Majority of commercial codebases contain high-risk open-source code

Nearly three-quarters of all commercial codebases contain open-source software with high-risk vulnerabilities.

That’s according to a new report from Synopsys, a cybersecurity vendor, which found that 96 percent of codebases audited, covering 17 industries, contained some open source software.

Meanwhile, 84 percent of company codebases contained at least one vulnerability in the open-source software used, and 74 percent contained high-risk vulnerabilities, according to the ninth edition of the annual “Open Source Security and Risk Analysis” report from Synopsys.

The report, based on 1,097 commercial codebase audits done in 2023, noted a sharp increase in organizations using open-source software containing high-risk vulnerabilities compared with 2022, when audits found 48 percent of codebases with high-risk vulnerabilities.

The report attributes the jump in high-risk vulnerabilities to several likely factors, including security staff layoffs during the recent economic downturn. Ninety-one percent of the audited codebases contained open-source components that were 10 versions or more behind the most current version available.

In addition, 49 percent of the codebases contained components with no development activity within the previous two years.

The report points to the need for companies to patch open-source software and components, said Mike McGuire, senior software solutions manager at Synopsys Software Integrity Group.

“It’s unpatched vulnerabilities that have led to some of the most significant data breaches,” he said. “Arguably, it’s the duty of these companies to address vulnerabilities, especially if they’re a commercial software vendor, or are otherwise handling sensitive information.”

Still, not all vulnerabilities are created equal, and there are probably a “small handful” of vulnerabilities identified in the report that need to be resolved immediately, outside of a regular release cycle, he added.

“It’s crucial that an organization adopt the processes and resources to not only identify vulnerabilities, but also effectively prioritize which ones need urgent attention,” McGuire said.

Many eyes do help

Advocates of open-source software have long argued that many eyes on code lead to fewer bugs and vulnerabilities, and the report doesn’t disprove that assertion, McGuire said.

“If anything, the report supports that belief,” he said. “The fact that there are so many disclosed vulnerabilities and CVEs serves as a testament to how active, vigilant, and reactive the open-source community is, especially when it comes to addressing security issues. It’s this very community that is doing the discovery, disclosure, and patching work.”

However, users of open-source software aren’t doing a good job of managing it or implementing the fixes and workarounds provided by the open-source community, he said. The primary purpose of the report is to raise awareness about these issues and to help users of open-source software better mitigate the risks, he said.

“We would never recommend any software producer avoid using, or tamp down their usage, of open source,” he added. “In fact, we would argue the opposite, as the benefits of open source far outweigh the risks.”

Open-source software has accelerated digital transformation and allowed companies to develop innovative applications that consumers want, he said. “Any software builder that isn’t using open source is bound to be left behind by their industry and their competitors.”

The report found eight of the top 10 open-source vulnerabilities related to improper neutralization, which is number 707 in the Common Weakness Enumeration (CWE) list of software and hardware weaknesses maintained by MITRE. CWE-707 describes software that does not ensure data is well-formed and meets the required security properties before it is read from an upstream component or sent to a downstream component. The familiar injection weaknesses sit underneath it: a failure to neutralize input leads to exploits such as cross-site scripting (CWE-79) and SQL injection (CWE-89).
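To make the CWE-707 family concrete, here is an added example (not code from the report or from Synopsys) that puts a SQL injection and a cross-site scripting bug beside their neutralized forms. The `users` table, the row data and the function names are constructed for illustration; the point is that the safe variants keep untrusted data out of the SQL grammar and the HTML grammar respectively, rather than trying to filter bad characters.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    # CWE-89: the untrusted value is spliced into the query text, so the
    # database parses attacker-supplied characters as SQL structure.
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Parameter binding sends the value out of band; the engine never
    # re-parses it, so quotes and keywords inside it are inert data.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def greet_vulnerable(name):
    # CWE-79: the value is reflected into HTML unchanged, so markup in it
    # becomes markup in the page.
    return f"<p>Hello, {name}</p>"


def greet_safe(name):
    # Neutralize for the HTML text context by escaping the characters that
    # have meaning there (&, <, >, and both quote styles).
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo():
    """Run both bugs against classic payloads and return the observed results."""
    conn = make_db()
    sqli = "x' OR '1'='1"          # constructed injection payload
    xss = "<script>alert(1)</script>"  # constructed reflected-XSS payload
    results = {
        "vulnerable_rows": find_user_vulnerable(conn, sqli),
        "safe_rows": find_user_safe(conn, sqli),
        "vulnerable_html": greet_vulnerable(xss),
        "safe_html": greet_safe(xss),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns every row for the `x' OR '1'='1` payload because the tautology rewrote the WHERE clause; the bound-parameter version returns nothing, since no user is literally named that. Likewise the escaped greeting contains `&lt;script&gt;` rather than an executable tag. Note that `html.escape` is correct only for HTML text and attribute-value contexts; data placed into a URL, a JavaScript string or a CSS value needs the encoder for that context.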

In addition, the audits conducted for the Synopsys report found that 53 percent of the codebases contained open-source software licensing conflicts, potentially leading to copyright and licensing problems. Open-source code can't just be copied at will: it comes with obligations, such as preserving the license and attribution notices or, for copyleft licenses, redistributing derived works under the same terms.

The MIT License was found in 92 percent of the codebases, while the Apache 2.0 License was found in 89 percent. Both are considered relatively permissive licenses, imposing the fewest restrictions on users. Creative Commons licenses were found in the 2023 audits to be the most prevalent cause of license conflict. Creative Commons ShareAlike 3.0 was found to be the cause of 17 percent of the identified license conflicts.

The rising trend of using AI code generation tools, some of which may have been trained on open-source software, can also expose enterprises to licensing risk. The report warns that such tools may produce code with the potential for license violations and intellectual property infringement.
