Over three quarters (78 percent) of the commercial codebases audited contained at least one open source vulnerability, according to the Open Source Security and Risk Analysis (OSSRA) report from Black Duck by Synopsys.
The report analyzed data from more than 1,100 commercial codebases audited in 2017. Almost all of them (96 percent) contained open source components, and the average codebase held 257 distinct open source components, a 75 percent increase over the previous edition.
The data shows that 78 percent of the codebases contained at least one open source vulnerability, up from 67 percent the previous year, and more than half of the vulnerabilities found (54 percent) were rated high risk.
Seventeen percent of the codebases in the OSSRA report contained at least one of a handful of widely publicized vulnerabilities (Heartbleed, POODLE, Logjam, FREAK and DROWN), despite the attention these bugs received in the preceding years. All five affect SSL/TLS implementations and all had fixes available for a year or more by the time of the 2017 audits, so a hit means the codebase ships a component version that was never updated, not a newly discovered flaw. Heartbleed, which affects the open source cryptographic library OpenSSL, turned up in 4 percent of the scanned codebases.
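As an added illustration (not code from the OSSRA report or from Black Duck), the following Python sketches the check behind a statistic like "Heartbleed found in 4 percent of codebases": compare the OpenSSL version bundled in each codebase against the affected range and count how many codebases match. The codebase names and the component inventory are constructed for this example; the only real advisory data is the Heartbleed range, OpenSSL 1.0.1 through 1.0.1f with 1.0.1g as the first fixed release (the 1.0.2-beta1 pre-release was also affected, but pre-release tags are deliberately left out of the parser here).

```python
"""Minimal known-vulnerability matching over a component inventory.

Added example, not code from the OSSRA report or from Black Duck. It shows
the core of what a software composition analysis (SCA) scan does: compare
the versions of the open source components bundled in each codebase against
published affected ranges, then report which codebases are exposed. Only the
Heartbleed range below is a real advisory fact; the component inventory and
the codebase names are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# OpenSSL's legacy release scheme: MAJOR.MINOR.FIX plus an optional patch
# letter, ordered 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g.  Pre-release tags
# such as "1.0.2-beta1" (also Heartbleed-affected) are deliberately out of
# scope and rejected rather than silently misordered.
_OPENSSL_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_openssl_version(text: str) -> tuple[int, int, int, int]:
    """Turn '1.0.1f' into a comparable tuple (1, 0, 1, 6).

    The unlettered release sorts as patch level 0, so 'a' is 1 and 'f' is 6.
    """
    match = _OPENSSL_VERSION.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, fix, letter = match.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


@dataclass(frozen=True)
class Advisory:
    component: str
    identifier: str
    first_affected: str  # inclusive lower bound
    first_fixed: str     # exclusive upper bound
    severity: str


# Real advisory data: Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1
# through 1.0.1f; 1.0.1g (April 2014) is the first fixed release.  The
# 0.9.8 and 1.0.0 branches were never affected.
HEARTBLEED = Advisory("openssl", "CVE-2014-0160 (Heartbleed)", "1.0.1", "1.0.1g", "high")

ADVISORIES = [HEARTBLEED]


def is_affected(version: str, advisory: Advisory) -> bool:
    """True when version lies in [first_affected, first_fixed)."""
    v = parse_openssl_version(version)
    lo = parse_openssl_version(advisory.first_affected)
    hi = parse_openssl_version(advisory.first_fixed)
    return lo <= v < hi


def scan(inventory: dict[str, list[tuple[str, str]]]) -> dict[str, list[str]]:
    """Map each codebase to the advisory identifiers its components match.

    inventory: codebase name -> list of (component name, version).
    Components with no advisory entry are skipped, just as an SCA tool
    reports nothing for components without known vulnerabilities.
    """
    findings: dict[str, list[str]] = {}
    for codebase, components in inventory.items():
        hits = []
        for name, version in components:
            for advisory in ADVISORIES:
                if advisory.component == name and is_affected(version, advisory):
                    hits.append(advisory.identifier)
        findings[codebase] = hits
    return findings


def share_affected(findings: dict[str, list[str]]) -> float:
    """Fraction of scanned codebases with at least one match; this is the
    shape of the report's 'Heartbleed in 4 percent of codebases' figure."""
    if not findings:
        return 0.0
    return sum(1 for hits in findings.values() if hits) / len(findings)


# Constructed inventory: four hypothetical codebases, each bundling OpenSSL.
SAMPLE_INVENTORY = {
    "billing-api":      [("openssl", "1.0.1e"), ("zlib", "1.2.8")],    # never moved past 1.0.1f
    "mobile-gateway":   [("openssl", "1.0.1g")],                       # first fixed release
    "media-transcoder": [("openssl", "1.0.0l"), ("libpng", "1.6.3")],  # unaffected branch
    "vr-client":        [("openssl", "1.1.0f")],                       # newer branch
}

if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    for codebase, hits in results.items():
        print(f"{codebase:18s} {', '.join(hits) or 'no known vulnerabilities'}")
    print(f"codebases affected: {share_affected(results):.0%}")
```

The version comparison is the part worth getting right: a naive string comparison would rank "1.0.1g" below "1.0.1" and miss the fixed release, which is exactly the kind of error that lets an unpatched OpenSSL slip through an inventory check.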
The report also notes that the industries with the highest share of codebases carrying high-risk vulnerabilities were Internet and Software Infrastructure (67 percent), Internet and Mobile Apps (60 percent), and Virtual Reality, Gaming, Entertainment and Media (50 percent).
Furthermore, OSSRA counts over 5,000 open source vulnerabilities disclosed in 2017, bringing the total reported since 2000 to about 40,000. Across all software, open source and proprietary alike, the number of publicly reported vulnerabilities more than doubled, from roughly 6,400 in 2016 to over 14,700 in 2017.
The term open source refers to software whose source code is publicly available, so that anyone can inspect, modify and redistribute it.