Report: Security Suffers From ‘Zombie Code’ Apocalypse.

Most codebases contain outdated components, or “zombie code”, which can leave unpatched vulnerabilities in place long after they should have been fixed.

According to Synopsys’ Open Source Security and Risk Analysis (OSSRA) report, released today, 91% of codebases contain components that are at least 10 versions out of date.

Furthermore, 49% of codebases contain components that have not had any development activity in the last two years.

The average age of the open source vulnerabilities found in the examined codebases was 2.5 years, and almost a quarter of the codebases contained vulnerabilities older than 10 years.
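The three measures the report uses to describe zombie code (how many releases behind a pinned component is, how long upstream has been inactive, and how old its oldest unpatched vulnerability is) are straightforward to compute over a dependency inventory. The following is an added example, not code from the report or from Synopsys; the `Component` record, the inventory contents, the reference date and the threshold constants are constructed here to mirror the figures in the text.

```python
"""Flag 'zombie' open source components in a dependency inventory.

Added example. Thresholds mirror the report's criteria: 10 or more
versions behind, no upstream activity for 2 years, and the age of the
oldest unpatched vulnerability. The Component record and the inventory
below are constructed for illustration, not taken from any real SBOM.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, List, Dict

VERSIONS_BEHIND_THRESHOLD = 10   # report: 91% of codebases had components this far behind
INACTIVITY_YEARS = 2             # report: 49% had components idle for two years


@dataclass(frozen=True)
class Component:
    name: str
    pinned: str                          # version recorded in the lockfile / SBOM
    releases: Tuple[str, ...]            # known upstream releases, oldest first
    last_activity: date                  # most recent upstream commit or release
    oldest_open_vuln: Optional[date] = None  # disclosure date of oldest unpatched vuln


def versions_behind(c: Component) -> int:
    """Number of upstream releases published after the pinned version."""
    return len(c.releases) - 1 - c.releases.index(c.pinned)


def is_inactive(c: Component, as_of: date) -> bool:
    """True when upstream has shown no activity for INACTIVITY_YEARS."""
    return (as_of - c.last_activity).days > INACTIVITY_YEARS * 365


def vuln_age_years(c: Component, as_of: date) -> Optional[float]:
    """Age in years of the oldest unpatched vulnerability, or None if clean."""
    if c.oldest_open_vuln is None:
        return None
    return round((as_of - c.oldest_open_vuln).days / 365.25, 1)


def classify(components: List[Component], as_of: date) -> Dict[str, list]:
    """Bucket components by the report's three zombie-code indicators."""
    findings: Dict[str, list] = {"outdated": [], "inactive": [], "vulnerable": []}
    for c in components:
        if versions_behind(c) >= VERSIONS_BEHIND_THRESHOLD:
            findings["outdated"].append(c.name)
        if is_inactive(c, as_of):
            findings["inactive"].append(c.name)
        age = vuln_age_years(c, as_of)
        if age is not None:
            findings["vulnerable"].append((c.name, age))
    return findings


# Constructed inventory and reference date (not real projects).
AS_OF = date(2024, 2, 27)
INVENTORY = [
    # pinned at 1.2 while 1.3 .. 1.13 exist: 11 releases behind
    Component("libfoo", "1.2", tuple(f"1.{i}" for i in range(2, 14)), date(2023, 12, 1)),
    # only one release behind, but idle since 2021 and carrying a 2013 vuln
    Component("barparse", "3.0.1", ("3.0.0", "3.0.1", "3.0.2"), date(2021, 6, 15),
              oldest_open_vuln=date(2013, 9, 10)),
    # current and actively maintained: should not be flagged
    Component("bazcrypt", "0.9", ("0.9",), date(2024, 1, 20)),
]

if __name__ == "__main__":
    for bucket, names in classify(INVENTORY, AS_OF).items():
        print(f"{bucket}: {names}")
```

In a real pipeline the release list and last-activity date would come from the package registry or the upstream repository, and the vulnerability dates from an advisory feed; the report's point is that without such an inventory the components that fail these checks are simply never looked at.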

Overall security has also deteriorated year on year. In Synopsys’ 2022 report, 48% of codebases had high-risk vulnerabilities; in the 2023 report that figure jumped to 74%. Synopsys attributes the increase to factors such as layoffs affecting technology workers, leaving fewer developers available to fix these problems.

“This year’s OSSRA report points to an alarming increase in high-risk open source vulnerabilities across a variety of mission-critical industries, leaving them at risk of exploitation by cybercriminals,” said Jason Schmitt, general manager of Synopsys Software Integrity Group. “Increasing pressure on software teams to move faster and do more with less in 2023 likely contributed to this spike in open source vulnerabilities. Malicious actors have noticed this attack vector, so maintaining proper software hygiene by identifying, monitoring and effectively managing open source code is a key element in strengthening software supply chain security.”

Another finding of the report is that companies are struggling with open source license compliance. Fifty-three percent of codebases contain open source license conflicts, and 31% include components with either no known license or a custom license.

The report also found that eight of the top 10 vulnerabilities fall into a single weakness class: improper neutralization of input, the category behind injection flaws.
