An analysis of 965 commercial codebases across 16 industries conducted in 2024 finds that 86% of the codebases evaluated contained open-source software vulnerabilities, with 81% of those containing vulnerabilities known to be high- or critical-risk.
Conducted by Black Duck Software, a provider of code scanning tools, the analysis finds, more troublingly still, that 90% of audited codebases included open-source components that are more than four years out of date.
In total, the analysis finds the number of open-source files in an average application has also tripled in the last four years, from more than 5,300 in 2020 to more than 16,000 in 2024.
Mike McGuire, a senior manager at Black Duck, said while progress has been made in improving software supply chains, the sheer volume of open-source code with known vulnerabilities being added to code bases is becoming overwhelming.
The most frequently found source of vulnerabilities in codebases can be traced back to jQuery, a widely used JavaScript library, which accounts for eight of the top ten high-risk vulnerabilities. In all, 43% of the applications Black Duck scanned contained some version of jQuery, most of them outdated.
The issue, of course, is that application developers only have so much time to devote to upgrading and patching software components, and what time is made available is generally allocated to the simplest issues to resolve rather than the most critical.
Most application developers are also hesitant to update applications for fear that one dependency issue or another will cause the application to fail.
The issue is that, as organizations become more dependent than ever on software, the cost of a breach can exceed the cost of any downtime incurred by an application being offline. The only way to address that issue is to proactively test code long before it is added to a software build, said McGuire.
That approach will also make it simpler to identify software licensing conflicts, which are becoming more common, he added. The Black Duck analysis finds that 56% of the audited codebases contain license conflicts, and transitive dependencies caused nearly 30% of those conflicts. The analysis also finds that 33% of codebases contained open-source code with no license or a customized license. Only 77% of dependencies could be identified via package manager scanning, suggesting that the remainder were introduced to applications by other means, including AI coding assistants, noted McGuire.
At this stage, it is not especially feasible for most organizations to reduce their dependency on open-source software. Therefore, the only practical option is to more proactively scan that code for vulnerabilities and for licensing conflicts, which can raise a range of issues affecting intellectual property.
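A minimal form of such a pre-build check, added here as an illustration and not part of Black Duck's tooling or the report's data: it reads a constructed CycloneDX-style SBOM and flags components older than the report's four-year threshold, components with no SPDX license id (missing or custom), and which dependencies are transitive rather than direct. The `release-date` property and the sample versions and dates are assumptions for the example.

```python
import json
from datetime import date

# Constructed CycloneDX-style SBOM fragment. Versions, dates and the
# "release-date" property are made up for this example (assumed convention).
SBOM_JSON = """
{
  "metadata": {"component": {"bom-ref": "app"}},
  "components": [
    {"bom-ref": "pkg:npm/jquery@1.12.4", "name": "jquery", "version": "1.12.4",
     "licenses": [{"license": {"id": "MIT"}}],
     "properties": [{"name": "release-date", "value": "2016-05-20"}]},
    {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
     "licenses": [{"license": {"id": "MIT"}}],
     "properties": [{"name": "release-date", "value": "2021-02-20"}]},
    {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
     "licenses": [{"license": {"id": "WTFPL"}}],
     "properties": [{"name": "release-date", "value": "2018-04-26"}]},
    {"bom-ref": "pkg:npm/acme-utils@0.1.0", "name": "acme-utils", "version": "0.1.0",
     "licenses": [{"license": {"name": "Acme Internal License"}}],
     "properties": [{"name": "release-date", "value": "2023-01-01"}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/jquery@1.12.4", "pkg:npm/lodash@4.17.21"]},
    {"ref": "pkg:npm/lodash@4.17.21", "dependsOn": ["pkg:npm/left-pad@1.3.0"]},
    {"ref": "pkg:npm/left-pad@1.3.0", "dependsOn": ["pkg:npm/acme-utils@0.1.0"]}
  ]
}
"""

STALE_YEARS = 4                 # the report's "more than four years out of date"
AS_OF = date(2024, 12, 1)       # constructed audit date

def audit_sbom(sbom_json: str, today: date) -> dict:
    """Return stale components, components lacking an SPDX id, and the
    direct/transitive split of the dependency graph rooted at the app."""
    bom = json.loads(sbom_json)
    root = bom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    direct = set(edges.get(root, []))
    transitive, stack = set(), list(direct)
    while stack:                        # walk the graph below the direct deps
        for child in edges.get(stack.pop(), []):
            if child not in direct and child not in transitive:
                transitive.add(child)
                stack.append(child)
    report = {"stale": [], "unlicensed": [],
              "direct": sorted(direct), "transitive": sorted(transitive)}
    for c in bom["components"]:
        props = {p["name"]: p["value"] for p in c.get("properties", [])}
        if (today - date.fromisoformat(props["release-date"])).days > STALE_YEARS * 365:
            report["stale"].append(c["bom-ref"])
        # a license entry with only a free-text "name" is a custom license: flag it too
        if not any(l.get("license", {}).get("id") for l in c.get("licenses", [])):
            report["unlicensed"].append(c["bom-ref"])
    return report
```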
Regardless of approach, the one certain thing is that cybercriminals count on organizational inertia to keep providing them with plenty of opportunities to exploit codebases that are riddled with known vulnerabilities. The only wonder is how long it has taken them to exploit those vulnerabilities, in a way that will ultimately wreak far more havoc than any update to a more secure version of a software component ever could.