C003 — OSSRA Vulnerability Prevalence and Growth Rate — Assessment
All three figures (87%, 581, 107%) are confirmed verbatim from the 2026 OSSRA report. However, the figures require significant caveats: the sample is 947 commercial codebases from M&A due diligence (non-representative), the median is only 78 vulnerabilities (vs. 581 mean, showing extreme right-skew), an expert characterizes the 581 as 'largely transitive dependency sprawl,' and the 107% increase is partly attributable to CVE database growth (Linux Kernel CNA adding 5,000+ CVEs in 2024). The researcher should cite these figures accurately but present the caveats to avoid misleading readers.
Evidence Synthesis
Evidence quality: Robust — All three figures (87%, 581, 107%) are confirmed verbatim from the 2026 OSSRA report via two independent sources (the Black Duck blog post and SC World news coverage). The report methodology is documented (947 commercial codebases across 17 industries). Additional contextual data is available including the median (78), the maximum (38,998), and the Linux Kernel CNA factor.
Source agreement: High — The Black Duck blog and SC World news coverage agree on all three figures. Both also agree on important context: the sample is commercial M&A audit codebases, and the Linux Kernel CNA addition contributed to the CVE growth. An independent expert (Saumitra Das of Qualys) provides additional context about transitive dependency sprawl.
Independence: Partially derived. The SC World article is independent journalism but reporting on the same OSSRA report. The Qualys expert commentary is independent. Both sources derive from the same underlying OSSRA data.
Probability Assessment
- C003-H1: Almost certain (95-99%)
- All three figures are confirmed verbatim from the 2026 OSSRA report via multiple sources. The figures are accurately reported from the source.
- C003-H2: Almost no chance (1-5%)
- The figures are confirmed verbatim from the OSSRA report. There is no evidence of misquotation or error.
- C003-H3: Very likely (80-90%)
- Strong evidence that the OSSRA sample is non-representative: 947 commercial codebases from M&A due diligence. The median is only 78 vulnerabilities vs. the reported mean of 581, showing extreme right-skew. An expert notes the 581 figure is 'largely transitive dependency sprawl.' The sampling bias and statistical distribution make the headline figures misleading as a representation of 'typical' software.
- C003-H4: Likely (65-80%)
- The Linux Kernel CNA addition in early 2024 produced 5,000+ new CVE disclosures during the audit period. This is explicitly cited as a contributing factor. CVE disclosures jumped 38% YoY from 2023 to 2024 (28K to 40K+). The 107% increase in vulnerabilities per codebase partially reflects this database growth rather than codebases becoming less secure.

Verdict: The claim is almost certainly correct as quoted from the OSSRA report (95-99%). However, the figures are very likely misleading without context (80-90%): the sample is M&A audit codebases (non-representative), the median is only 78 (vs. 581 mean), and the 107% increase is partially driven by CVE database growth (Linux Kernel CNA adding 5,000+ CVEs). The researcher should cite the figures accurately but present the caveats.
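The median-versus-mean caveat above is easy to see on a constructed sample: the block below (added here, not part of the assessment or of the OSSRA report) computes mean, median and the share of findings held by the top 10% of codebases, showing how a handful of dependency-sprawl outliers can push a mean far above the median, as with 581 vs. 78. The counts and the helper names `summarize` and `trimmed_mean` are constructed assumptions, not report data.

```python
from statistics import mean, median

# Constructed per-codebase vulnerability counts (NOT the OSSRA sample):
# most codebases carry a few dozen findings, a handful carry thousands,
# mirroring the right-skew the assessment describes.
SAMPLE = [0, 0, 3, 12, 25, 40, 55, 70, 86, 110,
          140, 200, 260, 350, 500, 900, 1500, 2600, 5400, 30000]


def summarize(counts):
    """Return mean, median, max and the share of all findings held by the
    top 10% of codebases, the figures a reader needs beside any headline mean."""
    ordered = sorted(counts)
    top_n = max(1, len(ordered) // 10)          # size of the top decile
    top_share = sum(ordered[-top_n:]) / sum(ordered)
    return {
        "mean": mean(ordered),
        "median": median(ordered),
        "max": ordered[-1],
        "top10_share": top_share,
    }


def trimmed_mean(counts, trim=0.1):
    """Mean after dropping the lowest and highest `trim` fraction of codebases,
    a robust alternative that is far less sensitive to a few extreme outliers."""
    ordered = sorted(counts)
    k = int(len(ordered) * trim)
    core = ordered[k:len(ordered) - k] if k else ordered
    return mean(core)


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(f"mean={stats['mean']:.1f} median={stats['median']} max={stats['max']} "
          f"top10_share={stats['top10_share']:.0%} trimmed={trimmed_mean(SAMPLE):.1f}")
```

When the mean is an order of magnitude above the median and the top decile holds most of the total, the mean describes the outliers, not a typical codebase, which is the point of the caveat on the 581 figure.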
Evidence Gaps
Expected but not found:
- Competing vulnerability prevalence data from other SCA vendors (Snyk, Mend) for cross-validation
- OSSRA report's own discussion of sample representativeness limitations
- Year-over-year comparison controlling for CVE database growth

Unanswered questions:
- What would the 107% increase look like if normalized for CVE database growth?
- Do other SCA vendor reports show similar vulnerability prevalence rates with different sampling methodologies?
- What fraction of the 581 average is direct vs. transitive dependency vulnerabilities?
Impact on confidence: Gaps have minimal impact on confidence in the figures' accuracy (which is high) but moderate impact on confidence in their representativeness (which is already flagged as a concern). Cross-validation against other vendor reports would strengthen the analysis.