C003 — OSSRA Vulnerability Prevalence and Growth Rate — The claim is almost certainly correct as quoted (95-99%) but very likely misleading without context (80-90%).
Summary
Claim: 87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.
Bottom Line: All three figures (87%, 581, 107%) are confirmed verbatim from the 2026 OSSRA report. However, the figures require significant caveats: the sample is 947 commercial codebases from M&A due diligence (non-representative), the median is only 78 vulnerabilities (vs. 581 mean, showing extreme right-skew), an expert characterizes the 581 as 'largely transitive dependency sprawl,' and the 107% increase is partly attributable to CVE database growth (Linux Kernel CNA adding 5,000+ CVEs in 2024). The researcher should cite these figures accurately but present the caveats to avoid misleading readers.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Hypotheses
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | H1 | 0 | 0 |
| S02 | H3 | 0 | 0 |
| S03 | H4 | 0 | 0 |
| S04 | H2 | 0 | 0 |
Sources
| ID | Title | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC002 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC003 | https://github.com/ossf/scorecard | High | High |
| SRC004 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | Medium | High |
| SRC005 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC006 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC009 | https://konvu.com/compare/semgrep-vs-codeql | Medium | High |
| SRC010 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC011 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC012 | https://openssf.org/blog/2024/01/31/maintainer-motivations-c | High | High |
| SRC013 | https://link.springer.com/article/10.1007/s10664-023-10369-w | High | Medium |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Robust |
| Source agreement | High |
Revisit Triggers
- [data_update] The 2027 OSSRA report is published with updated vulnerability prevalence figures
- [study] A competing SCA vendor (Snyk, Mend) publishes vulnerability prevalence data from a different sampling methodology for cross-validation
- [event] The NVD/CVE database growth rate changes significantly (accelerates or stabilizes)
- [event] The Linux Kernel CNA's initial backlog of CVE disclosures is exhausted, changing the YoY comparison baseline