The latest Open Source Security and Risk Analysis (OSSRA) report issued by Black Duck reveals a sharp escalation in software supply chain risk. Driven by explosive dependency growth, duplicated components, and AI-generated code, open-source vulnerabilities per application more than doubled (107%) last year compared to 2025, and 87% of all codebases contained at least one vulnerability.
At the same time, AI-assisted development expanded attack surfaces and legal exposures. In addition, license conflicts reached historic highs as governance processes failed to keep pace.
Randolph Barr, the CISO at Cequence Security, commented on the report: “There are no rules that AI-assisted growth has to follow. It adds code, dependencies, and architectural choices at a speed that is faster than what standard review and fix processes can handle.”
Application security programs, however, were built around older development models in which change happens slowly.
Added Barr, “Review boards, approval cycles, processes for fixing problems, and compliance checkpoints were all made so that release patterns could be predicted. Many of these programs still use old control ideas even after being updated with DevSecOps techniques.”
Security and Governance Can’t Keep Up
The Black Duck report and Barr’s comments underscore a structural shift: organizations build software faster than they can effectively govern applications. While most teams scan AI-generated code for security flaws, only a fraction perform comprehensive reviews that include intellectual property, licensing, and quality checks.
This leaves compliance gaps ahead of emerging regulations such as the EU Cyber Resilience Act. The convergence of open-source sprawl and AI acceleration is not simply a tooling problem; it is a governance maturity challenge that demands a new approach to software inventory, dependency management, and risk accountability.
“The key takeaway from this year’s OSSRA research report is that AI has truly changed the scale and speed at which software risk is introduced,” pointed out Diana Kelley, Chief Information Security Officer at Noma Security. “The fact that vulnerabilities per codebase have more than doubled in a single year signals a systemic shift. AI-assisted development is accelerating code creation, dependency sprawl, and model integration faster than traditional security and governance practices can keep up.”
The Speed Gap Between Innovation and Oversight
Open-source code is foundational to modern software development. But with AI accelerating code production at an unprecedented scale, the gap between development velocity and governance maturity keeps widening.
In today’s world, organizations simply build software faster than they can secure it.
“AI-assisted development has moved from a productivity experiment—think vibe-coding—to a primary source of systemic risk,” said Ram Varadarajan, CEO at Acalvio. “Organizations are going to need to shift from basic security scanning to comprehensive full-spectrum protection and governance with automated, AI-driven defenses, including IP, licensing, and automated dependency management.”
Vulnerabilities Surge to Historic Levels
In addition to the statistics cited above, the average number of vulnerabilities per application rose last year to a staggering 581. This is caused, in part, by the hidden multiplier effect of duplicated dependencies in software development.
That effect is the exponential, often invisible, increase in maintenance work, security risk, and build complexity that occurs when the same library (or several versions of it) is included multiple times throughout a project, particularly through transitive dependencies. The immediate result is a larger codebase, but the multiplier also acts on team productivity and system stability, often turning a simple update into a dependency nightmare.
It is also important to note that vulnerability counts alone (e.g., the total number of CVEs) understate systemic exposure, because they record the existence of flaws rather than their context, reachability, and impact within a system. A high count of low-risk vulnerabilities can distract from a single unpatched, Internet-facing one, creating a false sense of security while leaving critical pathways exposed.
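The two points above (duplicated transitive dependencies inflating raw counts, and counts saying nothing about exposure) can be made concrete on a small constructed dependency graph. This is an added example, not code from the OSSRA report or any Black Duck tool; the package names, advisory IDs and the exposure weighting are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

DEPS = {  # constructed dependency graph: package@version -> direct dependencies
    "app": ["web-framework@3.1", "report-gen@2.0", "auth-lib@1.4"],
    "web-framework@3.1": ["http-parser@1.2", "logging-core@0.9"],
    "report-gen@2.0": ["http-parser@1.2", "logging-core@0.8", "pdf-kit@4.0"],
    "auth-lib@1.4": ["logging-core@0.9", "http-parser@1.2"],
}

ADVISORIES = {  # constructed placeholder advisory IDs (not real CVEs) with CVSS-style severity
    "http-parser@1.2": [{"id": "ADV-0001", "severity": 9.8}],
    "logging-core@0.8": [{"id": "ADV-0002", "severity": 5.3}],
    "logging-core@0.9": [{"id": "ADV-0003", "severity": 3.1}],
}

# Constructed exposure context: components that sit on a reachable, Internet-facing path.
INTERNET_FACING = {"http-parser@1.2"}

def occurrences(root, graph):
    """Count how often each package@version is pulled in across all transitive paths."""
    counts = Counter()
    def walk(node):
        counts[node] += 1
        for child in graph.get(node, []):
            walk(child)
    for direct in graph.get(root, []):
        walk(direct)
    return counts

def duplicated_libraries(root, graph):
    """Library name -> versions present, for libraries included more than once (the multiplier)."""
    seen, total = defaultdict(set), Counter()
    for pkg, n in occurrences(root, graph).items():
        name, version = pkg.split("@")
        seen[name].add(version)
        total[name] += n
    return {name: sorted(v) for name, v in seen.items() if total[name] > 1}

def naive_vulnerability_count(root, graph, advisories):
    """Per-inclusion count: every path that imports a vulnerable package re-counts its advisories."""
    return sum(len(advisories.get(pkg, [])) * n for pkg, n in occurrences(root, graph).items())

def exposure_ranked_findings(root, graph, advisories, internet_facing):
    """One finding per distinct package@version/advisory, ranked by exposure-weighted severity."""
    findings = []
    for pkg in occurrences(root, graph):
        for adv in advisories.get(pkg, []):
            exposed = pkg in internet_facing
            weight = adv["severity"] * (2.0 if exposed else 1.0)  # assumed weighting, not a standard
            findings.append((weight, pkg, adv["id"], exposed))
    return sorted(findings, reverse=True)
```

On this graph the per-inclusion count reports six vulnerabilities where only three distinct advisories exist, and the exposure ranking puts the single Internet-facing parser flaw well ahead of the two logging issues.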
“While 581 vulnerabilities per application sounds dramatic, it’s largely transitive dependency sprawl, inherited multiple layers deep,” observed Saumitra Das, Vice President of Engineering at Qualys. “The 107% year-over-year increase reflects compounding complexity, not careless development. It is also reflecting the dominance of vibe coding using libraries from wherever it can, as quickly as it can, increasing the code surface.”
Dependency Growth, Codebase Expansion, and a Licensing Time Bomb
AI-model adoption also introduces new and poorly catalogued attack surfaces. Other key trends uncovered by Black Duck include:
- A 30% increase in open-source component counts.
- 74% growth in the number of files per codebase.
- 68% of audited codebases contain open-source license conflicts (the largest increase in OSSRA history).
This combination of transitive-dependency complexity and license conflicts creates an operational burden in patching, version drift, and configuration management.
In addition, AI-generated code amplifies IP uncertainty that can lead to legal and contractual implications for enterprises. These include a lack of provenance transparency in AI outputs as well as copyleft and derivative risk concerns.
Governance Has Not Caught Up
As the Black Duck research uncovered, 54% of enterprise software development teams review AI-generated code for intellectual property (IP) and licensing risks. However, only 24% conduct comprehensive IP, security, and quality evaluations.
This creates a major risk: security scanning without licensing or IP review leaves blind spots. Regulatory pressure is also mounting, including the EU AI Act and the Cyber Resilience Act. Businesses now face higher stakes in areas such as trade fraud, data privacy, environmental regulation, and financial crime, where minor, proactive, and self-disclosed issues are prioritized over full-scale enforcement actions.
Consequently, putting compliance exposure ahead of enforcement will be shaped by a paradox: more numerous, more targeted, and more technology-driven investigations by regulatory bodies, even as some agencies shift to compliance-first frameworks. The days of “ship and forget” software delivery are over. Application developers must maintain continuous supply chain transparency, in which every component, whether human-written, AI-generated, or open source, is accounted for.
Strategic Implications for Security and Engineering Leaders
With these findings, enterprises must realize that software supply chain risk is no longer limited to third-party libraries. AI models, APIs, and generated code as supply chain inputs also present risks.
This calls for dependency management as a risk-management model:
- Unified visibility across traditional and AI-generated components.
- Continuous software bill of materials discipline.
- Integration of AI governance into DevSecOps pipelines.
- Cross-functional alignment between legal, security, and engineering.
- Evolving from vulnerability counting to systemic exposure modeling.
These capabilities enable proactive identification, tracking, and control of third-party libraries, components, and external dependencies. That makes it possible to prevent security vulnerabilities, licensing issues, and operational disruptions.
Governance as a Competitive Advantage
So what’s the key takeaway from all this open-source risk? Software innovation does not need to slow down, but governance programs must mature.
Organizations that institutionalize traceability and comprehensive review will reduce long-term risk—essentially turning governance into a competitive advantage.
Those that do not will accumulate governance debt alongside technical debt. And that will ultimately hamper innovation.