Black Duck recently published the tenth “Open Source Security and Risk Analysis” (OSSRA) report, an invaluable source of insights into how open source is used and the risks that come with it. As we hit this decade mark, it’s a great time to look back to when it all started and how the software industry has evolved.
In 2015, Black Duck had been auditing code for merger and acquisition (M&A) deals for almost a decade. At that time, acquirers’ main concerns were unknown open source code and potential legal exposure related to open source license compliance. Much of that concern came from a much-publicized GPL license infringement lawsuit that Cisco inherited with its half-billion-dollar acquisition of Linksys. Beyond M&A issues, tech companies were coming to accept their own developers’ use of open source and had begun to manage the process internally.
In 2014, the software world learned of the Heartbleed vulnerability in OpenSSL, the library that secured millions of web servers. A bug in the TLS heartbeat extension let a remote client read server memory with a single malformed message, so the flaw put many websites within reach of even unskilled attackers. Heartbleed served as a wake-up call and sparked a lot of discussion in stand-up scrums and boardrooms about open source use and risks. But at the time, available data about the scale of the problem was mostly anecdotal. Black Duck had a treasure trove of data from our years of M&A experience, and we decided to share our insights in the first OSSRA report.
The first report was pretty slim—just four pages. Black Duck had seen open source use ramping up for a decade. The 2015 report highlighted that 35% of a typical application was made up of open source, with an average of 105 open source components per app.
Fast forward to 2025, and those numbers have exploded. Now, over 70% of a typical application is made up of open source and there are 981 open source components per app. This surge is largely due to the rise of open source frameworks and package managers like npm, which have made it easier to incorporate open source code. Package managers have also led to the average file count of applications quadrupling in the last five years.
The 2015 report found that 75% of codebases had license conflicts—use of components in ways incompatible with their license terms. That number is down to 56% in the 2025 report, which is a sign of progress. However, the current report adds that 30% of codebases include code with no license or unclear terms that require legal review.
Open source vulnerabilities were found in 67% of applications in 2015. Even after all the publicity, Heartbleed was still in 10% of applications. In the 2025 report, the prevalence of vulnerabilities has grown to 86%, and the average number of vulnerabilities per app jumped from 22 to 154.
Part of this increase is due to the growing complexity and size of applications, but it also speaks to the challenge of managing open source vulnerabilities, which are disclosed continuously, often against components that have been in production for years. Companies have gotten better at staying on top of security issues; the average age of vulnerabilities has dropped from five years to just under three years. However, 90% of codebases still contain components that are more than four years out-of-date, a clear indication that open source update management remains a struggle.
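The figures quoted above (share of open source, components per app, vulnerabilities per app, average vulnerability age, components more than four years out of date) are all derived from a component inventory matched against advisories. The following added example shows how such metrics are computed; it is not Black Duck's code, data or methodology. The inventory, advisory list, placeholder advisory IDs, dates and snapshot date are all constructed, and "out of date" is assumed here to mean that the installed version is more than four years older than the newest upstream release.

```python
"""Compute OSSRA-style metrics over a component inventory (added example)."""
import re
from datetime import date

# Constructed snapshot date: ages are measured as of this day.
AS_OF = date(2025, 6, 1)

# Constructed inventory (not a real project). 'released' is the date of the
# installed version, 'latest' the date of the newest upstream release,
# 'loc' lines of code, 'open_source' marks third-party open source code.
INVENTORY = [
    {"name": "app-core", "version": "3.2.0", "open_source": False, "loc": 42_000,
     "released": date(2025, 1, 10), "latest": date(2025, 1, 10)},
    {"name": "libhttp", "version": "1.0.1e", "open_source": True, "loc": 58_000,
     "released": date(2013, 2, 11), "latest": date(2024, 9, 3)},
    {"name": "jsonparse", "version": "2.4.7", "open_source": True, "loc": 9_500,
     "released": date(2024, 11, 2), "latest": date(2025, 2, 14)},
    {"name": "tinylog", "version": "0.9.12", "open_source": True, "loc": 3_200,
     "released": date(2019, 6, 1), "latest": date(2021, 3, 20)},
    {"name": "cryptolite", "version": "4.1.0", "open_source": True, "loc": 27_300,
     "released": date(2025, 3, 5), "latest": date(2025, 3, 5)},
]

# Constructed advisories with placeholder IDs; affected range is inclusive.
ADVISORIES = [
    {"id": "CONSTRUCTED-0001", "component": "libhttp", "published": date(2014, 4, 7),
     "affected_min": "1.0.1", "affected_max": "1.0.1f"},
    {"id": "CONSTRUCTED-0002", "component": "libhttp", "published": date(2022, 10, 2),
     "affected_min": "1.0.0", "affected_max": "1.0.2"},
    {"id": "CONSTRUCTED-0003", "component": "tinylog", "published": date(2021, 3, 15),
     "affected_min": "0.9.0", "affected_max": "0.9.12"},
    {"id": "CONSTRUCTED-0004", "component": "jsonparse", "published": date(2023, 5, 1),
     "affected_min": "2.0.0", "affected_max": "2.4.6"},
]

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(text):
    """Turn '1.0.1e' into ((1, ''), (0, ''), (1, 'e')) so tuples compare in
    release order: 1.0.1 < 1.0.1e < 1.0.1f < 1.0.2. Parts without a leading
    number (e.g. 'rc1') are rejected; a real SCA tool needs each ecosystem's
    own version rules, which this toy parser does not implement."""
    parts = []
    for chunk in text.split("."):
        m = _PART.fullmatch(chunk)
        if not m:
            raise ValueError(f"unsupported version part {chunk!r} in {text!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return tuple(parts)


def is_affected(version, advisory):
    """True when the installed version falls inside the advisory's range."""
    v = parse_version(version)
    return parse_version(advisory["affected_min"]) <= v <= parse_version(advisory["affected_max"])


def find_vulnerabilities(inventory, advisories):
    """Match every component against every advisory for that component name."""
    hits = []
    for comp in inventory:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv):
                hits.append((comp["name"], adv["id"]))
    return sorted(hits)


def average_vulnerability_age_years(inventory, advisories, as_of):
    """Mean time since publication of the advisories that apply to the app."""
    by_id = {a["id"]: a for a in advisories}
    ages = [(as_of - by_id[adv_id]["published"]).days
            for _, adv_id in find_vulnerabilities(inventory, advisories)]
    return sum(ages) / len(ages) / 365.25 if ages else 0.0


def outdated_components(inventory, years=4):
    """Open source components whose installed version is more than `years`
    older than the newest upstream release (assumed definition)."""
    limit = years * 365.25
    return [c["name"] for c in inventory
            if c["open_source"] and (c["latest"] - c["released"]).days > limit]


def open_source_share(inventory):
    """Fraction of lines of code that come from open source components."""
    total = sum(c["loc"] for c in inventory)
    return sum(c["loc"] for c in inventory if c["open_source"]) / total


def summarize(inventory, advisories, as_of):
    return {
        "open_source_components": sum(1 for c in inventory if c["open_source"]),
        "open_source_share": open_source_share(inventory),
        "vulnerabilities": len(find_vulnerabilities(inventory, advisories)),
        "avg_vuln_age_years": average_vulnerability_age_years(inventory, advisories, as_of),
        "outdated_components": outdated_components(inventory),
    }


if __name__ == "__main__":
    for key, value in summarize(INVENTORY, ADVISORIES, AS_OF).items():
        print(f"{key}: {value}")
```

Note that the jsonparse advisory does not fire because the installed version is one patch release past the affected range; that is exactly the kind of precise version matching a lock file or SBOM makes possible and a directory listing does not.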
Looking ahead, we expect that the supply of open source will continue to multiply and applications will become more complex. The portion of a codebase that is open source has stabilized at 70% to 75% for tech companies in M&A transactions, though it is higher for internal enterprise apps. Future OSSRA reports will likely focus on how open source is incorporated, with package managers becoming even more important. Tools like Black Duck® SCA will become more popular.
AI in software development is also already shaking things up. Generative AI is increasingly being used to write code, and AI models, including many open source ones, are being integrated into applications. This brings new challenges, since models and their weights are themselves third-party components with licenses and provenance to track, but also opportunities for better management. AI may eventually shape the OSSRA findings more directly, but human analysis will remain central to the next few editions.
So here’s to the future of open source and the insights that the OSSRA report will continue to provide.