Open-source vulnerabilities widespread in codebases, report finds

The complexity of using open-source tools in development makes the case for SBOM adoption, according to Synopsys.
They might seem impenetrable, but every video game boss usually has a weak spot or two. Unfortunately, the same goes for open-source code and the codebases into which it is integrated. According to a new report from security firm Synopsys, at least 84% of codebases have at least one open-source vulnerability, and 48% have high-risk vulnerabilities, meaning ones with known exploits or ones classified as allowing remote code execution.

Synopsys’s 2023 Open Source Security and Risk Analysis report found continued evidence that as use of open-source code continues to grow, so too does the amount of that code that is vulnerable or outdated. The data is derived from merger and acquisition audits of 1,481 codebases for vulnerability and compliance (as well as an additional 222 that were audited for compliance only) across 17 industries in 2022. The overwhelming majority (96%) contained open-source code.

Approximately 91% of the codebases analyzed for vulnerabilities contained outdated open-source components, meaning developers had access to updates or patches but had not applied them. An identical percentage contained open-source code with no development activity within the last two years, indicating that its maintainers had most likely abandoned it.

Mike McGuire, senior software solutions manager at Synopsys, told IT Brew that open source has skyrocketed in popularity because it allows developers to focus on custom code and beat competitors to market—but it also places the onus for regular maintenance, upgrades, and patching on the user.

“We’re seeing significant numbers of software vulnerabilities, significant numbers of license conflicts, and code quality and maintenance issues,” McGuire said. “And we’re seeing these across every industry. This probably comes down to a simple fact that the scale of open source usage has just extremely outpaced any manual efforts to identify these components and track your obligations.”

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

Developers may decide not to update old open-source code because patches could have downstream impacts on functionality, McGuire told IT Brew, or because they’ve decided certain vulnerabilities aren’t priorities for resolution (such as code running in closed systems). In many cases, they simply lack visibility into which components are outdated, or even what’s in their codebases at all. The codebases in Synopsys’s 2023 report had an average of 595 open-source components each, most of which are transitive dependencies pulled in to support the components developers actually chose.

“Of those 595 components per application, only a few of those, maybe a handful—10, 20, 30, 100 absolute tops—were actually chosen to be brought in by development teams,” McGuire said.
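The visibility gap McGuire describes is exactly what an SBOM is meant to close. As an added illustration (not code from the article or from Synopsys), the script below walks a constructed, CycloneDX-style dependency graph, separates the handful of direct components from the transitive ones they drag in, and flags components with no release in two years; the `last_release` field is an assumption standing in for data a real tool would fetch from package metadata.

```python
"""Inventory an SBOM: split direct from transitive components and flag
components that look unmaintained (no release within two years)."""
from datetime import date

STALE_AFTER_DAYS = 365 * 2

# Constructed sample; names, versions and dates are made up. The shape follows
# CycloneDX (components + a dependencies graph keyed by bom-ref), but
# "last_release" is not a CycloneDX field and is assumed here for illustration.
SAMPLE_SBOM = {
    "metadata": {"component": {"bom-ref": "app"}},
    "components": [
        {"bom-ref": "web-fw@4.2.0", "last_release": "2022-11-02"},
        {"bom-ref": "json-util@1.0.3", "last_release": "2019-06-14"},
        {"bom-ref": "log-lib@2.7.1", "last_release": "2021-03-30"},
        {"bom-ref": "str-pad@0.1.0", "last_release": "2016-01-20"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["web-fw@4.2.0", "log-lib@2.7.1"]},
        {"ref": "web-fw@4.2.0", "dependsOn": ["json-util@1.0.3"]},
        {"ref": "json-util@1.0.3", "dependsOn": ["str-pad@0.1.0"]},
        {"ref": "log-lib@2.7.1", "dependsOn": []},
    ],
}


def classify(sbom):
    """Return (direct, transitive) sets of bom-refs reachable from the root."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    direct = set(edges.get(root, []))
    seen, stack = set(), list(direct)
    while stack:  # depth-first walk; the seen-set also guards against cycles
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return direct, seen - direct


def stale_components(sbom, today):
    """bom-refs whose last release is older than STALE_AFTER_DAYS before today."""
    cutoff = today.toordinal() - STALE_AFTER_DAYS
    return sorted(c["bom-ref"] for c in sbom["components"]
                  if date.fromisoformat(c["last_release"]).toordinal() < cutoff)


def report(sbom, today):
    direct, transitive = classify(sbom)
    return {"direct": sorted(direct), "transitive": sorted(transitive),
            "stale": stale_components(sbom, today)}
```

Run against the sample with `report(SAMPLE_SBOM, date(2023, 3, 1))`: two components were chosen directly, two arrived transitively, and both stale components sit in the transitive layer that teams rarely look at.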

The Synopsys report also found significant progress has been made dealing with another potential issue with open-source code: licensing. Approximately 54% of all codebases audited in 2022 contained open source with license conflicts, down from 65% in 2020. Failure to comply with the license terms of open-source software—or unlicensed use of snippets or partial components—can expose organizations to the risk of copyright infringement action.

The most common licensing issues observed by Synopsys were some kind of conflict with Creative Commons Attribution ShareAlike 3.0 and 4.0, followed by conflicts with GNU Lesser General Public License and Apache License.—TM