Major cybersecurity reports like the 2024 Synopsys OSSRA provide deep insights into open source security, license compliance, and emerging risks in software development. They emphasize the importance of knowing what’s in your code, updating components regularly, and managing licensing to safeguard the software supply chain. #OpenSourceVulnerabilities #SoftwareSupplyChain
Key points
- Annual cybersecurity reports from major vendors, such as Synopsys OSSRA, typically include sections like Executive Summary, Overview, Vulnerability Analysis, License Management, Industry Trends, and Recommendations, providing a comprehensive view of current security challenges and practices.
- Key statistics highlight that approximately 96% of analyzed codebases contain open source components, with 84% having at least one known vulnerability, and 74% of these vulnerabilities classified as high-risk, reflecting rising exposure to exploits.
- Notable trends include a 54% increase in codebases with high-risk vulnerabilities from 2022 to 2023, and that over 90% of the open source components in use are multiple versions behind their latest release, indicating widespread maintenance gaps.
- Major findings reveal that common vulnerability types, such as cross-site scripting (XSS), are prevalent, often stemming from outdated JavaScript libraries like jQuery, emphasizing the need for regular updates and automated security testing throughout development.
- Reports consistently stress the importance of creating and maintaining an accurate Software Bill of Materials (SBOM), ensuring license compliance, and managing operational risks, including issues introduced by AI coding tools and unsupported open source projects.
- Recurring themes include the criticality of proactive open source management, continuous monitoring for vulnerabilities, and integrating security policies into the software development supply chain to mitigate both technical and legal risks.
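The SBOM, update-lag and license-compliance checks the reports recommend can be automated over a CycloneDX-style inventory. The following is an added example, not code from the OSSRA report or the linked collection; the SBOM, the release history, the vulnerability entry and the license allow-list are all constructed stand-ins for a real registry lookup and vulnerability feed.

```python
import json

# Constructed sample SBOM (CycloneDX-style JSON subset), not taken from any real project.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "jquery", "version": "1.12.4",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "lodash", "version": "4.17.21",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "oldlib", "version": "0.9.0", "licenses": []},
    ],
})
# Constructed reference data standing in for a package registry and a vulnerability
# feed; release lists are ordered oldest-to-newest. Not real advisories.
RELEASES = {
    "jquery": ["1.12.4", "2.2.4", "3.5.1", "3.7.1"],
    "lodash": ["4.17.21"],
    "oldlib": ["0.9.0", "1.0.0"],
}
KNOWN_VULNS = {("jquery", "1.12.4"): "high"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def assess_sbom(sbom_json, releases=RELEASES, vulns=KNOWN_VULNS,
                allowed=ALLOWED_LICENSES, max_lag=2):
    """Return {component: [findings]} for every component with at least one issue."""
    findings = {}
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp.get("name"), comp.get("version")
        issues = []
        # 1. Known vulnerability at this exact (name, version).
        severity = vulns.get((name, version))
        if severity:
            issues.append(f"known vulnerability ({severity})")
        # 2. Maintenance lag: how many newer releases exist than the one in use.
        history = releases.get(name)
        if history is None or version not in history:
            issues.append("version not found in release history")
        else:
            lag = len(history) - 1 - history.index(version)
            if lag >= max_lag:
                issues.append(f"{lag} releases behind latest {history[-1]}")
        # 3. License compliance: a license must be declared and on the allow-list.
        ids = [l.get("license", {}).get("id") for l in comp.get("licenses", [])]
        if not ids:
            issues.append("no license declared")
        issues += [f"license {i} not on allow-list" for i in ids if i not in allowed]
        if issues:
            findings[name] = issues
    return findings
```

A component that is missing from the release history is reported rather than silently skipped, since an inventory entry that cannot be resolved is itself a supply-chain gap.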
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)