86% of enterprise codebases contain open source vulnerabilities
Open source vulnerabilities and licensing headaches continue to put businesses at risk


Security vulnerabilities in open source projects have been a major threat to enterprises for years – and new research shows the issue is still causing havoc.
Research from Black Duck’s annual open source security report found 86% of codebases contained open source vulnerabilities. The report added that 81% of those were classified as high or critical risk, compared to 74% identified in the previous year.
Black Duck said this likely signals an inability among developer organizations to keep track of the vast number of software dependencies they’re using and prioritize the remediation of vulnerabilities.
As software supply chain requirements such as software bills of materials (SBOMs) become increasingly common and oblige organizations to get their software estate in order, getting on top of dependency management is essential.
For example, Black Duck found the average application contains 911 open source dependencies, many of which are out of date or have lost community support.
It also discovered 91% of all codebases contained outdated open source software (OSS) components, with 90% featuring components more than ten versions behind the most current.
Black Duck warned that by failing to properly clean codebases of these dependencies, firms are only giving themselves more work when they have to put together software bill of materials (SBOM) reports and risk evaluations.
The study also suggested that a shift towards web-based multi-tenant SaaS applications was responsible for the higher proportion of high severity vulnerabilities.
The jQuery JavaScript library was identified as a particularly common area for weaknesses, accounting for eight of the top ten high-risk vulnerabilities Black Duck spotted.
It warned this is not necessarily indicative of a particular vulnerability in jQuery itself, but rather reflects the fact that an increasing number of organizations are adopting applications that leverage jQuery.
Transitive dependencies will bring new licensing headaches for businesses
One of the biggest differences the report observed between this year’s and last year’s study was in license conflicts between open source components in the same codebase, with the average number of license conflicts rising from 20 to 69.
The report found 56% of the audited codebases featured license conflicts, adding that ‘transitive dependencies’ were responsible for 30% of the license conflicts it found.
Transitive dependencies are components that a codebase pulls in indirectly, because a component it depends on directly has dependencies of its own. This creates a complex web of interdependencies within and across codebases that can be very hard to keep track of manually.
Overall, 64% of OSS components in the audited application codebases were transitive dependencies.
In addition, the report noted that a third of codebases contained open source components with no license or a customized license, which would likely require legal review.
Black Duck emphasized that if one transitive dependency in the chain uses a restrictive license, this can potentially affect the licensing of the entire application even if the direct dependency has a more permissive license.
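The following is an added illustration, not code from the report or from Black Duck, of how an SBOM-style audit walks a dependency graph to separate direct from transitive dependencies and to flag a restrictive license buried several levels down, or a component with no license at all. The package names, licenses and graph are constructed for the example.

```python
"""Walk a constructed dependency graph to find transitive dependencies and
license problems the way an SBOM-style audit would."""
from collections import deque

# Constructed sample: package -> (license, [direct dependencies]).
# "app" is the application being audited; everything else is open source.
SAMPLE_GRAPH = {
    "app":        ("Proprietary",  ["web-ui", "orm"]),
    "web-ui":     ("MIT",          ["dom-utils"]),
    "dom-utils":  ("MIT",          ["deep-copy"]),
    "deep-copy":  ("GPL-3.0",      []),  # restrictive, three levels down
    "orm":        ("Apache-2.0",   ["db-driver", "legacy-log"]),
    "db-driver":  ("BSD-3-Clause", []),
    "legacy-log": (None,           []),  # no license: needs legal review
}

# License categories assumed for this example; a real audit uses a policy table.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause"}
RESTRICTIVE = {"GPL-3.0", "AGPL-3.0"}


def resolve(graph, root):
    """Return {package: depth} for every component reachable from root.
    Depth 1 is a direct dependency; depth 2 or more is transitive."""
    depth = {}
    queue = deque((dep, 1) for dep in graph[root][1])
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:  # already reached by a shorter path
            continue
        depth[pkg] = d
        queue.extend((child, d + 1) for child in graph[pkg][1])
    return depth


def audit(graph, root="app"):
    """Classify each reachable component for a license review."""
    findings = {"transitive": [], "restrictive": [], "needs_review": []}
    for pkg, d in resolve(graph, root).items():
        lic = graph[pkg][0]
        if d > 1:
            findings["transitive"].append(pkg)
        if lic in RESTRICTIVE:
            # a restrictive license anywhere in the chain can affect the whole app
            findings["restrictive"].append((pkg, d))
        elif lic not in PERMISSIVE:
            findings["needs_review"].append(pkg)  # unlicensed or custom license
    return findings
```

Run against the sample graph, four of the six open source components are transitive, the GPL-3.0 component is reported with its depth, and the unlicensed logger is queued for review.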
The firm predicted that businesses can expect to see an increase in license conflicts in the coming years, with AI coding assistants offering another route for open source components to enter applications without proper source attribution and therefore without proper licensing.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.