The Revenera 2021 State of Open Source License Compliance report released today shows more extensive open source use than organizations disclose, paired with rapid growth in security vulnerabilities.
The report analyzes data from 2020 audit services projects, evaluating the prevalence of open source software (OSS), the under-reporting of that use, and the resulting license compliance issues and security vulnerabilities. This global, cross-industry study by Revenera’s audit services team evaluated more than 2.1 billion lines of code and uncovered 174,334 issues.
“Open source software’s growing popularity is due in part to its ability to give companies accelerated time-to-market and provide more focus on core competencies for development teams. However, with that valuable opportunity comes risks that are often unknown and therefore not addressed,” said Alex Rybak, Director, Product Management, Revenera. “A continuous, automated open source management program is the best way to proactively monitor code churn throughout the development process and address any identified compliance issues, especially new security vulnerabilities—all while embracing open source for the strategic advantages it provides.”
Highlights of the Revenera 2021 State of Open Source License Compliance report:
· Growing use of open source software increases the possibility of risk. The average number of issues uncovered per audit project grew to 1,959, compared with 662 reported the previous year, a year-over-year increase of roughly 200 percent. The growth was fueled by popular package ecosystems, including PyPI, NPM, and RubyGems, that pull ever more dependencies into users’ codebases. Binaries, which are made up of compiled source code from various origins, grew 58 percent year over year, with one issue discovered for every 12,126 lines of code.
· Organizations face more risk than is disclosed. While 55 percent of the scanned codebase files were attributed to open source (an increase of 10 percent over the previous year), only 4 percent of the issues ultimately uncovered by the audits had been disclosed by the audited organizations before the audit started.
· Security vulnerabilities are growing. Data from forensic and standard audits identified 89 security vulnerabilities per project, jumping from 45 in the previous year’s findings.
· Critical license compliance issues require immediate attention. Priority 1 (P1) issues are those that pose the most critical threat and that should be remediated first. The team found 130 P1 issues per project, representing 5 percent of the total issues uncovered through M&A and baseline audit projects.
· Multiple types of audit analysis are required to meet users’ needs. 37 percent of issues were identified through Standard Audit Analysis, which identifies explicit P1 licenses and large third-party components; 28 percent came from Forensic Audit Analysis, which provides an in-depth scan of all evidence types; and 34 percent were identified through Targeted Audit Analysis, custom audits scoped to customer need. Audit customers in 2020 expected faster turnaround times due to an increase in M&A activity.
· Weak copyleft licenses cover 20 percent of the scanned codebase. Weak copyleft licenses permit free use of the software, but depending on whether the code is modified, how it is linked, and how it is packaged and distributed, they may impose obligations beyond simple attribution; in some cases those obligations extend to all derivative works. Permissive licenses, which carry minimal restrictions, make up 63 percent of the codebase. Strong copyleft licenses, which require that any distributed software linking to or incorporating such code be licensed under compatible terms, represent 12 percent of licenses.
To learn more, you can check out these resources:
· Report: Revenera 2021 State of Open Source License Compliance
· Analyst brief: Addressing the Hidden Cost of Embedding Open Source Software
· Analyst market guide: 2020 Market Guide for Software Composition Analysis
· Blog: Open source is essential. Are you addressing the hidden compliance and security costs?