Hidden security and licensing threats lie in open source codebases, but organizations using them may not be applying sufficient due diligence.

A review of the results of more than 2,400 audits of commercial and proprietary codebases from merger-and-acquisition transactions found that open source code is widely used among the audited organizations, but that managing the associated software supply chain risks remains a challenge.

What are some trends in open source usage within commercial and proprietary applications? What insights can help developers gain a better understanding of the interconnected software ecosystem? The report based on the audit results details the pervasive risks posed by unmanaged open source components: security vulnerabilities, outdated or abandoned components, and license compliance issues.

The open source and risk analysis report points out four trends:

  • Outdated open source remains the norm. From an operational risk/maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out of date, 88% used components that were not the latest available version, and 5% contained a vulnerable version of Log4j.
  • Open source vulnerabilities were decreasing overall. Of the codebases reviewed, 2,097 included security and operational risk assessments. Of these, 81% contained at least one known open source vulnerability, a decrease of 3% from the 2021 report, and the number containing high-risk open source vulnerabilities fell more sharply: 49% of the audited codebases contained at least one high-risk vulnerability, compared to 60% previously.
  • License conflicts were also decreasing overall. Some 53% of the codebases reviewed contained license conflicts, down from the 65% seen in 2020. In general, specific license conflicts decreased across the board between the 2020 and 2021 audit reviews.
  • Some open source codebases had no license or a customized license. Since a software license governs the right to use the software, a component with no license raises the question of whether using it entails legal risk. Customized open source licenses may also place undesirable requirements on licensees and may require legal evaluation for possible IP issues or other implications.

According to Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center, which compiled the report, users of static code analysis software in the study period had made progress in reducing open source license issues and addressing high-risk vulnerabilities, but “the fact remains that over half of the codebases audited still contained license conflicts and nearly half still contained high-risk vulnerabilities.”

Also, 88% of the codebases [with risk assessments] contained outdated versions of open source components with an available update or patch that was not applied. “Unless an organization keeps an accurate and up-to-date inventory of the open source used in their code, an outdated component can be forgotten until it becomes vulnerable to a high-risk exploit. This is precisely what occurred with Log4j, and why software supply chains and Software Bill of Materials (SBOM) are such hot topics.”
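The four risk categories above (components years out of date, components behind the latest release, known-vulnerable versions such as Log4j, and missing, conflicting or custom licenses) are exactly what an SBOM-driven inventory check can surface automatically. The following Python script is an added illustration, not code from the report or from Synopsys: it reads a small CycloneDX-style component list and compares each entry against a catalogue of latest versions, release dates and vulnerable version ranges. The SBOM, the catalogue (including the Log4j vulnerable range and the release dates), and the license policy lists are all constructed sample data; a real deployment would take them from a package index, an advisory feed and the legal team's approved-license list.

```python
"""Inventory-driven open source risk check over a CycloneDX-style SBOM.

Hypothetical example: all component data, dates, version ranges and license
policy below are constructed for illustration.
"""
import json
import re
from datetime import date

# Constructed license policy: ids the (hypothetical) proprietary product may ship
# with, and ids that conflict with its distribution model.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed stand-in for a package index plus advisory feed. "vulnerable" holds
# assumed half-open ranges [lo, hi) of affected versions.
CATALOG = {
    "log4j-core": {"latest": "2.17.1", "released": {"2.14.1": "2021-03-12"},
                   "vulnerable": [("2.0", "2.15.0")]},
    "commons-io": {"latest": "2.11.0", "released": {"2.4": "2012-06-12"}, "vulnerable": []},
    "util-lib":   {"latest": "1.0.0", "released": {"1.0.0": "2022-01-10"}, "vulnerable": []},
    "json-lib":   {"latest": "3.1.0", "released": {"3.1.0": "2022-02-01"}, "vulnerable": []},
    "plot-lib":   {"latest": "1.2.0", "released": {"1.2.0": "2021-11-05"}, "vulnerable": []},
}

# Constructed SBOM in the CycloneDX JSON shape (only the fields the check uses).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "log4j-core", "version": "2.14.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "commons-io", "version": "2.4", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "util-lib", "version": "1.0.0"},                       # no license recorded
        {"name": "json-lib", "version": "3.1.0",
         "licenses": [{"license": {"name": "Custom internal license"}}]},
        {"name": "plot-lib", "version": "1.2.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})


def parse_version(text, width=3):
    """'2.14.1' -> (2, 14, 1). Keeps only the leading digits of each segment and pads
    to `width` so '2.4' and '2.4.0' compare equal; pre-release tags are ignored."""
    parts = []
    for seg in text.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < width:
        parts.append(0)
    return tuple(parts)


def license_of(component):
    """Return the SPDX id or free-text license name of a CycloneDX component, or None."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        return lic.get("id") or lic.get("name")
    return None


def component_findings(component, catalog, today):
    """Tag one component with the risk categories the audit figures describe."""
    name, version = component["name"], component["version"]
    info = catalog.get(name)
    if info is None:
        return ["unknown-component"]  # not in the index: cannot assess, flag for review
    findings = []
    v = parse_version(version)
    if v < parse_version(info["latest"]):
        findings.append("not-latest")
    released = info["released"].get(version)
    if released and (today - date.fromisoformat(released)).days > 4 * 365:
        findings.append("outdated-4y")
    if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in info["vulnerable"]):
        findings.append("known-vulnerable")
    lic = license_of(component)
    if lic is None:
        findings.append("no-license")
    elif lic in DENIED_LICENSES:
        findings.append("license-conflict")
    elif lic not in APPROVED_LICENSES:
        findings.append("custom-license")  # needs legal evaluation
    return findings


def audit(sbom_text, catalog=CATALOG, today=date(2022, 5, 1)):
    """Map component name -> list of findings for every component in the SBOM."""
    sbom = json.loads(sbom_text)
    return {c["name"]: component_findings(c, catalog, today) for c in sbom["components"]}


def summary(report):
    """Percentage of components carrying each finding, as the audit figures are reported."""
    counts = {}
    for findings in report.values():
        for f in set(findings):
            counts[f] = counts.get(f, 0) + 1
    return {f: round(100 * n / len(report)) for f, n in counts.items()}


if __name__ == "__main__":
    result = audit(SBOM_JSON)
    for name, findings in result.items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
    print(summary(result))
```

Running it flags the Log4j entry as both behind the latest release and inside the assumed vulnerable range, the decade-old component as more than four years out of date, and the three license cases separately, which is the split an organization needs to route findings to engineering versus legal. The check is only as good as the catalogue it runs against, which is the point of the quote above: the inventory has to be kept current, or the "forgotten" component never appears in the report.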