Subscribe
The 2025 āOpen Source Security Risk and Analysisā (OSSRA) report, released last month, provides a comprehensive overview of the current state of open source software, including insights into software security, license, and compliance risks. In this blog post, weāll dive into some of the data from the 2025 OSSRA report to answer some of the most common questions about open source.
How pervasive is open source software in commercial applications?
Open source software (OSS) is exceptionally pervasive; the OSSRA report found that 97% of all codebases evaluated contained open source. In some sectors, like Computer Hardware/Semiconductors, EdTech, and Internet and Mobile Apps, that figure reaches 100%.
Moreover, the volume of open source components within applications is rapidly growing. The number of open source files in an average application has tripled in just the last four years, highlighting the crucial need for enhanced visibility and risk management.
What are transitive dependencies and why are they a problem?
Transitive dependencies are open source components that are indirectly included in a project because they are dependencies of other, directly used components. They are a problem because they create a complex web of interdependencies that are often difficult to track and manage.
In the applications audited for the OSSRA report, 64% of open source components were transitive dependencies. This lack of visibility makes it extremely challenging to identify and remediate vulnerabilities, resolve license conflicts, or ensure code quality with these nested dependencies.
What types of vulnerabilities are commonly found in open source software, and which components are most affected?
The OSSRA report found that 86% of risk-assessed applications contained at least one vulnerable open source component, and 81% had high- or critical-risk vulnerabilities.
The report also found that most prevalent high-risk vulnerabilities are found in the jQuery library. Other frequently vulnerable components include jackson-databind and the Spring Framework. Cross-site scripting (XSS) is a common vulnerability that often stems from improper input validation. The top vulnerability identified, CVE-2020-11023, is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating it is being actively exploited in the wild.
What are the main challenges related to open source software licenses, and how can they impact an organization?
According to the OSSRA report, 56% of audited applications contained license conflicts. This occurs when the licenses of open source components clash with each other or with the overall license of the project.
Thirty-three percent of codebases also had open source software components with no license or with customized license terms. Transitive dependencies are a common source of license conflicts, and customized licenses (like the JSON license) can create issues that result in legal problems, loss of intellectual property, and time-consuming remediation efforts.
What is a Software Bill of Materials and why is it important for managing open source risk?
A Software Bill of Materials (SBOM) is a formal, comprehensive inventory of all the software components and their dependencies used to build an application, including open source libraries, third-party modules, and associated metadata such as licenses and versions. It is essential for managing risk, vulnerabilities, and license compliance. SBOMs enable organizations to achieve the necessary visibility, transparency, security, and integrity within their software supply chains. As such, many customers now require SBOMs from vendors in their contracts.
How do software composition analysis tools assist in managing open source risk, and how do they generate SBOMs?
Software composition analysis (SCA) tools are crucial for generating SBOMs and managing open source risks. They perform various types of code scanning, including manifest, binary, hybrid, and snippet scanning to identify all components and their dependencies. SCA tools then conduct dependency analysis, identifying transitive relationships and comparing identified components against vulnerability databases and license repositories. This analysis allows SCA tools to prioritize vulnerabilities based on severity, exploitability, and potential impact, and the results inform the creation of a comprehensive SBOM.
Why is it important to keep open source components up-to-date, and what operational risks do outdated components present?
Outdated open source components were found in 91% of scanned applications, with 90% of codebases containing components that were more than 10 versions behind the most current version. This lack of maintenance leaves applications vulnerable to known security flaws. These outdated components, often not maintained by large, active communities, lead to potential exploitation and can increase costs due to emergency patching. Itās critical to keep open source software components up-to-date through regular checks, tracking updates, and automated security services.
What does the OSSRA report recommend for effectively managing open source risks, especially in the context of mergers and acquisitions?
The report strongly recommends implementing SCA tools to create SBOMs, identify vulnerabilities, and manage licenses. It emphasizes prioritizing high-risk vulnerabilities, regularly updating open source components, and establishing secure coding practices, including input validation and sanitization. It also suggests tracking open source maintenance and integrating open source management into an organization's secure software development life cycle.
For merger and acquisition (M&A) transactions, the report stresses the use of third-party audits to vet acquisition targets, understand risks, and resolve potential issues before a transaction closes. Proactive sellers can use audits to avoid surprises during due diligence, and acquirers must evaluate potential risks and ensure they can adhere to all license terms.
Conclusion
Whether youāre in the business of developing software or using software to run your business, having a comprehensive view into your code is critical to proactively manage open source risks in your applications. Learn how to strengthen your software supply chain and implement open source security best practices with key recommendations from the 2025 OSSRA report.
What's in your code?
Explore insights into the current state of open source security and get recommendations for securing your open source supply chain
Download the report
Continue Reading
Six takeaways from the 2025 āOpen Source Security and Risk Analysisā report
Feb 25, 2025 / 5 min read