Six takeaways from the 2025 “Open Source Security and Risk Analysis” report

Feb 25, 2025 / 5 min read

Table of Contents

Open source trends
Recommendations from OSSRA 2025
Download the report

With data drawn from Black Duck audits of nearly 1,000 commercial applications, the 2025 “Open Source Security and Risk Analysis” (OSSRA) report highlights the pervasive nature of open source software and the significant risks associated with its unmanaged use. While emphasizing that open source software provides myriad benefits, the report also notes that widespread vulnerabilities, license conflicts, and maintenance challenges in open source need to be recognized and addressed.

The core message of OSSRA 2025 is that organizations must have comprehensive visibility into their code, proactively manage open source risk, and adopt robust security and compliance practices. The report emphasizes the critical need for software composition analysis (SCA) tools, Software Bills of Materials (SBOMs), and secure coding practices by developers.

Open source trends

Ubiquitous open source, hidden risks

The 2025 OSSRA report found that open source software is nearly universal in commercial applications, with 97% of all applications evaluated for the report containing open source. Most of the open source is being downloaded from package manager repositories, with most components originating from npm, a massive public database of JavaScript packages. The report also indicates a significant increase in the number of open source files found in an average application, which has tripled over the last four years. Furthermore, 64% of these open source components were transitive dependencies; that is, open source components that other components rely on. This can create significant visibility problems, with the reporting noting, “Finding all instances of transitive dependencies can be like searching for a needle in a haystack when you lack an up-to-date inventory of third-party code.”

87% of the codebases contained open source

Prevalence of vulnerabilities

Given the time-to-market, cost savings, and development advantages of leveraging open source components, it’s no surprise that companies rely so heavily on them as part of their software development process. But the large number of discrete open source components in any given application speaks to the challenge of tracking it all. The report found 86% of audited applications contained open source vulnerabilities, with 81% of the applications containing high- or critical-risk vulnerabilities. The most prevalent high-risk vulnerabilities were found in jQuery components, with 8 of the top 10 high-risk vulnerabilities found in jQuery. The report notes that those vulnerabilities impacted outdated versions of jQuery and had available patches. The top vulnerability identified (CVE-2020-11023) affecting jQuery is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation.

Many of the top vulnerabilities identified in OSSRA 2025 are related to cross-site scripting (XSS). An equally large number are linked to improper input validation. The report recommends that software developers prioritize input validation and sanitization techniques to prevent cross-site scripting and other injection attacks noting, “Utilizing security analysis tools such as Coverity® Static Analysis and Continuous Dynamic™ to identify potential vulnerabilities arising from inadequate checks on user-submitted data, like form inputs or API parameters, can help ensure that only expected data formats and values are accepted, thereby mitigating risks like SQL injection, cross-site scripting, and other injection attacks.”

Licensing and compliance challenges

The 2025 OSSRA indicated that license conflicts are widespread, affecting over half of the audited applications: 56% of all audited applications had license conflicts and 33% had open source software components with no license or a customized license. Transitive dependencies are also a major contributor to license conflicts. According to OSSRA 2025, "Nearly 30% of component license conflicts found in our audits were caused by transitive dependencies."

The report notes that it is not uncommon for developers to make code publicly available without specific license terms. The use of AI-assisted coding tools has also resulted in code being added to software without proper attribution.

56% of all codebases had license conflicts

Maintenance and operational risks

The most widely used open source today is developed and maintained by only a handful of contributors, according to the Linux Foundation’s Census II of Free and Open Source Software report. This small number of contributors working to ensure updates, including security and stability updates, decreases over time on almost all open source software projects. The OSSRA findings show that 91% of audited applications contain outdated open source software components, and 90% of the applications contain components more than 10 versions behind the most current version.

The importance of SBOMs

The report calls SBOMs essential for achieving visibility into code and managing software risk. According to OSSRA 2025, SBOMs are becoming a requirement in many vendor contracts and facilitate risk management, vulnerability management, license compliance, and software quality improvements.

Industry-specific insights

As the OSSRA report findings show, open source components and libraries form the backbone of nearly every application in every industry. By industry, the percentages of open source in the codebases ranged from 100% to a “low” of 79%. Industries with the highest rates of vulnerabilities in their audited codebases were the Internet and Mobile Apps, Marketing Tech, and Computer Hardware/Semiconductors sectors. The industries with the highest rates of license conflicts include Big Data, AI, EdTech, and Financial Services.

Key recommendations from OSSRA 2025

Effective open source management practices are critical for ensuring both compliance and security of your software applications. The OSSRA report identifies several key strategies to help your organization navigate the complexity of open source software.

Implement SCA tools. Use an SCA tool to create SBOMs and identify open source vulnerabilities and licenses.
Prioritize risk management. Focus on high-risk issues that can impact your business.
Regularly update open source software. Patch vulnerabilities in a timely manner.
Establish secure coding practices. Focus on input validation and sanitation when writing code.
Monitor open source software maintenance. Track updates and ensure healthy open source projects are being used in your code.
Create SBOMs. Require details on the components, licenses, versions, etc. in the software used by your organizations, whether created internally or supplied by third parties.
Integrate open source software management. Include these activities as part of your organization's standard software development life cycle.

The 2025 OSSRA report makes clear that using open source software requires active, comprehensive, and continuous management. The report emphasizes that organizations must gain visibility into their software supply chains, secure their code, proactively manage licenses, and maintain up-to-date software to avoid potential security, operational, and legal problems. Failing to manage risk is not an option. Organizations need to know without question what's in their code.