The Open Source Security and Risk Analysis (OSSRA) report indicates that most organizations are still working to identify and manage open source risk in their application portfolios.
The report says that "although the number of vulnerabilities in open source is small compared to proprietary software, in 2018 alone more than 7,000 vulnerabilities were discovered in open source, and more than 50,000 have emerged in the last two decades."
The report highlights the persistent challenges organizations face when it comes to managing open source risk, which includes:
- An increase in the average number of open source components detected per code base, now more than 298. Those who use open source often overlook the associated security and licensing risks.
- Another record year for the number of open source vulnerabilities disclosed in the NVD. According to the report, 60 percent of the code bases contained at least one open source vulnerability and 68 percent contained components with license conflicts.
- An increase in the average age of open source vulnerabilities detected, with more than 40 percent of the code bases containing a vulnerability that was revealed more than a decade ago.
- More than 40 percent of code bases contain a high-risk vulnerability.
Despite these challenges, the XSUMX OSSRA data suggests that, in the wake of the Equifax breach, greater awareness of open source risk and the maturation of commercial software composition analysis solutions have led to progress, including:
- The percentage of code bases containing vulnerable components has decreased.
- The percentage of code bases containing license conflicts has decreased.