OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT
96% of scanned codebases contained open source
76% of code in codebases was open source
84% of codebases contained at least one vulnerability
48% of codebases contained high-risk vulnerabilities
89% were more than 4 years out of date
91% contained components that weren't the current version
91% had received no development activity in the last 2 years
88% contained components with no activity in the last 2 years and contained components that weren't the latest version
Percentage of codebases containing open source by industry
Percentage of code that was open source by industry
Big Data, AI, BI, Machine Learning
Computer Hardware and Semiconductors
Energy and Clean Tech
Financial Services and FinTech
Healthcare, Health Tech, Life Sciences
Internet and Mobile Apps
Internet and Software Infrastructure
Internet of Things
Manufacturing, Industrials, Robotics
Retail and eCommerce
Telecommunications and Wireless
Virtual Reality, Gaming, Entertainment, Media
The annual “Open Source Security and Risk Analysis” (OSSRA) report, now in its 8th edition, examines vulnerabilities and license conflicts found in roughly 1,700 codebases across 17 industries. The report offers recommendations for security, legal, risk, and development teams to better understand the security and risk landscape accompanying open source development and use.
Open source continues to prove its staying power, serving as the foundation for the vast majority of commercial codebases. In fact, it’s so intertwined in modern development that code owners often don’t know the open source components in their own software.
The overall percentage of codebases containing security vulnerabilities remains troublingly high. After a year of modest progress, there was another slight uptick (4%) in vulnerabilities during 2022.
While overall vulnerabilities were slightly up, the percentage of codebases with high-risk vulnerabilities was down 2% from last year, to 48%. Also promising was fewer instances of Log4J, which was found in 11% of audited Java codebases this year, down from 15%. While an improvement, this points to a larger trend of organizations failing to implement patches.
A worrying number of codebases contained open source that had no development activity and no user updates in the last two years. When no feature upgrades, code improvements, or security remediation occurs for 24 months, it’s likely the project is no longer being maintained at all.
The same story emerged across all industry sectors: Open source was present in almost every codebase, composed the majority of the total codebases, and was vulnerable to exploit and attack. Only a comprehensive inventory of all software in use by an organization can help mitigate this business risk.
2023 OSSRA Report A deep dive into the state of open source security, licensing, code quality, and maintenance risk