auditing the composition, security and quality of software for companies on both sides of M&A transactions. He focuses on software due diligence best practices and the M&A market. He also works closely with the company’s law firm partners and the open source community and is a frequent speaker on open source management and M&A. Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group which created an ISO standard for Software Bills of Materials (SBOMs). With decades of software industry experience, Phil held senior management positions at Hammer/Empirix and High Performance Systems, a startup in computer simulation modeling. He began his career in marketing and sales with Teradyne's electronic design and test automation (EDA) software group. He’s also written a book on fly fishing. Phil has an AB and an MS in engineering from Dartmouth College.
