Download the OSSRA
“2025 Open Source Security and Risk Analysis” Report
Insights into open source security trends and recommendations for securing your software supply chain
Open source software (OSS) has revolutionized application development, providing a vast repository of prebuilt components that offer numerous benefits such as cost savings, flexibility, and scalability. However, with all those benefits comes risks that every organization using open source needs to be prepared to acknowledge and address.
The 2025 “Open Source Security and Risk Analysis” (OSSRA) report details key findings from Black Duck® audit data, including security vulnerabilities, licensing issues, component maintenance, and industry trends. Our analysis shows that open source is ubiquitous, and that it can introduce significant risk unless properly identified and managed.
Who Should Read This Report
The findings of this report will be beneficial for a variety of readers, particularly those involved in securing the software supply chain, as well as those directly involved in software development, security and risk management, and merger and acquisition (M&A) activities.
Developers will gain insights into the types of vulnerabilities that we found prevalent in open source software, such as cross-site scripting (XSS) and denial-of-service (DoS) vulnerabilities. For example, the OSSRA report highlights the importance of following input validation and sanitization techniques, which can help developers build more-secure applications.
Further, this report identifies the most common open source components containing vulnerabilities, which will aid developers in making informed decisions when selecting open source libraries and frameworks. For example, development teams should be aware that our data shows that jQuery, jackson-databind, and the Spring Framework often include vulnerabilities that require regular management and patching.
OSSRA 2025 also emphasizes the risks associated with using out-of-date components and the need for all organizations to implement a process for timely updates. As one example, 90% of audited codebases were found to have open source components more than four years out-of-date. Outdated components magnify security risk, provide attackers with an expanded attack surface, and create compliance and compatibility issues. The presence of older open source also suggests that developers are not taking advantage of software improvements and are relying on code that is no longer being maintained.
Readers with a security focus can leverage the data presented in OSSRA 2025 to improve their vulnerability management processes. For example, the report identifies the top common vulnerabilities and exposures (CVEs) found in our audits, as well as their relationship to common software weaknesses (CWEs).
Risk management professionals can use OSSRA data to inform their strategic decisions about open source software adoption and risk mitigation. The ability to compare vulnerability percentages and other metrics across industries can help risk managers pinpoint areas where their organization is performing well or needs improvement.
The OSSRA data, primarily derived from analysis of M&A targets’ code, provides key insights for professionals involved in merger and acquisition transactions into the kinds of issues they may be taking on in their own transactions, such as common open source license conflicts, the security posture of the target company, and potential operational challenges that could impact the target’s IP value.
What You’ll Learn and Why It Matters
There’s much more open source in your software than you think: Ninety-seven percent of the codebases we evaluated contained open source, with an average 911 OSS components found per application. From an industry perspective, the percentages ranged from 100% in the Computer Hardware and Semiconductors, EdTech, and Internet and Mobile Apps sectors, to a “low” of 79% for Manufacturing, Industrials, and Robotics.
Open source codebases are getting bigger and more complicated: Our data shows that the number of open source files in an average application has tripled in just the last four years. One of the reasons behind this is the use of “transitive dependencies”—open source libraries that other software components rely on to function. Open source frequently uses other open source. Our audits found that 64% of open source components identified in our scans were transitive dependencies, most nearly impossible to locate or track without using an automated tool. Finding all instances of a transitive dependency can be like searching for a needle in a haystack when you lack an up-to-date inventory of third-party code.
Where all this open source is coming from: Our audits show that the majority of open source is being downloaded from package manager repositories. Over 280,000 of the nearly 1 million OSS components found in our audits originated from one such repository—npm, a massive public database of JavaScript packages.
Whether you think of open source as “free” or not, it comes at a cost: The odds are better than 80% that an application your organization is using right now contains high- or critical-risk open source vulnerabilities, with nearly half of those introduced by transitive dependencies.
Transitive dependencies present licensing and maintenance issues as well as security challenges: Our audits found that over half the codebases contained license conflicts, many caused by a transitive dependencies’ incompatibility with another component’s license. Nearly 30% of component license conflicts found in our audits were caused by transitive dependencies.
Static application security testing (SAST) and dynamic application security testing (DAST) can help identify coding errors: These testing methods can find errors such as input validation and sensitive information exposure, and mistakes like not encrypting important data when it’s being sent over the internet, outdated or weak encryption methods, and failing to properly protect passwords or other secret information.
Every organization using web applications and services should be evaluating them with software composition analysis (SCA) and DAST tools: Development and security teams need to implement a multifaceted security approach integrating DAST, SAST, and SCA to achieve the comprehensive security coverage modern software demands. Our findings indicate that if such a full-spectrum approach were applied, potential exposure to critical vulnerabilities would be markedly reduced.
Building a software Bill of Materials with Black Duck
Apr 20, 2024/5 min read
A necessary step in securing an application is evaluating the supply chain of each component used to create the application—no matter how many hands were involved in its development. If any links in the supply chain are obscured, it can be difficult to confidently assess the amount of risk that an application is susceptible to. By building a software Bill of Materials (SBOM), a development organization arms itself and consumers with information crucial to better understanding the risk associated with a particular application. From there, they’re better situated to avoid and react to security breaches and policy violations.
Meeting standards and building trust with an SBOM
Black Duck® makes it easier for users to secure the software supply chain by enabling them to quickly build and export SBOMs in formats such as SPDX and CycloneDX. These standardized SBOM formats provide the information necessary to comply with NIST standards, as referenced in Executive Order 14028. This executive order is geared toward providing more transparency between the government and the private sector with respect to software security. One of the steps to achieving this transparency is requiring vendors to provide SBOMs to the purchasers of their products in a standard, machine-readable format.
While the executive order only applies to software being procured and operated by the United States Federal Government, we have every reason to expect certain aspects of it, like the SBOM requirements, will become de facto standards across the entire software development industry. Being prepared to produce the most accurate and compliant SBOM today represents a significant step toward gaining the trust of your consumers.
Importing third-party SBOMs
Before we can discuss exporting SBOMs, we must first acknowledge that a complete and accurate SBOM includes all application dependencies. This means that third-party and custom components should be included, as well as open source libraries included by your development teams. While open source does make up the vast majority of the modern application, many development teams still rely heavily on vendor-supplied components, like libraries, SKDs, drivers, and so on. If these components are not accounted for in the SBOM shipped with the finished application, complete visibility of supply chain risk has not been obtained. The good news is, most vendors can be reasonably expected to provide SBOMs for these components. But, as the consumer of this software, you need the tools and processes for effectively leveraging the information provided by these SBOMs, and making sure it is perpetuated into the SBOMs that you generate.
Black Duck SCA enables teams to import third-party SBOMs so that the included components can be added to relevant projects, continuously analyzed for risk, and added to any reports or SBOMs generated as part of the application lifecycle. Additionally, for custom components that don’t already exist in the open source KnowledgeBase, Black Duck will automatically create an associated component, and identify it in any future scans. With Black Duck, development and security teams can establish complete visibility of their supply chains, so that they can effectively manage risk and communicate application composition to their own consumers.
Exporting an SBOM with Black Duck
When users scan a project or application with Black Duck, they’re provided with a dashboard displaying all the software components identified. Included in this list is information about each component’s license and relationships, among other details. Since an SBOM, in the simplest terms, is a list of ingredients for a piece of software, this dashboard is the most intuitive spot for generating such list. Users simply navigate to the “Reports” tab, choose the option to create an SBOM, and pick the desired format. Within seconds, an SBOM for the project is created and ready to be downloaded.
The screenshots below show how we created an SBOM for a sample application in five easy clicks.
The components dashboard is for our demo application, Insecure Bank. You can see information about which dependencies were identified, how they were introduced into the application, and which license is associated with them. Looks like we’ve discovered some problematic Log4j versions as well!
Any generated reports or SBOMs are saved in the Reports tab. This helps provide a single source of truth, and makes it easier to track any deltas in these SBOMs over time.
Any generated reports or SBOMs are saved in the Reports tab. This helps provide a single source of truth, and makes it easier to track any deltas in these SBOMs over time.
Regardless of whether you choose SPDX or CycloneDX, your resulting SBOM will be a JSON file. This helps it maintain standards and machine readability. There are countless JSON viewers available. Here’s a view of our resulting SBOM in Firefox, which kindly formatted it for us. In this snippet, you can see those problematic Log4J components, and additional information like the related license.
What comes after SBOM generation?
You’ve created or received an SBOM, so what do you do with it? This is a question that can be answered by looking back at our example with the problematic Log4j components. Although most of us have heard of the Log4j zero-day vulnerability disclosed last December, let’s pretend we haven’t. By looking at the screenshot of the SBOM, you see that we have Apache Log4j 2.17.0, but what you don’t see is any information about associated risk.
One of the key considerations when choosing an SBOM generation tool and assembling a software supply chain risk management strategy is how you will put that SBOM to work. SBOMs themselves are crucial aspects of obtaining visibility and mitigating risk, but they do not communicate risk. Even with the increased adoption of supplemental information, like Vulnerability Exploitability eXchange (VEX), the only way to truly connect the dots between an SBOM and associated risk is with a SCA solution.
Building the best SBOM
Your SBOM is only going to be as trustworthy as the methods used to identify dependencies, the tools used to address associated risk, and the sources leveraged to do so. To see how Black Duck is continually innovating to lead the pack in each of those areas, and help teams manage all software supply chain risks, see our blog about the release of our new Supply Chain Edition.
-This blog was reviewed by Patrick Carey.
Download the report now
Black Duck is a Leader in the 2024 Forrester Wave™ for SCA
Black Duck® has been recognized as a Leader in The Forrester Wave™: Software Composition Analysis, Q4 2024, based on an evaluation of Black Duck® SCA, our software composition analysis (SCA) solution.
Based on an evaluation conducted by an independent research firm, this report evaluated the top 10 SCA providers against 25 criteria grouped into two high-level categories.
- Current offering
- Strategy
The report includes how SCA providers were evaluated based on their comprehensive, enterprise-class SCA capabilities, including their ability to prioritize and remediate open source license risk and vulnerabilities, integrate with common SDLC automation tools, generate Software Bills of Materials (SBOMs), and more.
