
Key Findings From the Black Duck 2025 Open Source Security and Risk Analysis Report
Securing your software supply chain begins with understanding what’s in your code — and your vendors’ code
The Black Duck 2025 Open Source Security and Risk Analysis (OSSRA) report provides critical insights into the state of open source software usage and associated risks. As organizations increasingly rely on open source components to build applications, understanding these risks becomes paramount for security and compliance.
Open Source is Ubiquitous
The report reveals just how pervasive open source has become in modern software development:
- 97% of audited codebases contain open source components
- On average, applications contain 911 open source components
- 70% of scanned code had its origin in open source
- The number of open source files in an average application has tripled in the last four years, from 5,386 in 2020 to 16,082 in 2024
(Source: 2025 Open Source Security and Risk Analysis Report)
Key Security Findings
Security vulnerabilities in open source components present significant risks:
- 86% of codebases contained at least one vulnerability
- 81% contained high or critical-risk vulnerabilities
- Eight of the top ten high-risk vulnerabilities were found in jQuery
- The maximum number of unique vulnerabilities found in a single codebase was 3,548, with a mean of 154 per codebase
The report highlights that many vulnerabilities stem from improper input validation (CWE-20), which was linked to 71% of all open source vulnerabilities found. Other common issues include uncontrolled resource consumption (70%) and exposure of sensitive information (60%).
Transitive Dependencies: The Hidden Risk
One of the most concerning findings is the prevalence of “transitive dependencies” – components that are not directly imported but are required by other components:
- 64% of open source components identified were transitive dependencies
- Nearly half of high and critical vulnerabilities were introduced by these transitive dependencies
- Nearly 30% of component license conflicts were caused by transitive dependencies
These hidden dependencies are particularly challenging because they’re often invisible to basic code reviews and can introduce vulnerabilities several layers deep.
Licensing Concerns
License compliance issues were widespread:
- 56% of all codebases had license conflicts
- 33% had open source components with no license or customized license language
- The EdTech and Big Data/AI sectors had the highest rates of license conflicts (71%)
(Source: 2025 Open Source Security and Risk Analysis Report)
The report emphasizes that even permissive licenses like MIT (found in 92% of codebases) still contain attribution requirements that must be met.
Maintenance Issues
Outdated and unmaintained components present significant operational risks:
- 90% of codebases contained components more than four years out of date
- 91% contained components with no development activity in the past two years
- 90% contained components more than 10 versions behind the most current version
These maintenance issues create an expanded attack surface and indicate that developers are relying on code that may no longer be supported.
Industry Perspectives
The report breaks down findings by industry, with some sectors facing higher risks than others:
- Internet and Mobile Apps, Marketing Tech, and Computer Hardware and Semiconductors had the highest percentages of high-risk vulnerabilities
- EdTech and Big Data/AI sectors had the highest rates of license conflicts
- Even the lowest-risk sector (Energy and Clean Tech) still had 60% of codebases containing high-risk vulnerabilities
(Source: 2025 Open Source Security and Risk Analysis Report)
How CinchOps Can Help with Vendor and Third-Party Risk Assessment
At CinchOps, we understand that the risks highlighted in the Black Duck report extend beyond your own code to your entire software supply chain. Our vendor and third-party risk assessment services specifically target open source risks in your vendor ecosystem:
- Vendor Code Audit Support: We help you implement processes to request and review SBOMs from your software vendors, ensuring you understand what open source components exist in the products you purchase and use.
- Third-Party Risk Framework Development: We develop customized frameworks to evaluate vendor open source practices, including assessment questionnaires that focus on how they manage vulnerabilities, license compliance, and component maintenance.
- Due Diligence for M&A and Partnerships: As the report notes, open source audits are critical for M&A transactions. We provide specialized services to evaluate potential acquisition targets or partners for hidden open source risks that could affect IP value.
- Continuous Vendor Monitoring: We implement processes to continually monitor your vendors’ open source components for new vulnerabilities, using tools that can alert you when critical issues emerge in third-party software.
- Supply Chain Security Program Development: We help you build comprehensive supply chain security programs that include specific requirements for vendors regarding open source management, vulnerability disclosure, and patching timeframes.
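As an added illustration (not code from the Black Duck report or from CinchOps), the Python below shows the check behind the transitive-dependency finding above and the vendor SBOM review just described: it walks a CycloneDX-style SBOM, separates direct from transitive components, records the import chain that hides each transitive component from a direct-dependency review, and flags components with no declared license. The SBOM content and package names are constructed for the example.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM for illustration (not a real vendor SBOM):
# the application imports two libraries directly; one of them pulls in two more.
SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5",
 "metadata": {"component": {"bom-ref": "app", "name": "vendor-app"}},
 "components": [
  {"bom-ref": "web-ui@3.1", "name": "web-ui", "licenses": [{"license": {"id": "MIT"}}]},
  {"bom-ref": "http-core@4.2", "name": "http-core", "licenses": [{"license": {"id": "Apache-2.0"}}]},
  {"bom-ref": "query-parse@6.0", "name": "query-parse", "licenses": [{"expression": "MIT OR BSD-3-Clause"}]},
  {"bom-ref": "util-deep@1.4", "name": "util-deep"}],
 "dependencies": [
  {"ref": "app", "dependsOn": ["web-ui@3.1", "http-core@4.2"]},
  {"ref": "http-core@4.2", "dependsOn": ["query-parse@6.0"]},
  {"ref": "query-parse@6.0", "dependsOn": ["util-deep@1.4"]}]}""")

def license_of(component):
    """Declared SPDX id, name or expression; None when the SBOM says nothing."""
    ids = [e.get("expression") or e.get("license", {}).get("id") or e.get("license", {}).get("name")
           for e in component.get("licenses", [])]
    return next((i for i in ids if i), None)

def analyze(sbom):
    """Tag each component direct (depth 1), transitive (depth >= 2) or unreachable, with its shortest import chain."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    depth, parent, queue = {root: 0}, {root: None}, deque([root])
    while queue:                                    # breadth-first from the root
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:                  # first visit = shortest path
                depth[child], parent[child] = depth[node] + 1, node
                queue.append(child)
    rows = {}
    for comp in sbom["components"]:
        ref, chain = comp["bom-ref"], []
        while ref is not None:                      # walk parents back to the root
            chain.append(ref); ref = parent.get(ref)
        d = depth.get(comp["bom-ref"])              # None: listed but never imported
        rows[comp["name"]] = {"depth": d, "license": license_of(comp), "via": " <- ".join(chain),
                              "kind": "direct" if d == 1 else "transitive" if d else "unreachable"}
    return rows

def summary(rows):
    transitive = sum(r["kind"] == "transitive" for r in rows.values())
    return {"components": len(rows), "transitive_pct": round(100 * transitive / len(rows)),
            "unlicensed": sorted(n for n, r in rows.items() if r["license"] is None),
            "max_depth": max(r["depth"] or 0 for r in rows.values())}
```

Run against a vendor's real SBOM, the `via` chain tells you which direct dependency to raise with the vendor when a transitive component turns up with a vulnerability or a missing license.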
The Black Duck report clearly demonstrates that when 97% of code contains open source, visibility across your entire software supply chain is essential. With CinchOps as your partner, you can extend your security posture beyond your organization to include your vendors and third parties, ensuring a more secure and compliant software ecosystem.
Discover more about our enterprise-grade, business-protecting cybersecurity services on our Cybersecurity page.
Contact us today to learn how we can help you implement these vendor risk assessment practices and secure your entire software supply chain.