| Open Source Security and Risk Analysis Report 2024 | 3
This report offers recommendations to help creators and consumers of open source software manage it responsibly, especially
in the context of securing the software supply chain. Whether a consumer or provider of software, you are part of the software
supply chain, and need to safeguard the applications you use from upstream as well as downstream risk. In the following pages,
we examine
• Persistent open source security concerns
• Why developers need to improve at keeping open source components up-to-date
• The need for a Software Bill of Materials (SBOM) for software supply chain management
• How to protect against the security and IP compliance risk introduced by AI coding tools
For nearly a decade, the major theme of the “Open Source Security and Risk Analysis” (OSSRA) report has been Do you know
what’s in your code? In 2024, it’s a question more important than ever before. With the prevalence of open source and the rise in
AI-generated code, more and more applications are now built with third-party code.
Without a complete view of what’s in your code, neither you, your vendors, nor your end users can be condent about what risks
your software may contain. Securing the software supply chain begins with knowing what open source components are in your
code, as well as identifying their respective licenses, code quality, and potential vulnerabilities.
About the 2024 OSSRA
In this, its ninth edition, the 2024 OSSRA report delivers an in-depth look at the current state of open source security,
compliance, licensing, and code quality risks in commercial software. The ndings in this report are presented with the goal of
helping security, legal, risk, and development teams better understand the open source security and license risk landscape.
This report uses data from the Synopsys Black Duck
®
Audit Services team’s analysis of anonymized ndings from 1,067
commercial codebases across 17 industries during 2023. The Audit Services team has helped security, development, and
legal teams around the world strengthen their security and license compliance programs for over 20 years. The team audits
thousands of codebases for our customers each year, with the primary aim of identifying software risks during merger and
acquisition (M&A) transactions.
The audits also provide a comprehensive, accurate Software Bill of Materials covering the open source, third-party code, web
services, and application programming interfaces (APIs) in an organization’s applications. The Audit Services team relies on
data from the Black Duck KnowledgeBase™ to identify potential license compliance and security risks. Sourced and curated by
the Synopsys Cybersecurity Research Center (CyRC), the KnowledgeBase includes data on more than 7.8 million open source
components from over 31,000 forges and repositories.
The OSSRA report highlights the prevalence of open source in software as well as the potential dangers of not properly
managing it. Open source is the foundation for all applications that businesses and consumers rely on today. Identifying,
tracking, and managing open source effectively is critical to a successful software security program—as well as a key element
to strengthening the security of the software supply chain.
Executive
Summary
