Nearly three-quarters of commercial codebases assessed for risk contain open-source components affected by high-risk vulnerabilities, according to the "Open Source Security and Risk Analysis" (OSSRA) report by Synopsys, Inc.
Alarming rise
Economic instability, layoffs of tech workers, and a decreasing number of resources available to patch vulnerabilities may all have contributed to the sharp increase in codebases with high-risk open-source vulnerabilities, from 48% in 2022 to 74% in 2023.
“The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open-source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking, and managing open-source effectively is a key element to strengthening the security of the software supply chain,” said Jason Schmitt, general manager of Synopsys Software Integrity Group.
Additional key findings
The study also revealed that 91% of codebases contained components that were ten or more versions out of date, and that around 49% of codebases contained components with no development activity in the past two years.
Moreover, the study found that 53% of codebases contained open-source license conflicts, and 31% were using code with either no discernible license or a customised license.
The researchers also observed that eight of the top 10 vulnerabilities trace back to one common weakness type, Improper Neutralisation (CWE-707), which covers the various forms of cross-site scripting among other injection-style flaws.