✕ Thank You Thank you! A link to your copy of the report has been sent to the email address you provided.
When development outpaces security
The 2026 “Open Source Security and Risk Analysis” (OSSRA) report reveals the biggest increase yet in open source security, licensing, and operational risk. With the amount of AI-generated code increasing faster than teams can govern it, risk is accelerating across security, legal, and compliance.
What you need to know
Growth in open source vulnerabilities per codebase
Of codebases contained at least one vulnerability
Increase in open source component counts
Of codebases contained open source license conflicts
OSSRA 2026 report highlights
Our expert breaks down the key findings from this year’s report and what it means for your organization.
The complete risk landscape
AI accelerates risk
AI coding assistants offer undeniable speed and productivity. But they’re also creating a backlog of unmanaged threats and driving a historic surge in vulnerabilities.
Licensing risk surges
Last year saw the sharpest surge in licensing conflicts in the report’s history, fueled in part by “license laundering”—AI assistants generating code snippets from copyleft sources without retaining the original license info.
Governance gap
Developers are using AI models but lack the governance to know where and when they’re being used. Without modernized governance to inventory AI, organizations will struggle to meet regulatory demands.
Zombie component problem
Abandoned components pose significant risks because there is no one to fix new vulnerabilities. Teams are forced to fork projects, refactor the app, or accept the risk, none of which are easy or inexpensive.
The pace at which software is created now exceeds the pace at which most organizations can secure it.”
Take control of your AppSec risks
Black Duck SCA
Backed by our comprehensive KnowledgeBase™, Black Duck® SCA offers unmatched insight into open source and AI models by combining multimethod detection with deep vulnerability, license, and supply chain intel.
Black Duck Polaris Platform
Black Duck Polaris™ Platform enables unified SAST, SCA, and DAST scanning with intelligent prioritization, so developers can spend less time sorting through noise and more time fixing the issues that matter—right in their IDE, pipelines, and SCMs.
Black Duck Assist™
Black Duck Assist provides AI-powered fix guidance backed by the industry’s deepest open source KnowledgeBase, providing accurate insights, real-time fixes, and remediation guidance inside existing developer workflows.
Black Duck Signal™
Powered by ContextAI™, with 20+ years of human-curated intelligence, Black Duck Signal delivers AI-driven security for modern dev teams using language-agnostic, agentic AI to find and fix issues without noise or AI hallucinations.
FAQ
-
What is the OSSRA report?
The "Open Source Security and Risk Analysis" (OSSRA) report analyzes open source security trends, vulnerabilities, and compliance issues found in real-world codebases. Now in its tenth edition, the 2025 OSSRA report examines over 900 codebases across 17 industries to help security, legal, risk, and development teams better understand and manage open source risk in their software supply chains.
-
What does OSSRA stand for?
OSSRA stands for Open Source Security and Risk Analysis. The OSSRA report analyzes security vulnerabilities and license compliance risks associated with open source software usage.
-
Who publishes the OSSRA report?
The OSSRA report is published annually by Black Duck, a leader in software composition analysis and open source security solutions.
-
What does the OSSRA report cover?
The OSSRA report provides comprehensive insights into
· Prevalent vulnerability types in open source software
· Current licensing and compliance challenges
· Best practices for securing your software supply chain
· The role of software composition analysis tools in generating accurate Software Bills of Materials
· Industry-specific trends across sectors
-
Who should read the OSSRA report?
The OSSRA report is designed for security teams, legal departments, risk management professionals, and development teams that need to understand and manage open source security and license compliance in their organizations. It's particularly valuable for anyone responsible for software supply chain security, application security, or open source governance.
-
How often is the OSSRA report published?
The OSSRA report is published annually. The 2026 edition represents the eleventh consecutive year of the report, demonstrating more than a decade of tracking open source security and risk trends.
-
Is the OSSRA report free to download?
Yes, the OSSRA report is available as a free download from Black Duck. You can access the full report by completing a download form on the OSSRA landing page.
-
How many codebases does the OSSRA report analyze?
The 2026 OSSRA report examines vulnerabilities and license conflicts found in more than 900 real-world codebases spanning 17 industries, providing a comprehensive view of open source usage patterns, security risks, and compliance challenges across diverse sectors.
-
What industries are covered in the OSSRA report?
The 2026 OSSRA report covers eight vertical industries (Financial, FinTech, ISV, Tech, Healthcare, IoT, Cloud, and Insurance), providing industry-specific insights into open source security and risk trends. This multi-industry analysis helps organizations benchmark their open source practices against sector-specific patterns and identify industry-relevant risks.
-
What is the latest OSSRA report?
The latest OSSRA report is the "2026 Open Source Security and Risk Analysis" report, which represents the eleventh edition of this annual study. It provides the most current insights into open source security vulnerabilities, license compliance issues, and software supply chain risks.
-
Why should I download the OSSRA report?
Download the OSSRA report to learn
· Data-driven insights from analysis of real codebases
· Industry benchmarks to compare your organization's open source practices
· Identification of the most prevalent vulnerability types affecting open source software
· Guidance on licensing and compliance challenges
· Best practices for implementing software composition analysis tools
· Recommendations for creating accurate Software Bills of Materials
· Strategies for proactive open source risk management
-
What is software composition analysis and why is it mentioned in the OSSRA report?
Software composition analysis (SCA) is a methodology for identifying open source components in applications and analyzing their security, license, and quality risks. The OSSRA report emphasizes SCA tools because they are essential for generating accurate Software Bills of Materials and maintaining visibility into open source components—a critical requirement for securing the software supply chain and managing the risks documented throughout the report.
-
What's new in the 2026 OSSRA report?
The 2026 OSSRA report marks the eleventh edition of this annual study, representing over a decade of tracking open source security trends. This edition analyzes over 900 codebases across 17 industries, providing the latest data on vulnerability trends, license compliance challenges, and software supply chain security risks in the era of AI-driven development.
-
How can the OSSRA report help my organization?
The OSSRA report helps organizations by providing evidence-based insights into open source risk patterns, enabling teams to
· Proactively identify and address common vulnerabilities in their open source dependencies
· Understand industry-specific license compliance challenges
· Implement stronger security and compliance practices
· Make informed decisions about open source governance and software composition analysis tools
· Benchmark their practices against real-world data from hundreds of codebases