
Open-source software (OSS) has become the backbone of modern applications, driving innovation across industries from finance to manufacturing. However, the latest Open Source Security and Risk Analysis (OSSRA) report from Black Duck reveals a sobering reality: 86% of commercial codebases contain known vulnerabilities, many of them high-risk.
The appeal of OSS is clear. It’s free, flexible, and accelerates development by letting companies build on existing code rather than starting from scratch. As a result, open source now powers the majority of commercial software. But the very factors that make OSS so attractive also introduce significant risks. Outdated components, license conflicts, and hidden dependencies have become common hazards, exposing organizations to attacks.
This paradox—where OSS speeds up innovation while expanding the attack surface—is at the heart of the OSSRA report's findings.
The Vulnerability Epidemic in Open Source
According to the OSSRA report, 81% of the commercial codebases that contain known vulnerabilities include at least one vulnerability rated high or critical risk. These are openings that attackers can and do exploit.
Much of this problem stems from the continued reliance on outdated components. Many organizations hesitate to update or replace these elements because doing so can disrupt critical applications. In some cases, development teams lack the resources or visibility needed to manage updates effectively.
Another problem is that security often takes a back seat to rapid development. Projects that promise new revenue are prioritized over routine maintenance and patching. As a result, outdated open-source components remain embedded deep within software supply chains, quietly expanding the attack surface over time.
“Projects and the promise of new revenue will always be sexier than maintenance, refactoring, and optimization,” said Trey Ford, chief information security officer at Bugcrowd. “Hearing that 91% of codebases had out of date components, and a full 90% of all code bases had components more than 10 versions behind, comes as no surprise.”
jQuery: The Persistent Threat in Open Source
The OSSRA report identifies jQuery, the popular JavaScript library designed to simplify web development tasks, as the most common source of vulnerabilities in open-source software, with outdated versions still widespread in commercial codebases. Despite being well-documented, its flaws continue to present significant risks because jQuery is deeply integrated into countless applications.
One particularly concerning vulnerability, CVE-2020-11023, is still present in nearly a third of the applications analyzed in the report. This flaw, which allows cross-site scripting attacks when untrusted HTML reaches jQuery's DOM manipulation methods (such as .html() or .append()), was disclosed years ago. Yet many organizations have yet to patch or replace the affected versions, leaving a door wide open for attackers.
“When vulnerable libraries are utilized in APIs, those APIs inherit associated risks,” said Eric Schwake, director of cybersecurity strategy at Salt Security. “Attackers can leverage these vulnerabilities to compromise API endpoints, access sensitive information without authorization, or disrupt services.”
The reason outdated versions of jQuery linger is largely due to compatibility concerns. Updating jQuery often means refactoring large parts of an application, a time-consuming and costly process that many teams avoid.
The Hidden Risks of Transitive Dependencies
Transitive dependencies are a hidden menace in open-source software. The OSSRA report reveals that 64% of OSS components fall into this category—dependencies pulled in automatically by other packages rather than being directly chosen by developers. The problem is that most organizations have little to no visibility into these secondary components, making them nearly impossible to track without automation.
This creates significant blind spots for security teams. When a vulnerability is discovered in a transitive dependency, it often goes unnoticed for months, or even years, because traditional security tools focus primarily on direct dependencies. As a result, organizations are often exposed to risks they don't even know exist.
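The distinction between direct and transitive dependencies is something a lockfile already records; the visibility problem is that nobody reads it that way. The script below is an added example, not tooling from the report or from Black Duck: it walks a constructed npm package-lock.json (SAMPLE_LOCK, lockfileVersion 3 layout, with illustrative package names and versions), marks every installed package as direct or transitive, records which direct dependency first pulled each one in, and emits a package-URL inventory of the kind an SBOM would carry. The function names are mine; the lockfile layout and npm's nearest-ancestor resolution of nested node_modules are real.

```python
import json
from collections import deque

# Constructed sample package-lock.json (npm lockfileVersion 3 layout). Package
# names and versions are illustrative only, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "webapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "webapp",
             "dependencies": {"express": "^4.18.2", "jquery": "^3.7.1"}},
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"body-parser": "1.20.1", "qs": "6.11.0"}},
        "node_modules/body-parser": {"version": "1.20.1",
                                     "dependencies": {"qs": "6.11.0", "raw-body": "2.5.1"}},
        "node_modules/qs": {"version": "6.11.0",
                            "dependencies": {"side-channel": "^1.0.4"}},
        "node_modules/side-channel": {"version": "1.0.4"},
        "node_modules/raw-body": {"version": "2.5.1",
                                  "dependencies": {"unpipe": "1.0.0"}},
        # nested install: a copy of a package living under another package's tree
        "node_modules/raw-body/node_modules/unpipe": {"version": "1.0.0"},
        "node_modules/jquery": {"version": "3.7.1"},
    },
})


def load_packages(lock_text):
    """Return the 'packages' map of a lockfileVersion 2/3 npm lockfile."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        raise ValueError("need lockfileVersion 2 or 3 (with a 'packages' map)")
    return lock["packages"]


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(packages, parent_path, name):
    """Emulate npm's nearest-ancestor lookup: starting at parent_path, walk up
    the node_modules tree until node_modules/<name> is found."""
    path = parent_path
    while True:
        candidate = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not path:
            return None
        idx = path.rfind("/node_modules/")
        path = path[:idx] if idx >= 0 else ""


def classify(packages):
    """Inventory every installed package, mark it direct or transitive, and
    record which direct dependency first pulled it in."""
    root = packages[""]
    direct = set()
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        direct |= set(root.get(field, {}))

    introduced_by = {}            # installed path -> direct dep that reached it first
    queue = deque()
    for name in sorted(direct):
        path = resolve(packages, "", name)
        if path is not None:
            introduced_by[path] = name
            queue.append(path)
    while queue:                  # BFS along the dependency edges in the lockfile
        path = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            child = resolve(packages, path, dep)
            if child is not None and child not in introduced_by:
                introduced_by[child] = introduced_by[path]
                queue.append(child)

    inventory = []
    for path, meta in packages.items():
        if path == "":
            continue
        name = package_name(path)
        version = meta.get("version", "unknown")
        inventory.append({
            "name": name,
            "version": version,
            # package URL as used in CycloneDX/SPDX SBOMs ('@' in scoped names is %-encoded)
            "purl": f"pkg:npm/{name.replace('@', '%40')}@{version}",
            "path": path,
            "direct": path == f"node_modules/{name}" and name in direct,
            "introduced_by": introduced_by.get(path),  # None: installed but unreachable
        })
    return inventory


def transitive_share(inventory):
    """Fraction of installed packages that nobody chose directly."""
    return sum(not c["direct"] for c in inventory) / len(inventory)


if __name__ == "__main__":
    inv = classify(load_packages(SAMPLE_LOCK))
    for c in inv:
        kind = "direct    " if c["direct"] else "transitive"
        print(f"{kind} {c['purl']:<32} via {c['introduced_by']}")
    print(f"transitive share: {transitive_share(inv):.0%}")
```

On the sample lockfile five of the seven installed packages are transitive (all reached through express), which is the same shape as the report's 64% figure; the introduced_by field is what lets a team answer "why is this package here?" when an advisory lands for a name they never added themselves.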
AI Coding Assistants: A New Factor in Software Supply Chain Risk
AI coding assistants have quickly become a double-edged sword in software development. While they speed up coding and take routine tasks off developers' hands, they also introduce new risks to the software supply chain. According to the OSSRA report, 23% of open-source dependencies were not identified through standard package managers, which the report suggests points to AI-generated code pulling in components under the radar.
The problem lies in how AI assistants work. They often suggest snippets and libraries without clearly documenting their origins. This lack of traceability makes it difficult for security teams to assess the risk associated with these components or even know they exist.
The only effective way to mitigate these risks is through automation. Automated security tools that can analyze the entire codebase—including transitive dependencies and AI-suggested components—are becoming essential. These tools can help flag vulnerabilities early and ensure that every component, no matter how it was introduced, gets the scrutiny it needs. Without this layer of automation, the risks associated with AI-generated code will only continue to grow.
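A component that arrived as a pasted or vendored file never shows up in a lockfile, so a scanner has to look at the files themselves. The script below is an added example and not the report's or Black Duck's tooling; it ties the jQuery finding above to this section's point by searching a constructed source tree (SAMPLE_FILES) for jQuery's version header, marking any copy outside node_modules/ as unmanaged, comparing it with what a constructed lockfile summary (SAMPLE_LOCK_VERSIONS) says was installed, and flagging versions older than 3.5.0, the release that fixed CVE-2020-11023. The header format and the fix version are real jQuery facts; the function names and sample tree are assumptions of this example.

```python
import json
import os
import re
from pathlib import Path

# Version header that jQuery ships at the top of both its minified and
# unminified builds, e.g. "/*! jQuery v1.12.4 | ..." or " * jQuery JavaScript Library v3.7.1".
JQUERY_HEADER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")
# CVE-2020-11023 (together with CVE-2020-11022) was fixed in jQuery 3.5.0.
JQUERY_FIXED = (3, 5, 0)

# Constructed sample source tree (path -> start of the file). Contents are
# trimmed stand-ins, not real library code.
SAMPLE_FILES = {
    "public/vendor/jquery-1.12.4.min.js":
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){/* ... */}",
    "src/lib/jquery.js":
        "/*!\n * jQuery JavaScript Library v3.7.1\n * https://jquery.com/\n */\n(function(g,f){/* ... */})",
    "src/app.js":
        "import $ from 'jquery';\n$('#out').html(userInput);\n",
}
# Constructed: what the lockfile says the package manager actually installed.
SAMPLE_LOCK_VERSIONS = {"jquery": "3.7.1"}


def find_embedded_jquery(files):
    """Return [(path, version tuple)] for every file carrying a jQuery version header."""
    hits = []
    for path, text in files.items():
        m = JQUERY_HEADER.search(text[:4000])   # the header sits in the first lines
        if m:
            hits.append((path, tuple(int(x) for x in m.groups())))
    return hits


def assess(files, lock_versions):
    """Flag each embedded jQuery copy the package manager does not account for,
    and whether its version predates the CVE-2020-11023 fix."""
    report = []
    for path, version in find_embedded_jquery(files):
        version_str = ".".join(map(str, version))
        report.append({
            "path": path,
            "version": version_str,
            # anything outside node_modules/ was copied in by hand, by a build
            # step or as a pasted snippet: the lockfile knows nothing about it
            "unmanaged": not path.startswith("node_modules/"),
            "matches_lockfile": lock_versions.get("jquery") == version_str,
            "affected_cve_2020_11023": version < JQUERY_FIXED,
        })
    return report


def read_tree(root):
    """Collect .js files under root, keeping only the header region of each."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.endswith(".js"):
                p = Path(dirpath, n)
                files[str(p.relative_to(root))] = p.read_text(errors="replace")[:4000]
    return files


def lock_versions_from_file(lock_path):
    """name -> version for every entry of a lockfileVersion 2/3 npm lockfile."""
    pkgs = json.loads(Path(lock_path).read_text())["packages"]
    return {p.rsplit("node_modules/", 1)[1]: m.get("version") for p, m in pkgs.items() if p}


if __name__ == "__main__":
    # real use: assess(read_tree("."), lock_versions_from_file("package-lock.json"))
    for r in assess(SAMPLE_FILES, SAMPLE_LOCK_VERSIONS):
        status = "AFFECTED" if r["affected_cve_2020_11023"] else "ok"
        print(f"{r['path']}: jQuery {r['version']} unmanaged={r['unmanaged']} "
              f"matches_lockfile={r['matches_lockfile']} CVE-2020-11023={status}")
```

In the sample tree the lockfile reports a patched 3.7.1, yet a 1.12.4 build sits in public/vendor/ and is what the browser actually loads; a scan that only reads package-lock.json would report the application as clean. The same header-matching approach extends to any library that stamps its version into the file, which is how the unmanaged share of an inventory gets measured at all.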
License Conflicts: The Legal and Compliance Minefield
License conflicts are becoming a serious problem in open-source software, with 56% of codebases containing at least one licensing issue, according to the OSSRA report. These conflicts can halt development, complicate mergers and acquisitions, and expose organizations to lawsuits.
A significant portion of these issues—about 30%—stem from transitive dependencies, which are often pulled into projects automatically without developers realizing the licensing implications. Since these secondary components aren’t directly chosen or documented, it’s easy for incompatible licenses to slip through the cracks.
Another growing concern is the rise of custom or missing licenses. Many open-source projects now use custom licenses that aren’t covered by standard scanning tools, making it difficult for organizations to assess compliance. In other cases, components lack licensing information entirely, leaving teams to guess at their legal obligations. Without better visibility and automated tools to handle licensing compliance, these risks are likely to keep escalating.
The Future of Open Source Security: What Needs to Change?
The open-source ecosystem is at a crossroads. The OSSRA report makes it clear that the status quo isn’t sustainable. The sheer scale of open-source adoption—tripling in just four years—has stretched traditional security practices beyond their limits. Without significant changes, the risks will only multiply.
One of the most urgent needs is for real-time inventory tracking. “This must-read report underscores why SBOMs are a great thing—knowing exactly what is in software is a win,” Ford said. “Their existence is a proxy indicator for software maturity, and creates ideal conditions for maintaining transparency, currency, and improving security outcomes.”
Automation can also help monitor for new threats, manage patches, and ensure that both direct and transitive dependencies comply with licensing requirements.
Securing the Future of Open Source
Open-source software has transformed the way organizations build and deploy applications, accelerating innovation at an unprecedented pace. However, as the OSSRA report highlights, that speed has come at a cost.
To protect their software supply chains, organizations must shift from a reactive approach to a proactive strategy focused on prevention. Open-source software isn’t going away—in fact, its role in modern development is only set to grow. Without a more vigilant and proactive approach to managing its risks, the vulnerabilities that have become so common today will continue to expand.