Synopsys’ latest OSSRA report unveils a concerning surge in high-risk open source vulnerabilities within commercial codebases, prompting calls for strengthened cybersecurity measures across industries to safeguard against exploitation.
28 February 2024 – Synopsys has unveiled its ninth annual “Open Source Security and Risk Analysis” (OSSRA) report, shedding light on a concerning trend: nearly three-quarters of commercial codebases analyzed for risk contain open source components affected by high-risk vulnerabilities, indicating a significant rise from the previous year. The report, conducted by the Synopsys Cybersecurity Research Center (CyRC), draws insights from over 1,000 commercial codebase audits across 17 industries, providing a comprehensive overview of the open source landscape, including trends, security vulnerabilities, and licensing risks.
While the percentage of codebases with at least one open source vulnerability remained consistent at 84%, the prevalence of high-risk vulnerabilities surged in 2023. Factors such as economic instability and workforce reductions may have contributed to this increase, with the percentage of codebases featuring high-risk open source vulnerabilities rising from 48% in 2022 to a staggering 74% in 2023.
Jason Schmitt, General Manager of Synopsys Software Integrity Group, expressed concern over the uptick in high-risk open source vulnerabilities, emphasizing the critical importance of maintaining proper software hygiene to bolster the security of the software supply chain. The report also uncovers additional alarming trends, including widespread dependence on outdated or inactive open source components, challenges in license compliance, and the prevalence of Improper Neutralization weaknesses, highlighting areas for improvement in cybersecurity practices across industries.
Key findings from the 2024 OSSRA report include:
- “Zombie code” apocalypse: Ninety-one percent of codebases contained outdated or inactive open source components, with nearly half (49%) featuring components that had seen no development activity in the past two years. The mean age of open source vulnerabilities in codebases exceeded 2.5 years, with a significant portion dating back over a decade.
- High-risk vulnerabilities across industries: Critical sectors were particularly exposed, with 88% of codebases in Computer Hardware and Semiconductors and 87% of codebases in Manufacturing, Industrials, and Robotics impacted by high-risk open source vulnerabilities. Even industries lower on the list, such as Aerospace, Aviation, Automotive, Transportation, and Logistics, were not immune, with a third (33%) of codebases affected.
- License compliance challenges: Over half (53%) of codebases encountered open source license conflicts, while 31% used code with either no identifiable license or a customized license. Noncompliant licenses pose risks such as intellectual property loss and product delays, underscoring the importance of robust license management practices.
- Common vulnerability weaknesses: Eight of the top 10 vulnerabilities identified trace back to Improper Neutralization weaknesses (CWE-707), including various forms of cross-site scripting vulnerabilities. Addressing these vulnerabilities is crucial to mitigating potential exploitation and safeguarding software integrity.
In light of these findings, Synopsys advocates for enhanced software security measures, urging organizations to prioritize vulnerability management, update outdated components, and ensure compliance with open source licenses to mitigate cybersecurity risks effectively.