The State of Software Composition 2017

What's in your app?

An increasingly large share of the software in use today consists of third-party code, either purchased or licensed commercial off-the-shelf (COTS) software or free open source software (FOSS). Software Composition Analysis (SCA) is a testing process that breaks an application down into its individual components, the ingredients of any piece of software, and produces a Bill of Materials (BoM) listing which software components, and which known vulnerabilities, exist within a given application.

The State of Software Composition 2017 report is based on analysis of 128,782 software applications uploaded and tested through the Synopsys Software Composition Analysis tool (Protecode SC) cloud service from January 1 through December 31, 2016.

What did we discover?

  • Nearly 50% of the software component versions are more than four years old
  • A total of 9,553 common vulnerabilities and exposures (CVEs) found
  • 45% of the observed CVEs date back to 2013 or earlier
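To make those three headline metrics concrete, here is an added example (not code from the report or from Protecode SC) that computes them over a small constructed BoM: the share of component versions more than four years old as of the end of the observation window, the number of unique CVEs, and the share of CVEs dated 2013 or earlier. The `SAMPLE_BOM` data, the `AS_OF` date, and the use of the year field in a CVE identifier as its "date" are assumptions of this example.

```python
from datetime import date

# Constructed sample BoM, not data from the report. The CVE ids are
# placeholders (CVE-YYYY-999xx), not real advisories.
SAMPLE_BOM = [
    {"name": "openssl", "version": "1.0.1e", "released": date(2013, 2, 11),
     "cves": ["CVE-2014-99901", "CVE-2016-99902"]},
    {"name": "zlib", "version": "1.2.3", "released": date(2005, 7, 18),
     "cves": ["CVE-2005-99903", "CVE-2016-99904"]},
    {"name": "libxml2", "version": "2.9.4", "released": date(2016, 5, 23),
     "cves": []},
    {"name": "jquery", "version": "1.6.1", "released": date(2011, 5, 12),
     "cves": ["CVE-2012-99905", "CVE-2013-99906", "CVE-2016-99904"]},
]
AS_OF = date(2016, 12, 31)  # end of the report's observation window


def cve_year(cve_id):
    """Year field of a 'CVE-YYYY-NNNN...' identifier."""
    parts = cve_id.split("-")
    if len(parts) != 3 or parts[0] != "CVE" or not parts[1].isdigit():
        raise ValueError("not a CVE id: %r" % cve_id)
    return int(parts[1])


def summarize(bom, as_of, max_age_years=4, old_cve_year=2013):
    """The report's headline metrics over a BoM: share of component versions
    older than max_age_years, unique CVE count, and share of CVEs whose
    year is <= old_cve_year. A CVE hitting several components counts once."""
    stale_before = as_of.replace(year=as_of.year - max_age_years)
    stale = [c for c in bom if c["released"] < stale_before]
    unique_cves = sorted({cve for c in bom for cve in c["cves"]})
    old_cves = [cve for cve in unique_cves if cve_year(cve) <= old_cve_year]
    pct = lambda part, whole: round(100.0 * part / whole, 1) if whole else 0.0
    return {
        "components": len(bom),
        "stale_components": len(stale),
        "stale_pct": pct(len(stale), len(bom)),
        "cves": len(unique_cves),
        "old_cves": len(old_cves),
        "old_cve_pct": pct(len(old_cves), len(unique_cves)),
        # Components carrying any known CVE: the OWASP A9 findings to triage.
        "a9_findings": [(c["name"], c["version"], len(c["cves"]))
                        for c in bom if c["cves"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_BOM, AS_OF).items():
        print("%-18s %s" % (key, value))
```

On the sample BoM this reports two of four versions as stale and three of six unique CVEs as 2013 or earlier; a real run would feed the same function the component list an SCA tool emits.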

Why is this important?

Organizations need to determine the relative risk of integrating FOSS and third-party components, as well as the overall security risk of the final software application. Additionally, if an organization must demonstrate OWASP compliance, specifically for A9: Using Components with Known Vulnerabilities, this report should shed light on known problem areas.

Get all the research findings—download the report.