The company’s annual Open Source Security and Risk Analysis report finds widespread use of open source components with high-risk vulnerabilities.

Nearly three-quarters of codebases assessed for risk by Synopsys in 2023 contained open source components with high-risk vulnerabilities, according to a just-released report from the company, a provider of application security testing tools.

While the number of codebases with at least one open source vulnerability remained consistent year over year at 84%, Synopsys said, the number that contained high-risk vulnerabilities increased dramatically, from 48% in 2022 to 74% in 2023. Synopsys defines high-risk vulnerabilities as vulnerabilities that have been exploited, have documented proof-of-concept exploits, or have been classified as remote code execution vulnerabilities.

These findings were included in the company’s ninth annual Open Source Security and Risk Analysis (OSSRA) report, unveiled on February 27. The report is based on data from a Synopsys Black Duck Audit Services team analysis of anonymized findings from 1,067 codebases across 17 industries in 2023. The team audits thousands of customer codebases annually, with the goal of identifying software risks during merger and acquisition transactions.

Other findings in the Open Source Security and Risk Analysis report:

- Organizations often depend on outdated or inactive open source components, with 91% of codebases containing components that were 10 or more versions out of date, and 49% of codebases containing components that had no development activity within the past two years.
- Nearly a quarter of codebases had vulnerabilities more than 10 years old.
- The computer hardware and semiconductor industry had the highest percentage of high-risk open source vulnerabilities (88%), followed by manufacturing, industrials, and robotics at 87%.
- Among AI, business intelligence, machine learning, and big data companies, 66% of codebases were impacted by high-risk vulnerabilities.
- Eight of the top 10 vulnerabilities involved improper neutralization weaknesses, a weakness type that includes cross-site scripting.
- More than half of codebases were using code with open source license conflicts, and 31% had either no discernible license or a customized license.
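As an added illustration, not code from the article or from Synopsys, the following Python routine applies the report's definitions as described above (high-risk vulnerability, 10 or more versions out of date, no activity for two years, vulnerability older than 10 years) to a constructed component inventory; the component names, dates and vulnerability ids are placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
# Thresholds as the article describes the report's definitions.
VERSIONS_BEHIND_THRESHOLD = 10   # "10 or more versions out of date"
INACTIVE_YEARS = 2               # "no development activity within the past two years"
OLD_VULN_YEARS = 10              # "vulnerabilities more than 10 years old"

@dataclass
class Vulnerability:
    vuln_id: str          # placeholder identifier, not a real CVE
    published: date
    exploited: bool = False
    has_poc: bool = False
    is_rce: bool = False

    def is_high_risk(self) -> bool:
        # Report definition: exploited, documented PoC, or classified as RCE.
        return self.exploited or self.has_poc or self.is_rce

@dataclass
class Component:
    name: str
    versions_behind: int
    last_activity: date
    vulns: list = field(default_factory=list)

def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25

def assess_codebase(components, today):
    """Codebase-level flags matching the categories the report counts."""
    vulns = [v for c in components for v in c.vulns]
    return {
        "has_vuln": bool(vulns),
        "has_high_risk_vuln": any(v.is_high_risk() for v in vulns),
        "has_outdated_component": any(c.versions_behind >= VERSIONS_BEHIND_THRESHOLD for c in components),
        "has_inactive_component": any(years_between(c.last_activity, today) > INACTIVE_YEARS for c in components),
        "has_decade_old_vuln": any(years_between(v.published, today) > OLD_VULN_YEARS for v in vulns),
    }

# Constructed sample inventory; names, dates and ids are made up, not report data.
TODAY = date(2023, 12, 31)
SAMPLE = [
    Component("example-parser", 12, date(2020, 5, 1),
              [Vulnerability("VULN-0001", date(2012, 3, 1), has_poc=True)]),
    Component("example-http", 2, date(2023, 11, 15),
              [Vulnerability("VULN-0002", date(2023, 9, 1))]),
    Component("example-util", 0, date(2023, 12, 1)),
]
```

Running `assess_codebase(SAMPLE, TODAY)` flags the sample codebase in every category because of the stale `example-parser` component, while `example-http` alone is vulnerable but not high-risk.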