Open source software makes up more than half of the enterprise codebases analyzed in 13 out of 17 industries, according to this year’s Open Source Software Risk Assessment study by the Black Duck Audit Services team at code quality analysis software provider Synopsys. But this increase in use also points to increased risk, because patches that close known vulnerabilities often are not applied.
Black Duck Audits found open source code in 96 percent of the codebases it analyzed, and in 99 percent of the codebases consisting of more than 1,000 files. The marketing tech sector led the way, with an average of 78 percent open-source code in enterprise codebases there. Internet and mobile apps were next at 74 percent, and open source accounted for 70 percent of the codebases in cybersecurity.
The most-used open-source component in 2018 was jQuery, found in 56 percent of the codebases and across almost all industries included in the study. The next most-common components found in the analysis were Bootstrap (40 percent), jQuery UI (32 percent) and Font Awesome (26 percent). jQuery, though, was also the component most likely to carry identified vulnerabilities, the study found.
The Black Duck team, which has been analyzing open-source software vulnerabilities in this report for more than 15 years, notes that open-source communities do a good job of issuing patches, but organizations often don’t apply them because in many cases they are not aware of the open-source components developers are bringing into enterprise code. In its M&A due diligence work, the Black Duck Audit Services team has found that 95 percent of scans reveal open source that the enterprise didn’t know was there.
This year’s study found that 60 percent of the codebases analyzed had vulnerabilities, down from 78 percent in 2017. Interestingly, the report found that CVE-2000-0388, a 28-year-old high-risk vulnerability in FreeBSD first disclosed in 1990, is the oldest vulnerability found. In fact, 43 percent of the codebases analyzed in 2018 had vulnerabilities that have been known for more than 10 years.
Further, the study revealed that 85 percent of the open-source components found in enterprise codebases were more than four years out of date and had seen no development activity in the past two years.
Another challenge of using open-source software is that there can be licensing conflicts. The study found that 68 percent of the codebases used components with license conflicts, the most common being GNU General Public License (GPL) violations. The report noted that this could be because the GPL is one of the most commonly used open-source licenses and one of the most likely to conflict due to its terms of use.
It also found that 38 percent of the components found in enterprise codebases were not licensed, and 32 percent had custom licenses created by the components’ developers that could conflict with the licenses of other components.
In the audit’s conclusion, Synopsys wrote: “Open source offers a plethora of benefits to organizations that use it—but only if they track what open source components they’re using and identify any related security and legal compliance issues.”