The average open source vulnerability is 2.5 years old

Open source software security was analyzed in a recent report by Synopsys. According to the report, nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities.

While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.

Ninety-one percent of codebases contained components that were 10 or more versions out-of-date, and 49% of codebases contained components that had no development activity within the past two years. The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.

High-risk open source vulnerabilities permeate across critical industries: The computer hardware and semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by manufacturing, industrials and robotics at 87%. Closer to the middle of the pack, the big data, AI, BI and machine learning industry had 66% of its codebases impacted by high-risk vulnerabilities. At the bottom of the list, the aerospace, aviation, automotive, transportation and logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.

The report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license. The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707).

Read the full report here.