60 Percent of Commercial Codebases Contain Open Source Vulnerabilities, Suggests New Report


However, the percentage of codebases containing vulnerable components and license conflicts has decreased, as per the report.

Black Duck by Synopsys on Tuesday released its annual Open Source Security and Risk Analysis (OSSRA) report, which suggested that up to 60 percent of commercial codebases contain at least one vulnerability originating from open source components.

Titled “Understanding Open Source Risk and Why It’s So Important to Manage,” the report provides an in-depth look at the state of open source security, license compliance and code-quality risk in commercial software.

The Synopsys Cybersecurity Research Center (CyRC) team examined findings from the anonymized data of more than 1,200 commercial codebases reviewed by the Black Duck Audit Services team in 2018.

Of the total codebases reviewed by Black Duck, 96 percent contained open source components, according to the report.

Most of the codebases that contained no open source consisted of fewer than 1,000 files. More than 99 percent of the codebases scanned in 2018 with more than 1,000 files contained open source components.

On average, Black Duck identified 298 open source components per codebase in 2018 in comparison to 257 in 2017. This indicates the continued rise of open source adoption.

jQuery, open source software using the permissive MIT License, was found in 56 percent of the scanned codebases and in virtually every industry covered in the OSSRA report.

Other notable open source components found in the scans include Bootstrap, jQuery UI and Font Awesome.

Open Source Vulnerabilities

However, the report also found that 60 percent of the codebases reviewed contained at least one vulnerability, and 40 percent contained at least one high-risk vulnerability.

Surprisingly, this figure is down from 78 percent in 2017, which suggests that the security situation is improving.

The average age of the vulnerabilities found was 6.6 years. The oldest, CVE-2000-0388, is a buffer overflow flaw in the FreeBSD libmytinfo library, which was disclosed 28 years ago. In total, 43 percent of the codebases scanned contained a vulnerability more than 10 years old.

Some of the most critical vulnerabilities found included CVE-2018-7489, a remote code execution FasterXML jackson-databind security flaw; CVE-2017-15095, a deserialization flaw in jackson-databind; CVE-2014-0050, a denial-of-service (DoS) issue impacting Apache Tomcat, JBoss Web, and others; and CVE-2017-15708, a remote code execution bug in Apache Synapse.

The most common bug present in codebases was CVE-2012-6708, a medium-severity XSS problem impacting versions of jQuery before 1.9.0.

Organizations should focus their open source vulnerability management and mitigation efforts on CVSS scores and the availability of exploits, not only on "day zero" of a vulnerability disclosure but over the whole life cycle of the open source component, the researchers said.
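To illustrate the life-cycle triage the report recommends, here is an added Python example (not code from the report or from Black Duck's tooling): it matches a constructed component inventory against a small advisory list and ranks findings by public-exploit availability and CVSS score. The affected-version bound for CVE-2012-6708 (jQuery before 1.9.0) comes from the text above; the fixed version for CVE-2018-7489, the CVSS scores and the exploit flags are assumed values for illustration.

```python
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.8.3' into (1, 8, 3), padding so '1.9' compares equal to '1.9.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Advisory:
    cve: str
    component: str
    fixed_in: str          # first version that is not affected
    cvss: float            # assumed score, for illustration only
    exploit_public: bool   # assumed flag, for illustration only


# Constructed advisory list. The jQuery bound (< 1.9.0) is from the report;
# the jackson-databind fixed version, the scores and the exploit flags are assumptions.
ADVISORIES = [
    Advisory("CVE-2012-6708", "jquery", "1.9.0", 6.1, True),
    Advisory("CVE-2018-7489", "jackson-databind", "2.9.5", 9.8, True),
]

# Constructed component inventory, in the shape an SCA scan might produce.
INVENTORY = {"jquery": "1.8.3", "jackson-databind": "2.9.4", "bootstrap": "4.3.1"}


def is_affected(version: str, adv: Advisory) -> bool:
    """A component is affected while its version is below the first fixed version."""
    return parse_version(version) < parse_version(adv.fixed_in)


def priority(adv: Advisory) -> str:
    """Rank by exploit availability first, then CVSS, as the report advises."""
    if adv.exploit_public and adv.cvss >= 7.0:
        return "patch now"
    if adv.exploit_public or adv.cvss >= 7.0:
        return "schedule"
    return "track"


def triage(inventory: dict, advisories: list) -> list:
    """Return (cve, component, version, priority) per affected component, most urgent first."""
    hits = [(a, inventory[a.component]) for a in advisories
            if a.component in inventory and is_affected(inventory[a.component], a)]
    hits.sort(key=lambda h: (h[0].exploit_public, h[0].cvss), reverse=True)
    return [(a.cve, a.component, v, priority(a)) for a, v in hits]


if __name__ == "__main__":
    for row in triage(INVENTORY, ADVISORIES):
        print(row)
```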

Open source licensing conflicts

According to the report, open source license compliance continues to be a challenge, with 68 percent of codebases audited containing components with conflicts, and 38 percent containing components with no identifiable license.

But again, this number is slightly better than the 74 percent seen in last year’s OSSRA report.

“The main takeaway from this report is that the security and license compliance risk associated with the use of open source is very real, but it is the risk that can be managed with a proactive open source governance policy, automated tools like software composition analysis and an effective patching strategy,” Tim Mackey, senior technical evangelist at Synopsys, told LinuxInsider.


(With inputs from ZDNet and LinuxInsider)