
Open Source Software

Fewer vulnerabilities and risks, but rarely up-to-date

In a study, Synopsys analyzed 2,409 commercial and proprietary code bases. Although the report shows a reduction in risks, the majority of companies are unable to keep open source software up to date.


The Open Source Security and Risk Analysis (OSSRA) 2022 report was prepared by the Synopsys Cybersecurity Research Center (CyRC). Synopsys' Black Duck Audit Services team conducted 2,409 audits of commercial and proprietary code bases in the context of merger and acquisition transactions. The report highlights trends in the use of open source software in commercial and proprietary applications. At the same time, it provides insights into the interlocking software ecosystem and details the pervasive risks posed by poorly managed open source components, including security vulnerabilities, obsolete or orphaned components and license compliance issues.

The OSSRA 2022 report confirms that open source software is used almost everywhere, in every industry and forms the basis for every application developed today. The four key findings of the latest report are:

  • Outdated open source software is still the norm, including vulnerable Log4j versions. From an operational risk and maintenance perspective, 85 percent of the 2,097 code bases analyzed for security risks contain open source components that are more than four years out of date. 88 percent of the software components used are not the latest available version. Five percent contain a vulnerable version of Log4j.
  • The analyzed code bases show that open source vulnerabilities are decreasing overall. 2,097 of the 2,409 code bases were assessed for security and operational risk, and the number of code bases with high-risk open source vulnerabilities has fallen significantly: 49 percent of the code bases reviewed this year contain at least one high-risk vulnerability in open source software, compared to 60 percent in the previous year. In addition, 81 percent of the code bases reviewed contain at least one known open source vulnerability, a slight decrease of three percent compared to the results of the 2021 OSSRA report.
  • License conflicts are declining overall. More than half of the code bases, 53 percent, contain license conflicts, a significant decrease from 65 percent in 2020. Specific license conflicts also declined between 2020 and 2021.
  • 20 percent of the code bases examined contain open source components with no license or with a customized license. Licenses define the rights granted to users of the software; if software is used without a license, the critical question is whether its use carries a legal risk. Customized open source licenses can also impose undesirable requirements on the licensee, and companies often need a legal assessment of possible IP problems or other implications.

"Users of SCA (Software Composition Analysis) software have focused on addressing the licensing issues associated with open source and fixing high-risk vulnerabilities," said Tim Mackey, Principal Security Strategist at Synopsys Cybersecurity Research Center. "Nevertheless, the fact remains that over half of the codebases we reviewed still have license conflicts and nearly half have high-risk vulnerabilities. Even more worrying is that 88 percent of the codebases (with risk assessment) contain outdated versions of open source components. This is despite the fact that an update or patch is already available but has not been applied."

Tim Mackey continues: "There are legitimate reasons for not keeping software completely up to date. But if companies fail to keep an accurate and up-to-date inventory of the open source software used in their code, outdated components can be forgotten. Over time, this can lead to them becoming susceptible to a high-risk security vulnerability. And then you have to work hard to find out where the component in question is being used so that you can update it. This is exactly what happened with Log4j. That's why software supply chains and a software bill of materials (SBOM) have become key issues."
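The two operational-risk metrics from the key findings (components more than four years out of date, components that are not the latest available version) and the inventory problem Mackey describes (finding every application that ships a given component) are both simple queries over a software bill of materials. The following script is an added illustration and is not code from Synopsys, Black Duck or the OSSRA report. It assumes SBOMs in the CycloneDX JSON shape, a constructed catalogue of latest versions and release dates, hypothetical component names, a constructed audit date and a simplified dotted-version comparison.

```python
import json
from datetime import date

# Two constructed SBOMs in the CycloneDX JSON shape (sample data, not from the report).
SAMPLE_SBOMS = {
    "billing-service": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-logging", "version": "2.0.1"},
            {"type": "library", "name": "example-http", "version": "4.5.13"},
            {"type": "library", "name": "example-json", "version": "1.9.0"},
        ],
    },
    "customer-portal": {
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "example-logging", "version": "2.17.0"},
            {"type": "library", "name": "example-crypto", "version": "1.1.0"},
            {"type": "library", "name": "example-unlisted", "version": "0.3.0"},
        ],
    },
}

# Constructed catalogue: latest known version and release dates (hypothetical values;
# in practice this comes from the package registry or an SCA tool's feed).
CATALOG = {
    "example-logging": {"latest": "2.17.0",
                        "released": {"2.0.1": date(2015, 3, 1), "2.17.0": date(2021, 12, 18)}},
    "example-http":    {"latest": "4.5.13",
                        "released": {"4.5.13": date(2020, 10, 6)}},
    "example-json":    {"latest": "2.13.0",
                        "released": {"1.9.0": date(2012, 1, 15), "2.13.0": date(2021, 11, 1)}},
    "example-crypto":  {"latest": "1.1.0",
                        "released": {"1.1.0": date(2021, 6, 1)}},
}

AUDIT_DATE = date(2022, 1, 31)  # constructed reference date for the age calculation


def load_sbom(path):
    """Read a CycloneDX JSON SBOM from disk (the samples above use the same shape)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_version(text):
    """Split a dotted version into comparable integers; non-numeric parts count as 0."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def components(sbom):
    return [(c["name"], c["version"]) for c in sbom.get("components", [])]


def assess(sbom, catalog, audit_date=AUDIT_DATE, max_age_years=4):
    """Classify each component along the report's two staleness metrics."""
    result = {"total": 0, "not_latest": [], "older_than_limit": [], "unknown": []}
    for name, version in components(sbom):
        result["total"] += 1
        entry = catalog.get(name)
        if entry is None:
            # A component nobody can look up is itself a finding: it cannot be patched on purpose.
            result["unknown"].append((name, version))
            continue
        if parse_version(version) < parse_version(entry["latest"]):
            result["not_latest"].append((name, version, entry["latest"]))
        released = entry["released"].get(version)
        if released is not None and (audit_date - released).days > max_age_years * 365.25:
            result["older_than_limit"].append((name, version, released.isoformat()))
    return result


def where_used(sboms, component_name):
    """Answer 'which applications ship this component, and at which version?'"""
    hits = []
    for app, sbom in sboms.items():
        for name, version in components(sbom):
            if name == component_name:
                hits.append((app, version))
    return sorted(hits)


if __name__ == "__main__":
    for app, sbom in SAMPLE_SBOMS.items():
        print(app, assess(sbom, CATALOG))
    print(where_used(SAMPLE_SBOMS, "example-logging"))
```

The `where_used` query is the part that has to work on the day a widely used component turns out to be vulnerable: without a current SBOM per application, the answer is a manual search through build files. The four-year threshold and the "not latest" test are deliberately separate lists, because a component can be far behind the latest release yet still within its vendor's support window, and the two lists call for different follow-up.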

The complete report "Open Source Security and Risk Analysis (OSSRA) 2022" can be found on the Synopsys website: www.synopsys.com/software-integrity/resources/analyst-reports/open-source-security-risk-analysis.html?cmp=pr-sig&utm_medium=referral
