Date: 2025-03-21

This report offers recommendations to help creators and consumers of open source software manage it responsibly, especially in the context of securing the software supply chain. Whether a consumer or provider of software, you are part of the software supply chain, and need to safeguard the applications you use from upstream as well as downstream risk. In the following pages, we examine:

Persistent open source security concerns

Why developers need to improve at keeping open source components up to date

The need for a Software Bill of Materials (SBOM) for software supply chain management

How to protect against the security and IP compliance risk introduced by AI coding tools

For nearly a decade, the major theme of the “Open Source Security and Risk Analysis” (OSSRA) report has been “Do you know what’s in your code?” In 2024, it’s a question more important than ever before. With the prevalence of open source and the rise in AI-generated code, more and more applications are now built with third-party code.

Without a complete view of what’s in your code, neither you, your vendors, nor your end users can be confident about what risks your software may contain. Securing the software supply chain begins with knowing what open source components are in your code, as well as identifying their respective licenses, code quality, and potential vulnerabilities.
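The paragraph above describes the starting point for supply chain security: an inventory of open source components with their licenses and known vulnerabilities. The script below is an added example (not code from the OSSRA report or from Synopsys) of what that looks like in practice: it reads a small CycloneDX-style SBOM, checks each component against a vulnerability feed, a latest-release index and a license policy, and reports the three risk categories the report tracks. The SBOM, the advisory identifiers (EXAMPLE-0001), the release index and the license policy are all constructed stand-ins for illustration, not real data.

```python
"""Inventory an SBOM and flag the risks the OSSRA report names: known
vulnerabilities, out-of-date components, and license policy violations.

Added example; not code from the OSSRA report or Synopsys. The SBOM, the
vulnerability feed, the release index and the license policy are constructed
stand-ins, not real advisories or real packages."""
import json
from dataclasses import dataclass, field

# Constructed CycloneDX-style SBOM (a minimal subset of the real schema).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "jsonparse", "version": "1.2.0",
         "purl": "pkg:npm/jsonparse@1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "imgcodec", "version": "0.9.1",
         "purl": "pkg:pypi/imgcodec@0.9.1",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "netutil", "version": "2.0.0",
         "purl": "pkg:pypi/netutil@2.0.0",
         "licenses": []},
    ],
})

# Constructed vulnerability feed: purl -> list of (advisory id, severity,
# first fixed version). Placeholder ids, not real CVEs.
VULN_FEED = {
    "pkg:npm/jsonparse@1.2.0": [("EXAMPLE-0001", "high", "1.2.3")],
}

# Constructed "latest known release" index used for the staleness check.
LATEST_RELEASE = {"jsonparse": "1.2.3", "imgcodec": "0.9.1", "netutil": "2.1.0"}

# Constructed license policy: licenses allowed in a proprietary product.
# Anything else, or no declared license at all, is flagged for review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


@dataclass
class Finding:
    component: str
    version: str
    vulns: list = field(default_factory=list)
    outdated: bool = False
    license_issue: str = ""


def parse_version(v):
    """Split a dotted numeric version into a tuple that compares correctly."""
    return tuple(int(p) for p in v.split("."))


def assess_sbom(sbom_json, vuln_feed, latest, allowed):
    """Return one Finding per component that carries at least one risk."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        name, version = comp["name"], comp["version"]
        f = Finding(component=name, version=version)
        # Vulnerabilities: exact match on the package URL (name + version).
        f.vulns = [vid for vid, _sev, _fixed in vuln_feed.get(comp.get("purl"), [])]
        # Staleness: a newer release exists than the one we ship.
        if name in latest and parse_version(latest[name]) > parse_version(version):
            f.outdated = True
        # Licensing: every declared license must be allowed; none declared is a gap.
        ids = [lic["license"]["id"] for lic in comp.get("licenses", []) if "license" in lic]
        if not ids:
            f.license_issue = "no license declared"
        else:
            bad = [i for i in ids if i not in allowed]
            if bad:
                f.license_issue = "disallowed license: " + ", ".join(bad)
        if f.vulns or f.outdated or f.license_issue:
            findings.append(f)
    return findings


def summarize(findings):
    """Headline counts in the style of the report's codebase percentages."""
    return {
        "with_vulns": sum(1 for f in findings if f.vulns),
        "outdated": sum(1 for f in findings if f.outdated),
        "license_issues": sum(1 for f in findings if f.license_issue),
    }


if __name__ == "__main__":
    results = assess_sbom(SAMPLE_SBOM, VULN_FEED, LATEST_RELEASE, ALLOWED_LICENSES)
    for f in results:
        print(f"{f.component}@{f.version}: vulns={f.vulns} outdated={f.outdated} "
              f"license={f.license_issue or 'ok'}")
    print(summarize(results))
```

Against the constructed SBOM, all three components are reported: one with a known vulnerability, two that lag the latest release, and two with a license problem (one disallowed, one undeclared). The undeclared-license case matters in practice: an SBOM entry without license data is not "fine", it is an unknown, and the script treats it as a finding rather than silently passing it.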

About the 2024 OSSRA

In this, its ninth edition, the 2024 OSSRA report delivers an in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. The...

84%

of codebases assessed for risk contained vulnerabilities

74%

of codebases assessed for risk contained high-risk vulnerabilities