Synopsys has released a report that examines the findings of over 2,400 audits of commercial and proprietary codebases resulting from merger and acquisition transactions. The report highlights trends in open source usage in commercial and proprietary applications and provides insights to help developers better understand the interconnected software ecosystem.
According to the report, unmanaged open source exposes organisations to risks including security vulnerabilities, outdated or abandoned components, and licence compliance problems. The findings underline that open source is used in every industry and, in Synopsys's words, is at the heart of every application built today.
The use of out-of-date open source remains common, and vulnerable Log4j versions are among the components found. Of the 2,097 codebases that received security and operational risk assessments, 85 percent contained open source that was more than four years out of date, and 88 percent contained components that were not the most recent version available. A vulnerable version of Log4j was found in 5 percent of those codebases.
Open source vulnerabilities are decreasing overall. Among the same 2,097 codebases, 81 percent contained at least one known open source vulnerability, a small decrease of three percentage points from the 2021 OSSRA findings. The number of codebases harbouring high-risk open source vulnerabilities fell more sharply: 49 percent of audited codebases contained at least one high-risk vulnerability this year, down from 60 percent last year.
Licence conflicts are also declining overall. Just over half of the codebases (53 percent) contained licence conflicts, a significant drop from the 65 percent reported for 2020, and the individual licence conflicts tracked by the report decreased across the board between 2020 and 2021.
Open source with no licence or a customised licence was found in 20 percent of the codebases analysed. Because a software licence is what grants the right to use the software, a component without one raises the question of whether using it is permitted at all. Customised open source licences may also impose unfavourable conditions on the licensee and often require legal review for IP or other implications.
“Users of SCA software have focused their attention on reducing open source license issues and addressing high-risk vulnerabilities, and that effort is reflected in the decreases we saw this year in license conflicts and high-risk vulnerabilities,” says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center.
“The fact remains that over half of the codebases we audited still contained license conflicts and nearly half still contained high-risk vulnerabilities. Even more troubling was that 88% of the codebases [with risk assessments] contained outdated versions of open source components with an available update or patch that was not applied.”
“There are justifiable reasons for not keeping software completely up-to-date,” Mackey continued. “But, unless an organization keeps an accurate and up-to-date inventory of the open source used in their code, an outdated component can be forgotten until it becomes vulnerable to a high-risk exploit, and then the scramble to identify where it’s being used and to update it is on. This is precisely what occurred with Log4j, and why software supply chains and Software Bill of Materials (SBOM) are such hot topics.”
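The inventory Mackey describes above is, in practice, an SBOM checked against a policy. The following is an added example, not code from the Synopsys report or from any SCA product: it parses a small CycloneDX-style SBOM (constructed inline for a hypothetical Java application) and flags components that are older than an assumed organisational minimum version, lack a version altogether, or have no policy entry. The minimum versions in `MIN_VERSIONS` are an assumption for the example, not a statement of which versions a particular CVE affects, and the version comparison is a deliberately simple one that treats pre-release tags (`beta`, `rc`) as older than the matching release.

```python
"""Check a CycloneDX-style SBOM against a minimum-version policy.

Added example, not code from the Synopsys report. The SBOM and the policy below
are constructed for illustration; the minimum versions are an assumed
organisational threshold, not a list of versions affected by any specific CVE.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.4-style SBOM for a hypothetical Java application.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.9.10.8", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.8"},
    {"type": "library", "group": "org.apache.commons", "name": "commons-text",
     "version": "1.10.0", "purl": "pkg:maven/org.apache.commons/commons-text@1.10.0"},
    {"type": "library", "group": "com.example", "name": "old-lib",
     "purl": "pkg:maven/com.example/old-lib"}
  ]
}
"""

# Assumed policy (hypothetical): the oldest acceptable version per "group/name".
MIN_VERSIONS: Dict[str, str] = {
    "org.apache.logging.log4j/log4j-core": "2.17.1",
    "com.fasterxml.jackson.core/jackson-databind": "2.12.0",
    "org.apache.commons/commons-text": "1.10.0",
}

_TOKEN = re.compile(r"(\d+)|([A-Za-z]+)")


def parse_version(version: str) -> List[Tuple[int, object]]:
    """Tokenise '2.14.1' or '2.0-beta9' into comparable parts.

    Numeric parts become (1, n); alphabetic tags such as 'beta' or 'rc' become
    (0, tag), so a pre-release sorts below the release with the same numbers.
    """
    return [(1, int(num)) if num else (0, alpha.lower())
            for num, alpha in _TOKEN.findall(version)]


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Shorter versions are padded with zeros, so '2.0' equals '2.0.0' and
    '2.15.0-rc1' compares below '2.15.0'.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def component_key(component: dict) -> str:
    """Identify a component as 'group/name' (or just 'name' without a group)."""
    group = component.get("group")
    return f"{group}/{component['name']}" if group else component["name"]


def check_sbom(sbom_json: str, policy: Dict[str, str]) -> Dict[str, str]:
    """Map each component key to 'ok', 'outdated', 'missing-version' or 'no-policy'.

    A component with no version is reported before anything else: it is exactly
    the kind of entry that cannot be checked when the next Log4j-style event hits.
    """
    sbom = json.loads(sbom_json)
    results: Dict[str, str] = {}
    for comp in sbom.get("components", []):
        key = component_key(comp)
        version = comp.get("version")
        minimum = policy.get(key)
        if version is None:
            results[key] = "missing-version"
        elif minimum is None:
            results[key] = "no-policy"
        elif compare_versions(version, minimum) < 0:
            results[key] = "outdated"
        else:
            results[key] = "ok"
    return results


if __name__ == "__main__":
    for key, status in sorted(check_sbom(SBOM_JSON, MIN_VERSIONS).items()):
        print(f"{status:16} {key}")
```

Run stand-alone it lists every component with its status; in a pipeline the `outdated` and `missing-version` entries are the ones to fail a build on, while `no-policy` entries are the gap in the inventory that a real SCA tool or vulnerability feed would need to cover.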