At least one open-source vulnerability found in 84% of code bases
In a landscape where almost all software uses open-source code, at least one known open-source vulnerability was detected in 84% of the code bases examined. Researchers at the application security company Synopsys investigated and found vulnerabilities in all commercial and proprietary code bases.
Synopsys researchers also found high-risk vulnerabilities in 48% of the code bases they analyzed. High-risk means the vulnerability has been actively exploited, already has a documented proof-of-concept exploit, or is categorized as a remote code execution vulnerability.
Synopsys’s Open Source Security and Risk Analysis (OSSRA) 2023 report includes data on both open-source license compliance and vulnerability information. Moreover, their Audit Services team conducted the audits of code bases included in merger and acquisition transactions. The report features trends in open-source usage across 17 different industries.
A total of 1,481 code bases were analyzed for vulnerabilities and open-source licensing compliance, while an additional 222 code bases were examined solely for compliance.
Open-source vulnerability increases
The OSSRA report shows that the number of known open-source vulnerabilities increased by 4% from the previous year. All code bases examined in the study were obtained from companies in the aerospace, aviation, automotive, transportation, and logistics industries. Altogether, open-source code made up 73% of the total code analyzed.
The OSSRA report also indicates that the percentage of open-source code has been increasing in code bases across all industry verticals over the past five years. Between 2018 and 2022, the proportion of open-source code within examined code bases increased by 163% in the education technology sector.
In the aerospace, aviation, automotive, transportation, and logistics sectors, it rose by 97%, while in the manufacturing and logistics sectors the percentage increased by 163%.
According to the report, there has been a surge in high-risk vulnerabilities across all industries. Companies in the aerospace, aviation, automotive, transportation, and logistics industries saw a 232% increase in high-risk vulnerabilities in 5 years. High-risk vulnerabilities in IoT-related code bases have risen by 130% since 2018.
High-risk vulnerabilities, those with a CVSS severity score of 7 or higher, were detected in 63% of all code bases. In the energy and clean tech sector, 78% of the total code was open source, and 69% of that contained high-risk vulnerabilities.
Patches available but not applied
Out of the 1,481 code bases analyzed by the researchers, 91% had outdated versions of open-source components. This indicates that an update or patch was available but not applied.
One possible explanation for this is that DevSecOps teams may consider the risk of unintended consequences to be greater than the potential benefits of applying the newer version. Additionally, researchers suggest that time and resources could also be contributing factors.
The report highlighted that DevSecOps teams may not be aware that newer versions of open-source components are available; in some cases, they may not even know that these components exist in their code.
Software bills of materials (SBOMs)
According to the report, utilizing a software bill of materials (SBOM) can assist organizations in preventing vulnerability exploits and maintaining up-to-date open-source code.
A comprehensive SBOM groups all open-source components utilized in applications, alongside information on licenses, versions, and patch statuses. By creating an SBOM of open-source components, organizations can rapidly identify high-risk components and prioritize necessary remediation effectively.
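The two uses the report describes for an SBOM, spotting components with an available but unapplied update and ranking components by the high-risk criteria given above (actively exploited, documented proof-of-concept, remote code execution, or CVSS 7 or higher), can be shown in a short triage script. The following is an added example, not code from Synopsys or the OSSRA report: the CycloneDX-style SBOM document, the "latest release" table and the advisory records are all constructed for the illustration, and the advisory identifiers are placeholders rather than real CVEs.

```python
"""Triage a minimal SBOM: flag outdated components and rank known advisories.

Added example. The SBOM, the latest-version table and the advisory feed
below are constructed for illustration; in practice they would come from
your build tooling, a package registry and a vulnerability feed.
"""
import json

# Constructed CycloneDX-style SBOM (only the fields this example needs).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "liba", "version": "1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libb", "version": "4.0.1",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "libc", "version": "0.9.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed "latest known release" table, standing in for a registry lookup.
LATEST_VERSION = {"liba": "1.4.2", "libb": "4.0.1", "libc": "1.1.0"}

# Constructed advisory feed. The identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "liba", "affected_below": "1.3.0",
     "cvss": 9.8, "exploited": True, "poc": False, "rce": True},
    {"id": "ADV-EXAMPLE-0002", "component": "libc", "affected_below": "1.0.0",
     "cvss": 5.3, "exploited": False, "poc": False, "rce": False},
    {"id": "ADV-EXAMPLE-0003", "component": "libc", "affected_below": "1.1.0",
     "cvss": 7.5, "exploited": False, "poc": True, "rce": False},
]


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a tuple of ints so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_high_risk(adv):
    """High risk as the report defines it: actively exploited, documented
    proof-of-concept, remote code execution, or CVSS 7.0 or higher."""
    return adv["exploited"] or adv["poc"] or adv["rce"] or adv["cvss"] >= 7.0


def load_components(sbom_text):
    """Extract name, version and license ids from each SBOM component."""
    doc = json.loads(sbom_text)
    return [
        {"name": c["name"], "version": c["version"],
         "licenses": [lic["license"]["id"] for lic in c.get("licenses", [])]}
        for c in doc.get("components", [])
    ]


def outdated_components(components, latest=LATEST_VERSION):
    """Names of components for which a newer release exists (patch available, not applied)."""
    return [
        c["name"] for c in components
        if c["name"] in latest
        and parse_version(c["version"]) < parse_version(latest[c["name"]])
    ]


def matching_advisories(components, advisories=ADVISORIES):
    """Advisories whose affected range covers the version actually shipped."""
    installed = {c["name"]: parse_version(c["version"]) for c in components}
    return [
        adv for adv in advisories
        if adv["component"] in installed
        and installed[adv["component"]] < parse_version(adv["affected_below"])
    ]


def triage(sbom_text):
    """Return outdated components and advisories ranked high-risk first, then by CVSS."""
    comps = load_components(sbom_text)
    ranked = sorted(matching_advisories(comps),
                    key=lambda a: (not is_high_risk(a), -a["cvss"]))
    return {
        "outdated": outdated_components(comps),
        "high_risk_ids": [a["id"] for a in ranked if is_high_risk(a)],
        "ranked_ids": [a["id"] for a in ranked],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SBOM_JSON), indent=2))
```

Running the script reports `liba` and `libc` as outdated (a newer release exists for each) and ranks ADV-EXAMPLE-0001 first because it is actively exploited, ADV-EXAMPLE-0003 next because it has a proof-of-concept and scores above 7, and ADV-EXAMPLE-0002 last. The version comparison is deliberately simple; real components use pre-release tags and distribution-specific schemes that need a proper version library.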
These open-source vulnerability statistics are concerning, as they indicate that a large number of organizations are neglecting crucial measures to protect their code, which may expose them to security threats. By using appropriate tools and establishing effective processes, organizations can safeguard their code and shield themselves from possible security breaches.
The sources for this article include a story from CSO.