86 percent of commercial codebases expose organizations to risk
Analysis of 965 commercial codebases across 16 industries during 2024 by Black Duck Software finds 86 percent contain open source software vulnerabilities and 81 percent high- or critical-risk vulnerabilities.
Black Duck's Open Source Security and Risk Analysis (OSSRA) report also shows that the number of open source files in an average application has tripled from around 5,300 in 2020 to more than 16,000 in 2024.
"The 2025 OSSRA report underscores a critical and ongoing challenge for organizations: managing the security and compliance risks inherent in open source software," said Jason Schmitt, CEO of Black Duck. "As open source adoption continues to grow at an incredible velocity, businesses need to implement robust software composition analysis and risk management strategies to build trust into their applications, data, and intellectual property."
Among the report’s findings are that 90 percent of audited codebases were found to have open source components more than four years out-of-date.
Eight of the top 10 high-risk vulnerabilities were found in jQuery, a widely-used JavaScript library. In fact, 43 percent of the applications Black Duck scanned contained some version of jQuery, frequently an outdated version. The most frequently found high-risk vulnerability is CVE-2020-11023, an XSS vulnerability affecting outdated versions of jQuery, but still present in a third of Black Duck scanned codebases.
Transitive dependencies -- open source libraries that other software components rely on to function -- caused nearly 30 percent of the license conflicts found in the audits. Additionally, 33 percent of codebases contained open source with no license or a customized license.
Only 77 percent of dependencies could be identified via package manager scanning, suggesting that the remainder were introduced to applications by other means, including AI coding assistants. These blind spots are what lead to lingering unpatched vulnerabilities, outdated components, and license conflicts.
You can get the fill OSSRA report from the Black Duck site.
Image credit: Elnur_/depositphotos.com