The annual “Open Source Security and Risk Analysis” (OSSRA) report, now in its ninth edition, examines vulnerabilities and license conflicts found in over 1,000 codebases across 17 industries. The report offers recommendations to help security, legal, risk, and development teams better understand open source security and the license risk landscape, especially in the context of securing the software supply chain.
With the prevalence of open source and the rise in AI-generated code, more applications are now built with third-party code. Open source has become so interconnected with modern development that security and development teams struggle to identify all the components in their software.
Although the overall percentage of codebases containing security vulnerabilities was unchanged from the previous year, severity worsened: the percentage of codebases containing high-risk vulnerabilities rose by a staggering 54%.
Forty-nine percent of codebases examined contained open source that had no new development in the last two years. Additionally, 91% of the 900+ risk-assessed codebases contained components 10 versions or more behind the most current version, indicating that open source consumers need to improve their maintenance practices.
Get a deep dive into the state of open source security, licensing, code quality, and maintenance risk