A majority of codebases contain outdated components, or “zombie code,” which can result in unpatched vulnerabilities lingering long after they should have been fixed.

According to Synopsys’ Open Source Security and Risk Analysis report, which was released today, 91% of codebases contain components that are at least 10 versions out-of-date.

Furthermore, 49% of codebases contain components that haven’t had any development activity in the last two years. 

The mean age of open source vulnerabilities in the codebases surveyed was 2.5 years old, though almost a quarter of the codebases had a vulnerability over 10 years old. 

The overall security has also worsened year-over-year. In Synopsys’ 2022 report, 48% of codebases had high-risk vulnerabilities, and in 2023 the number jumped to 74%. Synopsys attributes this increase to factors such as layoffs affecting tech workers, which has resulted in there being fewer developers available to fix these issues. 

“This year’s OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals,” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain.”

Another finding of the report is that companies are struggling with open-source license compliance. Fifty-three percent of the codebases have open-source license conflicts and 31% have either no known license or a custom license. 

The report also found that eight of the top 10 vulnerabilities can be attributed to one vulnerability type: Improper Neutralization.