2020 Open Source Security and Risk Analysis (OSSRA) Report: 91% of commercial apps contain outdated open source components

Synopsys released the “2020 Open Source Security and Risk Analysis (OSSRA) Report “report, which was produced by the Synopsys Cyber ​​Security Research Center (CyRC) and studied the results of more than 1,250 commercial codebase audits conducted by the Black Duck Audit Services team. It highlights the trends and models of open source use in commercial applications and provides insights and recommendations to help organizations better manage open source risks from security, license compliance, and operational perspective.

The report reiterates the key role of open source in today’s software ecosystem, revealing that almost all (99%) of the audited codebases in the past year contain at least one open-source component, with open source code accounting for 70% of the total code. However, it is more noteworthy that aging or obsolete open source components continue to be widely used, and 91% of the codebase contains components that have been outdated for more than four years or have no development activities in the past two years.

In addition, what is more, worrying is the trend of increasing security risks brought about by unmanaged open source? 75% of the audited code base contains open source components with known security vulnerabilities; at the same time, almost half (49%) of the codebase contains high-risk vulnerabilities; the proportion of both has increased year-on-year.

Some of the open-source risk trends worth watching in the 2020 OSSRA report are summarized as follows:

• The adoption rate of open source continues to soar. 99% of the codebase contains at least some open-source, and each codebase has an average of 445 open source components, a significant increase from the 298 in 2018. 70% of the reviewed code is determined to be open source, and this number has grown from 60% in 2018 to nearly double since 2015 (36%).
• Outdated and “obsolete” open source components are everywhere.  91% of the codebase contains components that have either been outdated for more than four years or have no development activities in the past two years. In addition to the increased likelihood of security vulnerabilities, the risk of using outdated open source components is that updating them will also introduce unnecessary functionality or compatibility issues.
• The use of vulnerable open source components is again on the rise. Between 2017 and 2018, the proportion of codebases containing vulnerable open source components dropped from 78% to 60%, and then rose to 75% in 2019. Similarly, the percentage of codebases containing high-risk vulnerabilities increased from 40% in 2018 to 49% in 2019. Fortunately, none of the codebases reviewed in 2019 were affected by the notorious Heartbleed bug or the Apache Struts vulnerability that plagued Equifax in 2017.
• Open source license conflicts continue to put intellectual property at risk.  68% of the codebase contains some form of open source license conflicts, while 33% of the codebase contains open source components without an identifiable license. The incidence of license conflicts varies from industry to industry, from the highest 93% (Internet and mobile applications) to a relatively low 59% (virtual reality, games, entertainment, media).