Security vulnerabilities in open source projects have been a major threat to enterprises for years – and new research shows the issue is still causing havoc.
Research from Black Duck’s annual open source security report found 86% of codebases contained open source vulnerabilities. The report added that 81% of those were classified as high or critical risk, compared to 74% identified in the previous year.
Black Duck said this likely signals an inability among developer organizations to keep track of the vast number of software dependencies they’re using and prioritize the remediation of vulnerabilities.
As increasingly common software supply chain requirements such as SBOM require organizations to get their software estate in order, getting on top of their dependency management is essential.
For example, Black Duck found the average application contains 911 open source dependencies, many of which are out of date or have lost community support.
It also discovered 91% of all codebases contained outdated open source software (OSS) components, with 90% featuring components more than ten versions behind the most current.
Black Duck warned that by failing to properly clean codebases of these dependencies, firms are only giving themselves more work when they have to put together software bill of materials (SBOM) reports and risk evaluations.
The study also suggested that a shift towards web-based multi-tenant SaaS applications was responsible for the higher proportion of high severity vulnerabilities.
The jQuery JavaScript library was identified as a particularly common area for weaknesses, accounting for eight of the top ten high-risk vulnerabilities Black Duck spotted.
It warned this is not necessarily indicative of a particular vulnerability with jQuery but the fact that an increasing number of organizations are adopting applications that leverage jQuery.
Transitive dependencies will bring new licensing headaches for businesses
One of the biggest differences the report observed between this year’s and last year’s study was license conflicts between open source components in the same codebase, noting this has increased the average number of license conflicts from 20 to 69.
The report found 56% of the audited codebases featured license conflicts, adding that ‘transitive dependencies’ were responsible for 30% of the license conflicts it found.
Transitive dependencies describe a situation where different software components indirectly rely on one another to properly function. This creates a complex web of interdependencies within and across codebases that can be very hard to manually keep track of.
Overall, 64% of OSS components in the audited application codebases were transitive dependencies.
In addition, the report noted that a third of codebases contained open source components with no license or a customized license, which would likely require legal review.
Black Duck emphasized that if one transitive dependency in the chain uses a restrictive license, this can potentially affect the licensing of the entire application even if the direct dependency has a more permissive license.
The firm predicted that businesses can expect to see an increase in license conflicts in the coming years, with AI coding assistants introducing another way for open source components to be introduced into applications without proper source attribute and thus licensing.
MORE FROM ITPRO
