Virtualization Technology News and Information
New Black Duck Report: 86% of Commercial Codebases Contain Vulnerable Open Source, Exposing Organizations to Security Risks
Black Duck Software, Inc. ("Black Duck") released the tenth annual "Open Source Security and Risk Analysis" (OSSRA) report. The research provides security, development and legal teams with a comprehensive view of the open source landscape, including trends in the adoption and use of open source software, the prevalence of security vulnerabilities and software licensing and code quality risks.

The 2025 OSSRA report is based on the Black Duck Audit team's evaluation of the anonymized findings from 1,658 analyses of 965 commercial codebases across 16 industries during 2024.

This year's report found that 86% of commercial codebases evaluated contained open source software vulnerabilities and 81% contained high- or critical-risk vulnerabilities. Black Duck's data shows that the number of open source files in an average application has tripled, from more than 5,300 in 2020 to more than 16,000 in 2024.

"The 2025 OSSRA report underscores a critical and ongoing challenge for organizations: managing the security and compliance risks inherent in open source software," said Jason Schmitt, CEO of Black Duck. "As open source adoption continues to grow at an incredible velocity, businesses need to implement robust software composition analysis and risk management strategies to build trust into their applications, data and intellectual property."

Additional key findings from the 2025 OSSRA report include:

  • 90% of audited codebases were found to have open source components more than four years out-of-date: Outdated components magnify security risks, provide attackers with an expanded attack surface and create compliance and compatibility issues. The presence of older open source also suggests that developers need to take advantage of software improvements.
  • jQuery was found to be the most frequent source of vulnerabilities: Eight of the top ten high-risk vulnerabilities were found in jQuery, a widely used JavaScript library. In fact, 43% of the applications Black Duck scanned contained some version of jQuery, frequently an outdated version. The most frequently found high-risk vulnerability was CVE-2020-11023, an XSS vulnerability affecting outdated versions of jQuery, but still present in a third of scanned codebases.
  • 56% of the audited codebases contained license conflicts: Transitive dependencies - open source libraries that other software components rely on to function - caused nearly 30% of the license conflicts found in the audits. Additionally, 33% of codebases contained open source with no license or a customized license.
  • Only 77% of dependencies could be identified via package manager scanning, suggesting that the remainder were introduced to applications by other means, including AI coding assistants. These blind spots are what lead to lingering unpatched vulnerabilities, outdated components, and license conflicts.
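The last two findings above (outdated jQuery copies and dependencies that manifest-based scanning never sees) are easiest to understand side by side. The script below is an added illustration, not code from Black Duck or the OSSRA report: it compares what a project's package.json declares against jQuery copies found by reading file banners, the way a vendored or hand-copied library would show up. The sample project tree, file paths and banner contents are constructed for the example; the 3.5.0 cut-off is the jQuery release that fixed CVE-2020-11023 (the advisory's affected range starts at 1.0.3), and the banner regex matches the header format jQuery ships in its dist files.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# CVE-2020-11023, the XSS issue named in the report, was fixed in jQuery 3.5.0.
# The upstream advisory lists 1.0.3 <= version < 3.5.0 as affected; comparing
# against 3.5.0 is a practical shorthand for that range.
JQUERY_PATCHED = (3, 5, 0)

# Banner jQuery places at the top of its distributed files, e.g.
#   /*! jQuery v3.4.1 | (c) JS Foundation and other contributors | ... */
#    * jQuery JavaScript Library v1.12.4
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")

# Constructed sample project: relative path -> file contents. Assumption: these
# stand in for files you would read with os.walk on a real source tree.
SAMPLE_TREE: Dict[str, str] = {
    "package.json": '{"dependencies": {"jquery": "^3.6.0"}}',
    "static/vendor/jquery.min.js":
        "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
    "static/legacy/jquery-1.12.4.js":
        "/*!\n * jQuery JavaScript Library v1.12.4\n * http://jquery.com/\n */",
    "static/app.js": "console.log('no jquery here');",
}


def parse_banner_version(content: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) from a jQuery file banner, or None if absent."""
    match = BANNER_RE.search(content[:512])  # the banner sits at the top of the file
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def declared_dependencies(tree: Dict[str, str]) -> Dict[str, str]:
    """The view a manifest-only scan gets: whatever package.json claims."""
    raw = tree.get("package.json")
    if raw is None:
        return {}
    manifest = json.loads(raw)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies"):
        deps.update(manifest.get(section, {}))
    return deps


def find_vendored_jquery(tree: Dict[str, str]) -> List[Tuple[str, Tuple[int, ...], bool]]:
    """Read every .js file's banner; flag copies older than the patched release."""
    hits = []
    for path, content in sorted(tree.items()):
        if not path.endswith(".js"):
            continue
        version = parse_banner_version(content)
        if version is not None:
            hits.append((path, version, version < JQUERY_PATCHED))
    return hits


def audit(tree: Dict[str, str]) -> Dict[str, object]:
    """Put both views next to each other so the blind spot is visible."""
    declared = declared_dependencies(tree)
    vendored = find_vendored_jquery(tree)
    return {
        "declared": declared,
        "vendored": vendored,
        "vulnerable_count": sum(1 for _, _, vulnerable in vendored if vulnerable),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_TREE)
    print("manifest declares:", result["declared"])
    for path, version, vulnerable in result["vendored"]:
        status = "below 3.5.0 (CVE-2020-11023 affected range)" if vulnerable else "ok"
        print(f"{path}: jQuery {'.'.join(map(str, version))} -> {status}")
```

On the sample tree the manifest declares jQuery ^3.6.0 while two copies on disk (1.12.4 and 3.4.1) sit below 3.5.0, which is exactly the situation a manifest-only inventory misses. A real SCA tool matches on file hashes and signatures rather than banners, but the principle is the same: scan the files that ship, not just the lock file.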

To learn more, download the 2025 OSSRA report

Published Tuesday, February 25, 2025 4:39 PM by David Marshall