The Flexera Software Composition Analysis team recently analyzed data from 134 open source audit projects to determine how many vulnerabilities and license compliance issues exist in the audited applications. The results are available in the Flexera 2019 State of Open Source Licence Compliance report.
Highlights of the study include:
Insights Before Audits
The majority of development teams are using open source. A previous Flexera study shows that more than 50 percent of the code found in most commercial software packages is open source. However, if that code is unmanaged and not proactively tracked through a formal structure that turns reactive steps into a proactive strategy, what you don’t know can hurt you. In the Flexera study, only 2 percent of the issues eventually uncovered had been disclosed before the audit began.
Frequency of Security and Compliance Issues
On average, the Flexera audit team found one issue in every 32,873 lines of code. That might sound like a small number, but it’s not, especially when you think about the sheer volume of code that makes up your software product. Most applications now have well over 1,000,000 lines of code, and many have more than 100,000,000.
Priority Levels: Flexera discovered an average of 367 issues per audit project, and 16 percent of those issues are Priority Level 1 (P1), requiring immediate attention because they pose a critical security threat. 10 percent of the issues found were P2 (secondary priority issues related to commercial and vanity licenses), and the remaining 71 percent were P3 (low-risk hygiene issues related to permissive licenses such as BSD, Apache, and MIT).
Open Source Management: Despite the risks, only 37% of companies have policies in place for open source management.
Scans vs Forensic Studies: On average, a deeper forensic analysis finds twice the number of issues found in an Overview. Forensic audits are ideal when extra caution up front is justified, or when circumstances suggest that the normal signs of third-party use, such as copyright notices or license text, may have been removed. Forensic analysis includes extensive use of source code fingerprint analysis to identify and explain the origin of code, including partial matches such as fragments cut and pasted by developers.