Security vulnerabilities in open source projects have been a major threat to enterprises for years – and new research shows the issue is still causing havoc.
Research from Black Duck’s annual open source security report found 86% of codebases contained open source vulnerabilities. The report added that 81% of those were classified as high or critical risk, compared to 74% identified in the previous year.
Black Duck said this likely signals an inability among developer organizations to keep track of the vast number of software dependencies they’re using and prioritize the remediation of vulnerabilities.
As increasingly common software supply chain requirements such as SBOM require organizations to get their software estate in order, getting on top of their dependency management is essential.
For example, Black Duck found the average application contains 911 open source dependencies, many of which are out of date or have lost community support.
It also discovered 91% of all codebases contained outdated open source software (OSS) components, with 90% featuring components more than ten versions behind the most current.
Black Duck warned that by failing to properly clean codebases of these dependencies, firms are only giving themselves more work when they have to put together software bill of materials (SBOM) reports and risk evaluations.
The study also suggested that a shift towards web-based multi-tenant SaaS applications was responsible for the higher proportion of high severity vulnerabilities.
The jQuery JavaScript library was identified as a particularly common area for weaknesses, accounting for eight of the top ten high-risk vulnerabilities Black Duck spotted.
It warned this is not necessarily indicative of a particular vulnerability with jQuery but the fact that an increasing number of organizations are adopting applications that leverage jQuery.
Transitive dependencies will bring new licensing headaches for businesses
One of the biggest differences the report observed between this year’s and last year’s study was license conflicts between open source components in the same codebase, noting this has increased the average number of license conflicts from 20 to 69.
The report found 56% of the audited codebases featured license conflicts, adding that ‘transitive dependencies’ were responsible for 30% of the license conflicts it found.
Transitive dependencies describe a situation where different software components indirectly rely on one another to properly function. This creates a complex web of interdependencies within and across codebases that can be very hard to manually keep track of.
Overall, 64% of OSS components in the audited application codebases were transitive dependencies.
RELATED WHITEPAPER
In addition, the report noted that a third of codebases contained open source components with no license or a customized license, which would likely require legal review.
Black Duck emphasized that if one transitive dependency in the chain uses a restrictive license, this can potentially affect the licensing of the entire application even if the direct dependency has a more permissive license.
The firm predicted that businesses can expect to see an increase in license conflicts in the coming years, with AI coding assistants introducing another way for open source components to be introduced into applications without proper source attribute and thus licensing.
MORE FROM ITPRO
- Open source malware surged by 156% in 2024
- Warning issued over prolific 'Ghost' ransomware group
- Flaws in a popular dev library could let hackers run malicious code in your MongoDB database
-
The Race Is On for Higher Ed to Adapt: Equity in Hyflex Learning -
Google faces 'first of its kind' class action for search ads overcharging in UKNews Google faces a "first of its kind" £5 billion lawsuit in the UK over accusations it has a monopoly in digital advertising that allows it to overcharge customers.
-
Open source security in the spotlight as UK gov publishes fresh guidanceNews The UK government has issued guidance on how organizations should manage their use of open source software components and mitigate supply chain risks.
-
Flaws in a popular dev library could let hackers run malicious code in your MongoDB databaseNews A popular third party library of MongoDB could allow attackers to execute malicious code on company servers.
-
Microsoft defends “negligent” security approach that prolonged vulnerability fix for five monthsNews The tech giant has refuted claims that its practices have left customers “in the dark”
-
Google patches second Chrome browser zero-day of 2022News Google acted quickly to secure against the type confusion vulnerability that was under active exploitation
-
Google Chrome update fixes zero-day under active exploitationNews Google releases a fresh wave of patches for severe vulnerabilities that could facilitate code execution and system takeover via Google Chrome
-
CISA updates must-patch bug list for federal agenciesNews Latest collection includes bugs up to seven years old that are still exploited in the wild
-
Visa card holders using Apple Pay warned of payment exploit that bypasses user authenticationNews Commuters are being urged to disable Apple Pay express transit mode for Visa cards
-
Google reveals five high-risk flaws in Chrome browserNews Updated Chrome 93 fixes these serious vulnerabilities
