High-risk open source vulnerabilities on the rise, Synopsys reports

The company’s annual Open Source Security and Risk Analysis report finds widespread use of open source components with high-risk vulnerabilities.


Nearly three-quarters of codebases assessed for risk by Synopsys in 2023 contained open source components with high-risk vulnerabilities, according to a just-released report from the company, a provider of application security testing tools.

While the share of codebases with at least one open source vulnerability held steady year over year at 84%, Synopsys said, the share containing high-risk vulnerabilities rose sharply, from 48% in 2022 to 74% in 2023. Synopsys defines a high-risk vulnerability as one that has been exploited in the wild, has a documented proof-of-concept exploit, or has been classified as a remote code execution vulnerability.

These findings were included in the company’s ninth annual Open Source Security and Risk Analysis (OSSRA) report, unveiled on February 27. The report is based on data from a Synopsys Black Duck Audit Services team analysis of anonymized findings from 1,067 codebases across 17 industries in 2023. The team audits thousands of customer codebases annually, with the goal of identifying software risks during merger and acquisition transactions.

Other findings in the Open Source Security and Risk Analysis report:

  • Organizations often depend on outdated or inactive open source components, with 91% of codebases containing components that were 10 or more versions out of date, and 49% of codebases containing components that had no development activity within the past two years. Nearly a quarter of codebases had vulnerabilities more than 10 years old.
  • The computer hardware and semiconductor industry had the highest percentage of high-risk open source vulnerabilities (88%) followed by manufacturing, industrials, and robotics at 87%. Among AI, business intelligence, machine learning, and big data companies, 66% of codebases were impacted by high-risk vulnerabilities.
  • Eight of the top 10 vulnerabilities involved improper neutralization weaknesses, a weakness type that includes cross-site scripting.
  • More than half of codebases were using code with open source license conflicts, and 31% had either no discernible license or a customized license.

Copyright © 2024 IDG Communications, Inc.