Now in its sixth year, the 2021 Open Source Security and Risk Analysis (OSSRA) report exposes vulnerabilities and license conflicts found in more than 1,500 codebases across 17 industries. The report includes recommendations to help developers and consumers understand the software ecosystem they are a part of, as well as the risks accompanying open source development and use.
OPEN SOURCE IS ON THE RISE...
As the role of developers has grown more vital, so has the prominence of open source code. Today, open source libraries are the foundation for every application in every industry. It’s so prevalent that many code owners aren’t aware of all the open source components in their software.
An average of 84 open source components per app
An average of 528 open source components per app
...AS ARE VULNERABILITIES
As the use of open source has grown, unfortunately so has the number of vulnerabilities. This year’s report shows a 9% increase in vulnerabilities from the previous year—the second-highest year-on-year increase in the report’s six-year history. This trend indicates that more and more software is at risk across every industry.
...AND HIGH-RISK VULNERABILITIES
Paralleling the increase in vulnerabilities is the increase in high-risk vulnerabilities. This year’s report shows an 11% increase from the previous year. The majority of these have been in the code for more than two years and have documented solutions available.
Percentage of high-risk vulnerabilities per codebase
Percentage of codebases containing at least one vulnerability
KEY INDUSTRIES DURING COVID WERE VULNERABLE
Several industries saw exponential growth in revenue during the past year, largely due to market and societal changes during COVID. This year’s report reveals a correlation between these industries, the use of open source in their applications, and the vulnerabilities found in them. In fact, these high-growth industries had the largest number of vulnerabilities and high-risk vulnerabilities.
2021 OSSRA Report
A deep dive into the state of open source security, licensing, code quality, and maintenance risk