Unmanaged open source code could put companies at risk
More than half the code found in commercial software packages is open source, but if it isn’t properly tracked businesses might be in the dark on the number of vulnerabilities and license compliance issues that exist in their applications.
Software supply chain specialist Flexera has released a report looking into the state of open source license compliance, based on analyzing data from 134 software audits.
On average, the Flexera audit teams find one issue within every 32,873 lines of code. That might sound like a small number, but most applications now have well over 1,000,000 lines of code. Flexera discovered an average of 367 issues per audit project. 16 percent of those issues are Priority Level 1 (P1) (requiring immediate attention because they pose a critical security threat). 10 percent of issues found were P2 (secondary priority issues related to commercial and vanity licenses) and the remaining 71 percent were P3 (low risk hygiene issues related to permissive license issues such as those under BSD, Apache, and MIT).
Yet despite these risks, only 37 percent of companies have policies in place for open source management. Deeper forensic analysis finds twice the number of issues found in a normal overview. A deeper analysis may be justified where, for example, normal signs of third-party use such as copyrights or license text may have been removed.
The full report is available from the Flexera site and there's an overview of the findings in the infographic below.