Annual cybersecurity reports from major vendors typically include sections on key findings, industry-specific insights, and strategic recommendations. The 2025 OSSRA report highlights the pervasive use of open source software, increasing complexity of codebases, and the importance of visibility and risk management in software security, with notable statistics about outdated components and transitive dependencies. #OpenSourceRisks #VulnerabilityManagement
Key points
- Most cybersecurity reports are structured into main sections such as executive overview, detailed findings, industry analyses, and strategic recommendations, providing a comprehensive understanding of the current security landscape.
- The 2025 OSSRA report reveals that 97% of examined codebases contain open source code, with an average of 911 components per application, indicating widespread reliance on open source technologies.
- A significant trend noted is the tripling of open source files in applications over four years, driven by increased use of transitive dependencies, complicating visibility and management.
- Outdated components are highly prevalent: 90% of codebases contain components more than four years old, which introduces substantial security and compatibility risks and underscores the need for regular updates.
- Static analysis data highlights common vulnerabilities such as cross-site scripting (XSS) and denial-of-service (DoS), often found in popular components like jQuery and Spring Framework.
- Open source component sourcing is primarily from package repositories like npm, with over 280,000 of nearly 1 million components originating from such sources, pointing to reliance on public repositories.
- Recurring themes include the critical importance of software visibility through Software Composition Analysis (SCA) and Software Bills of Materials (SBOMs), and the need for ongoing license compliance management.
- Key findings stress that managing open source licenses and vulnerabilities is vital to reducing operational risks, especially within M&A contexts where code integrity and license conflicts can impact valuation.
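One way to turn the visibility theme above into a concrete check, as an added example that is not from the OSSRA report or the awesome-annual-security-reports project: a small Python script walks a constructed CycloneDX-style SBOM, separates direct from transitive components, flags components that the dependency graph never reaches, and lists those older than the report's four-year threshold. The `released` property and all package names, versions and dates are constructed for illustration.

```python
from datetime import date

# Constructed CycloneDX-style fragment (field names follow CycloneDX 1.x:
# "components", "dependencies", "ref", "dependsOn"). The "released" property
# and every name/version/date are illustrative, not real inventory data.
SBOM = {
    "metadata": {"component": {"bom-ref": "app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/jquery@1.12.4", "released": "2016-05-20"},
        {"bom-ref": "pkg:npm/express@4.19.2", "released": "2024-03-25"},
        {"bom-ref": "pkg:npm/qs@6.11.0", "released": "2022-06-26"},
        {"bom-ref": "pkg:npm/side-channel@1.0.4", "released": "2020-12-09"},
        # Listed in the inventory but absent from the graph: a visibility gap.
        {"bom-ref": "pkg:npm/lodash@4.17.21", "released": "2021-02-20"},
    ],
    "dependencies": [
        {"ref": "app@1.0.0",
         "dependsOn": ["pkg:npm/jquery@1.12.4", "pkg:npm/express@4.19.2"]},
        {"ref": "pkg:npm/express@4.19.2", "dependsOn": ["pkg:npm/qs@6.11.0"]},
        {"ref": "pkg:npm/qs@6.11.0", "dependsOn": ["pkg:npm/side-channel@1.0.4"]},
    ],
}


def dependency_depths(sbom):
    """Breadth-first walk from the root; returns {ref: depth}, depth 1 = direct."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    depth, queue = {root: 0}, [root]
    while queue:
        cur = queue.pop(0)
        for nxt in edges.get(cur, []):
            if nxt not in depth:          # cycles and diamonds visited once
                depth[nxt] = depth[cur] + 1
                queue.append(nxt)
    depth.pop(root)
    return depth


def outdated(sbom, today_iso, years=4):
    """Components released more than `years` before today_iso (the report's 4-year bar)."""
    today = date.fromisoformat(today_iso)
    cutoff = date(today.year - years, today.month, min(today.day, 28))
    return sorted(c["bom-ref"] for c in sbom["components"]
                  if date.fromisoformat(c["released"]) < cutoff)


def report(sbom, today_iso):
    """Summarise direct vs transitive reach, unreachable entries and stale components."""
    depth = dependency_depths(sbom)
    declared = {c["bom-ref"] for c in sbom["components"]}
    return {"direct": sum(1 for d in depth.values() if d == 1),
            "transitive": sum(1 for d in depth.values() if d > 1),
            "not_in_graph": sorted(declared - set(depth)),
            "outdated": outdated(sbom, today_iso)}


if __name__ == "__main__":
    print(report(SBOM, "2025-06-01"))
```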
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)