
Black Duck has released its annual Open Source Security and Risk Analysis (OSSRA) report, analyzing 1,658 examinations of 965 commercial codebases within 16 industries. According to the findings, 86% of codebases had open source software vulnerabilities while 81% had high- or critical-risk vulnerabilities. Furthermore, the average application in 2024 contained three times as many open source files as the average application in 2020: more than 16,000 in 2024 versus 5,300 in 2020.
Below, Mike McGuire, Senior Manager and OSSRA Data Advisor at Black Duck, delves deeper into the report’s findings.
The state of open source dependencies: Key takeaways
McGuire comments, “The most significant takeaway from my perspective is that blind spots are prevalent when it comes to open source dependency management. We’ve stressed for some time the importance of eliminating these blind spots, but that has become particularly important as more industries and consumers demand complete supply chain visibility. This is underscored by the number of transitive dependencies (71%) identified within the report and the number of dependencies discovered via package manager scanning (60%).”
Frequent source of high-risk vulnerabilities
The report also found that jQuery, a JavaScript library, was the most frequent source of vulnerabilities, as eight of the top 10 high-risk vulnerabilities were found there. Among scanned applications, 43% contained some version of jQuery — oftentimes, an outdated version. An XSS vulnerability affecting outdated versions of jQuery, called CVE-2020-11023, was the most frequently found high-risk vulnerability.
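An added example, not taken from the report or from jQuery itself, of the kind of check a defender can run over a codebase for the finding above: it walks a source tree, reads the version banner at the top of each JavaScript file, and flags any copy of jQuery older than 3.5.0, the release in which CVE-2020-11023 was fixed. The sample files are constructed inline; the banner formats follow what real minified and unminified jQuery builds ship.

```python
import os
import re
import tempfile

# Banners: "/*! jQuery v3.4.1 | (c) ..." (minified) or " * jQuery JavaScript Library v1.12.4".
BANNER = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")
FIXED_IN = (3, 5, 0)  # CVE-2020-11023 was fixed in jQuery 3.5.0
HEADER_BYTES = 2000   # the banner sits at the top of the file

def jquery_version(text):
    """Return (major, minor, patch) from a jQuery banner, or None if absent."""
    m = BANNER.search(text[:HEADER_BYTES])
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    return version is not None and version < FIXED_IN  # older than the fixed release

def scan_tree(root):
    """Walk a source tree; return {relative path: version} for vulnerable copies."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                version = jquery_version(fh.read(HEADER_BYTES))
            if is_vulnerable(version):
                findings[os.path.relpath(path, root)] = version
    return findings

# Constructed sample tree: one outdated copy, one patched copy, one unrelated file.
SAMPLES = {
    "vendor/jquery-1.12.4.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation */\n",
    "static/jquery.js": "/*!\n * jQuery JavaScript Library v3.6.0\n */\n",
    "static/app.js": "console.log('not jquery');\n",
}

def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)  # -> {"vendor/jquery-1.12.4.min.js": (1, 12, 4)}
```

Because the banner is only read from the first 2000 bytes, a copy whose header comment was stripped during bundling will not be detected; pair this with a package-manager or SCA scan rather than relying on it alone.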
McGuire remarks, “There’s also an interesting shift towards web-based and multi-tenant (SaaS) applications, meaning more high-severity vulnerabilities (81% of audited codebases). We also observed an overwhelming majority of high severity vulnerabilities belonging to jQuery. While this doesn’t really say much about jQuery, it speaks to what most of the audited applications are doing. Another significant observation is that poor dependency management is going to make it increasingly harder to comply with industry and customer software supply chain requirements — like SBOMs. The 2025 OSSRA report found that the average application contains 911 open source dependencies, many of which are out of date or have lost community support.”
Outdated open source components
Among audited codebases, 90% had open source components that were out of date by more than four years. These outdated components can increase security risks, create a larger attack surface for malicious actors and lead to compatibility and compliance problems.
McGuire explains, “Embedded software providers are going to be increasingly focused on the quality, safety and reliability of the software they build. Looking at this year’s data, 79% of the codebases were using components whose latest versions had no development activity in the last two years. This means that these dependencies could become less reliable, so industries like aerospace and medical devices should look to identify these in their own codebases and start moving on from them.”
Improving visibility
“Enterprise regulated organizations are being forced to align with numerous requirements, including providing SBOMs with their applications. If an SBOM isn’t accurate, it’s useless,” McGuire states. “So, getting a complete and accurate picture of application dependencies is crucial. Only 77% of dependencies are being brought in by a package manager, and only 27% are directly included in projects. These organizations need to put serious thought into how they’re eliminating these massive blind spots before they attest that they’re shipping complete SBOMs.”
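The direct-versus-transitive split McGuire describes, as an added example that is not part of the report: the script parses a constructed npm package-lock.json (lockfileVersion 2 or 3, which carries the "packages" map), separates packages the project declares in its own root entry from those pulled in by other packages, and reports the transitive share. Anything vendored into the tree by hand never appears in a lockfile at all, which is the part of the blind spot that package-manager scanning alone cannot close.

```python
import json

# Constructed package-lock.json (lockfileVersion 3): the root entry "" lists what the
# project itself declares; every other key is an installed package path.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        "node_modules/body-parser": {"version": "1.20.1"},
        "node_modules/qs": {"version": "6.11.0"},
        "node_modules/express/node_modules/qs": {"version": "6.10.0"},
        "node_modules/chalk": {"version": "4.1.2", "dev": True},
    },
})

def classify_dependencies(lock_text):
    """Split installed packages into direct (declared by the root) and transitive."""
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("only lockfileVersion 2 or 3 carries the 'packages' map")
    root = lock["packages"][""]
    declared = set(root.get("dependencies", {})) | set(root.get("devDependencies", {}))
    direct, transitive = {}, {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        # The package name is whatever follows the last "node_modules/" (scoped names
        # keep their "@scope/" prefix). A nested path such as
        # node_modules/express/node_modules/qs is a second copy installed for express
        # and is therefore transitive even if that name is also declared at the root.
        name = path.rsplit("node_modules/", 1)[-1]
        top_level = path == "node_modules/" + name
        bucket = direct if top_level and name in declared else transitive
        bucket[path] = meta.get("version")
    return direct, transitive

def transitive_share(lock_text):
    """Percentage of installed packages that the project never declared itself."""
    direct, transitive = classify_dependencies(lock_text)
    total = len(direct) + len(transitive)
    return round(100 * len(transitive) / total) if total else 0
```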
Security leaders weigh in
Eric Schwake, Director of Cybersecurity Strategy at Salt Security:
The research findings indicate that adopting open-source software widely poses considerable security challenges. Many commercial codebases exhibit critically risky vulnerabilities, indicating a systemic problem. Many outdated open-source components, such as the prevalent yet vulnerable jQuery, significantly increase the attack surface. Additionally, many dependencies remain unknown and could be introduced through practices like AI coding assistants, which worsens the situation. This lack of transparency in the software supply chain makes vulnerabilities linger unnoticed.
Moreover, these vulnerabilities directly affect APIs, which are often built upon and integrated with open-source components. When vulnerable libraries are utilized in APIs, those APIs inherit associated risks. Attackers can leverage these vulnerabilities to compromise API endpoints, access sensitive information without authorization, or disrupt services.
This highlights the necessity for a strong approach to API posture governance. By undertaking thorough API discovery, organizations can locate all APIs, including those using open source components, allowing for comprehensive vulnerability scanning and risk evaluation. Posture governance facilitates establishing and enforcing security policies, ensuring APIs meet best practices regarding authentication, authorization, and data protection. By enhancing visibility into APIs within open source software and applying security policies, organizations can substantially lower their attack surface and mitigate risks tied to vulnerable open-source dependencies.
Jason Soroko, Senior Fellow at Sectigo:
Open source software is both indispensable and dangerously neglected. With 86% of codebases harboring vulnerabilities and a tripling in open source file counts over four years, modern applications have increased their attack surfaces without adequate oversight. Outdated components that are often over four years behind serve as major potential problems, while jQuery’s persistent flaws, notably CVE-2020-11023, are an example of a worrying inertia in maintenance practices. We are dependent on the goodwill of the maintainers of these projects who all have day jobs. License conflicts and untracked dependencies compound the risk, leaving organizations vulnerable not only to exploits but also to legal and compliance pitfalls.
Security teams must overhaul their strategies. Traditional package scanning misses over 20% of dependencies, exposing blind spots introduced by alternate coding practices and even AI tools. This report isn’t just a wake-up call; it’s a mandate for proactive governance. Rigorous patch management, comprehensive scanning beyond conventional tools and strict adherence to licensing protocols are non-negotiable in mitigating these risks. The open source landscape offers powerful tools that we all use, but only when its dangers are managed with vigilance.
Trey Ford, Chief Information Security Officer at Bugcrowd:
This must-read report underscores why SBOMs are a great thing — knowing exactly what is in software is a win. Their existence is a proxy indicator for software maturity, and creates ideal conditions for maintaining transparency, currency, and improving security outcomes.
Licensing is complicated — SBOMs lower the risk of surprise in M&A scenarios, and can increase confidence in deal discussions.
Projects and the promise of new revenue will always be sexier than maintenance, refactoring and optimization. Hearing that 91% of codebases had out-of-date components, and a full 90% of all codebases had components more than 10 versions behind, comes as no surprise.