The 2022 “Open Source Security and Risk Analysis” (OSSRA) report, in its 7th edition this year, examines vulnerabilities and license conflicts found in more than 2,400 codebases across 17 industries. The report offers recommendations to help security, legal, risk, and development teams better understand the security and risk landscape accompanying open source development and use.
OPEN SOURCE ENDURES
Open source continues to demonstrate staying power, serving again this year as the foundation for the vast majority of commercial codebases. In fact, it’s so intertwined in modern development that code owners often aren’t even aware of the open source components in their own software.
VULNERABILITY NUMBERS ARE IMPROVING
[Chart: percentage of codebases containing at least one vulnerability]
[Chart: percentage of high-risk vulnerabilities per codebase]
The use of open source remains constant, and there’s promising progress with open source vulnerabilities. This year’s report shows a modest 3% decrease in vulnerabilities from the previous year, though the overall percentage of codebases containing vulnerabilities remains troublingly high. This trend indicates that progress toward minimizing risk is slow, but it’s moving in the right direction.
In contrast to the slight decrease in open source vulnerabilities overall, the decrease in high-risk vulnerabilities is more dramatic: the percentage of codebases containing high-risk open source vulnerabilities fell by 11% compared to last year’s report. This indicates that organizations are starting to stress the importance of prompt identification, prioritization, and mitigation of high-risk vulnerabilities.
OPERATIONAL RISK IS CONCERNING
Despite vulnerability improvements, a troubling number of codebases contained open source that had seen no development activity and no user updates in the last two years. When no feature upgrades, code improvements, or security remediation activity occurs for 24 months, it’s likely that a project is no longer being maintained at all.
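The 24-month inactivity heuristic above is easy to turn into an automated check over a component inventory. The following script is an added example, not code from the OSSRA report or its publisher; it assumes that a software composition analysis tool or package registry has already supplied a last-commit and last-release date per component, and the inventory, component names, and dates below are constructed for illustration. Components with no activity for 24 months or more are flagged as inactive, and components whose activity dates could not be determined are reported separately rather than silently treated as healthy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Threshold taken from the report's heuristic: 24 months without feature
# upgrades, code improvements, or security remediation suggests the
# project is no longer maintained.
INACTIVITY_MONTHS = 24


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    last_commit: Optional[date]   # None = could not be determined
    last_release: Optional[date]  # None = could not be determined


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1  # the final month has not fully elapsed yet
    return months


def last_activity(c: Component) -> Optional[date]:
    """Most recent of the known activity dates, or None if none is known."""
    known = [d for d in (c.last_commit, c.last_release) if d is not None]
    return max(known) if known else None


def classify(c: Component, as_of: date,
             threshold_months: int = INACTIVITY_MONTHS) -> str:
    """Return 'active', 'inactive' or 'unknown' for one component."""
    activity = last_activity(c)
    if activity is None:
        return "unknown"  # do not assume health when data is missing
    if months_between(activity, as_of) >= threshold_months:
        return "inactive"
    return "active"


def operational_risk_report(components: List[Component], as_of: date,
                            threshold_months: int = INACTIVITY_MONTHS
                            ) -> Dict[str, List[str]]:
    """Group an inventory into active / inactive / unknown buckets."""
    report: Dict[str, List[str]] = {"active": [], "inactive": [], "unknown": []}
    for c in components:
        report[classify(c, as_of, threshold_months)].append(f"{c.name}@{c.version}")
    return report


# Constructed sample inventory; names, versions and dates are hypothetical.
SAMPLE_INVENTORY = [
    Component("libfoo", "1.4.2", date(2021, 11, 3), date(2021, 10, 20)),
    Component("oldparser", "0.9.1", date(2019, 2, 14), date(2018, 12, 1)),
    Component("mirrored-util", "2.0.0", None, None),      # vendored copy, no upstream data
    Component("edge-case", "3.1.0", date(2020, 3, 15), None),  # exactly 24 months old
]
AS_OF = date(2022, 3, 15)  # constructed assessment date

if __name__ == "__main__":
    for bucket, names in operational_risk_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{bucket}: {', '.join(names) if names else '-'}")
```

The "unknown" bucket matters in practice: a component whose upstream cannot be identified (a renamed or vendored copy, for instance) is exactly the kind of code owners are unaware of, and it should be investigated rather than counted as maintained.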
IN A YEAR OF RECORD M&A TRANSACTIONS, KEY INDUSTRIES REMAIN VULNERABLE
The same story emerged across all industry sectors: open source was present in almost every codebase, made up the majority of the code in those codebases, and was vulnerable to exploit and attack. Only a comprehensive inventory of all software a business uses, regardless of where it came from or how it was acquired, can help eliminate this business risk.
2022 OSSRA Report
A deep dive into the state of open source security, licensing, code quality, and maintenance risk