Synopsys Study Highlights Top Challenges in Managing Open Source Risk in Software Supply Chains

Analysis of 2,400+ Commercial and Proprietary Codebases Reveals Decreased Licensing and Open Source Vulnerability Risks, But 88% of Organizations Still Lag in Keeping Open Source Current

MOUNTAIN VIEW, Calif., April 12, 2022 /PRNewswire/ — Synopsys, Inc. (Nasdaq: SNPS) today released the 2022 Open Source Security and Risk Analysis (OSSRA) report. The report, produced by the Synopsys Cybersecurity Research Center (CyRC), examines the results of more than 2,400 audits of commercial and proprietary codebases from merger and acquisition transactions, conducted by the Black Duck® The Audit Services team. The report highlights trends in open source usage in commercial and proprietary applications and provides insights to help developers better understand the interconnected software ecosystem. It also details widespread risks posed by unmanaged open source, including security vulnerabilities, outdated or discontinued components, and licensing compliance issues.

The findings of the OSSRA 2022 report underscore the fact that open source is used everywhere, in every industry, and forms the foundation of every application built today.

  • Outdated open source remains the norm, including the presence of vulnerable versions of Log4j. From an operational/maintenance risk perspective, 85% of the 2,097 codebases contained open source that was obsolete for more than four years. 88% used components that were not the latest version available. 5% contained a vulnerable version of Log4j.
  • Codebases assessed show that open source vulnerabilities are decreasing overall. 2,097 of the codebases assessed included security and operational risk assessments. There has been a more dramatic decrease in the number of codebases containing high-risk open source vulnerabilities. 49% of codebases audited this year contained at least one high-risk vulnerability, up from 60% last year. Additionally, 81% of codebases assessed contained at least one known open source vulnerability, a minimum decrease of 3% from OSSRA 2021 findings.
  • License conflicts are also decreasing overall. More than half (53%) of codebases contained license conflicts, a substantial decrease from the 65% observed in 2020. In general, specific license conflicts generally decreased between 2020 and 2021.
  • 20% of the codebases evaluated contained open source without a license or with a custom license. Since a software license governs the right to use it, unlicensed software presents the dilemma of whether there is any legal risk in using the open source component. Additionally, custom open source licenses may impose undesirable requirements on the licensee and will often require legal assessment for possible intellectual property issues or other implications.

“SCA users focused their attention on reducing open source license issues and fixing high-risk vulnerabilities, and this effort is reflected in the decrease we’ve seen this year in license conflicts and high-risk vulnerabilities, said Tim mackeychief security strategist with the Synopsys Cybersecurity Research Center. “The fact remains that more than half of code bases that we audited still contained license conflicts and almost half still contained high-risk vulnerabilities. Even more disturbing was that 88% of code bases [with risk assessments] contained outdated versions of open source components with an available update or patch that has not been applied.”

“There are justifiable reasons for not keeping the software completely up to date,” Mackey continued. “But unless an organization maintains an accurate and up-to-date inventory of the open source used in its code, an outdated component may be overlooked until it becomes vulnerable to a high-risk exploit, and then the scramble to identify where it is is precisely what happened with Log4j, and why software supply chains and software bill of materials (SBOM) are hot topics.”

To learn more about the potential risks associated with open source software and how to address them, download a copy of the OSSRA 2022 report, read the blog post, or register for the April 28 webinar.

About Synopsys Software Integrity Group

Synopsys Software Integrity Group provides integrated solutions that transform the way development teams create and deliver software, accelerating innovation while addressing business risk. Our industry-leading portfolio of software security products and services is the most comprehensive in the world and interoperates with third-party and open-source tools, allowing organizations to leverage existing investments to create the security program that works best for them. . Only Synopsys offers everything you need to build trust in your software. Learn more about www.synopsys.com/software.

About Synopsys

Synopsys, Inc. (Nasdaq: SNPS) is the Silicon to Software™ partner for innovative companies that develop the electronic products and software applications we rely on every day. As an S&P 500 company, Synopsys has long been a global leader in electronic design automation (EDA) and semiconductor intellectual property and offers the broadest portfolio of testing tools and services in industry application security. Whether you’re a system-on-chip (SoC) designer creating advanced semiconductors or a software developer writing more secure, high-quality code, Synopsys has the solutions to deliver innovative products. Learn more aboutwww.synopsys.com.

Editorial Contact:
Liz Samet
Synopsys, Inc.
336-414-6753
[email protected]

SOURCE Synopsys, Inc.