I Need IT Support Now
Managed IT Houston
Shane

Key Findings From the Black Duck 2025 Open Source Security and Risk Analysis Report

Securing your software supply chain begins with understanding what’s in your code — and your vendors’ code

Report Findings
97% of Codebases Run on Open Source. The Black Duck 2025 Report Shows How Much of It Is Vulnerable.

The tenth annual OSSRA report audited 965 commercial codebases. The headline numbers should reshape how you think about software risk.

TL;DR
The Black Duck 2025 Open Source Security and Risk Analysis (OSSRA) report audited 965 commercial codebases across 16 industries. It found open source in 97% of them, with an average of 911 components per application. But 86% of codebases carried at least one known vulnerability and 81% carried high- or critical-risk flaws. The quiet danger is transitive dependencies - components pulled in automatically by other components, which made up 64% of everything found and introduced nearly half of the high- and critical-risk vulnerabilities. Add in 90% of codebases running components more than four years out of date, and the message is clear: the code you did not write is now the code you most need to watch. Managing that risk across your own apps and your vendors is a supply-chain problem, not just a coding one.

Nearly every application runs on open source code - and most of that code carries known vulnerabilities the business never chose and often cannot see.

The Black Duck OSSRA report is now in its tenth year, and the 2025 edition is built on the audit team's review of 1,658 analyses covering 965 commercial codebases during 2024. It is one of the clearest yearly looks at what is actually inside modern software. For any business that buys, builds, or depends on software - which is every business - the findings matter, because the risk does not stop at your own developers.

Why this is your problem too: even if you never write a line of code, the apps and vendors you rely on are built from thousands of open source components. Their risk becomes your risk.

How Deep Open Source Runs

Open source is not a corner of modern software - it is most of it.

The report found open source in 97% of codebases, averaging 911 components each, with 70% of all scanned code originating in open source.

The scale has grown fast. The number of open source files in a typical application has tripled in four years - from 5,386 in 2020 to 16,082 in 2024. That is thousands of moving parts inside a single app, each one a component someone else maintains, updates, or abandons.

OSSRA 2025 BY THE NUMBERS 97% of codebases contain open source 86% contain a known vulnerability 81% contain a high or critical-risk flaw 90% run components 4+ years out of date
Headline findings from the Black Duck 2025 OSSRA report (965 codebases audited).

What the Report Found on Security

The vulnerabilities are widespread, severe, and often years old.

86% of codebases carried a known vulnerability and 81% carried a high- or critical-risk one - and most sat in outdated, unmaintained components.

  • Severity is the norm, not the exception. 81% of codebases contained high- or critical-risk vulnerabilities; one codebase held 3,548 unique flaws, with a mean of 154 per codebase.
  • Old, familiar libraries dominate. Eight of the ten most common high-risk vulnerabilities were found in jQuery - a reminder that the biggest risks are often well-known components no one updated.
  • The same weaknesses repeat. Improper input validation (CWE-20) was tied to 71% of open source vulnerabilities found, followed by uncontrolled resource consumption (70%) and exposure of sensitive information (60%).
  • Nobody is patching. 90% of codebases ran components more than four years out of date, and 91% included components with no development activity in the past two years.

Risk also varies sharply by industry. Even the lowest-risk sector in the report - Energy and Clean Tech - still had 60% of its codebases carrying high-risk vulnerabilities.

Horizontal bar chart showing the percentage of codebases with high-risk vulnerabilities across 16 technology industries in the Black Duck 2025 OSSRA report
High-risk vulnerabilities by industry. Source: Black Duck 2025 OSSRA report.

The Hidden Risk: Transitive Dependencies

The most dangerous components are the ones nobody chose.

Transitive dependencies made up 64% of all components found and introduced nearly half of the high- and critical-risk vulnerabilities.

A direct dependency is a component your team deliberately added. A transitive dependency is one pulled in automatically because a direct component needs it - and then another, and another, several layers deep. They rarely show up in a basic code review, which is exactly what makes them dangerous.

WHERE THE RISK HIDES: DIRECT VS. TRANSITIVE 36% DIRECT 64% TRANSITIVE Above the line: components your team deliberately added. Below the line: pulled in automatically, layers deep. Nearly HALF of high & critical vulnerabilities hide down here.
64% of open source components were transitive - and they carried a disproportionate share of the serious flaws.

Transitive components also drove roughly 30% of the report's license conflicts. And licensing is its own exposure: 56% of codebases had a license conflict, and 33% contained components with missing or customized license terms. Even permissive licenses like MIT - found in 92% of codebases - carry attribution requirements that must be met.

100% Free

Free Cybersecurity Assessment

Do you know what open source is inside your apps - and your vendors' apps? Get a FREE assessment of your software supply-chain risk.

Get Your Free Assessment

When 97% of software runs on open source and two-thirds of it comes in through the back door as transitive dependencies, you cannot secure what you cannot see. The first job is visibility - knowing what is actually inside the software you and your vendors depend on.
Shane Stevens, CEO, CinchOps - LinkedIn

Your Software Supply Chain Is an Attack Surface

CinchOps helps you see and manage open source risk across your own applications and your vendor ecosystem - software bills of materials, vulnerability monitoring, and vendor risk assessment - as part of our cybersecurity and managed IT services.

Explore CinchOps cybersecurity →

How CinchOps Helps With Vendor and Supply-Chain Risk

CinchOps is a Katy, Texas managed IT services provider serving businesses across the Houston metro, extending your security beyond your own code to the vendors you depend on.

  • Vendor code visibility. Help requesting and reviewing software bills of materials (SBOMs) so you know what open source lives in the products you buy.
  • Third-party risk framework. Assessment questionnaires that check how vendors handle vulnerabilities, license compliance, and component maintenance.
  • Due diligence for deals. Open source risk review for acquisitions and partnerships, where hidden flaws can affect real value.
  • Continuous monitoring. Alerting when new critical vulnerabilities emerge in the third-party software you rely on.
  • Supply-chain security program. Clear vendor requirements for open source management, vulnerability disclosure, and patching timelines.

When 97% of code contains open source, visibility across your whole supply chain is the difference between managed risk and a blind spot. Contact CinchOps to get started.

Frequently Asked Questions

What is the Black Duck OSSRA report?

The Open Source Security and Risk Analysis (OSSRA) report is an annual study from Black Duck. The 2025 edition, its tenth, is based on the audit team's review of 1,658 analyses covering 965 commercial codebases across 16 industries during 2024 - offering a data-backed look at how open source is used and where the risk sits.

What is a transitive dependency, and why does it matter?

A transitive dependency is an open source component your software pulls in automatically because another component requires it - not one your team chose directly. The report found 64% of all components were transitive, and they introduced nearly half of the high- and critical-risk vulnerabilities. Because they are often invisible to basic reviews, they are easy to miss and hard to patch.

My business does not build software. Does this still apply to me?

Yes. Nearly every application you buy or subscribe to is built from open source components - so the vulnerabilities in that code become your exposure. That is why reviewing your vendors' software and their handling of open source matters as much as securing your own systems.

What is an SBOM?

A software bill of materials (SBOM) is an itemized list of the components inside a piece of software, including its open source parts. Requesting SBOMs from vendors gives you the visibility needed to know when a newly discovered vulnerability affects a product you use.

How can a small business start managing open source risk?

Begin with visibility: inventory the software and vendors you depend on, ask vendors for SBOMs, and set up monitoring for new critical vulnerabilities. A managed IT provider can build a vendor risk process and keep those checks running so old or hidden components do not become an open door.

Discover More

Sources

Take Your IT to the Next Level!

Book A Consultation for a Free Managed IT Quote

281-269-6506