
C003 — OSSRA Vulnerability Prevalence and Growth Rate — Input


Original Text

87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.

Clarified for Testability

In a specific audit sample (likely from Synopsys/Black Duck's Open Source Security and Risk Analysis report), 87% of codebases examined contained at least one known vulnerability in their open source dependencies. Among those codebases, the average number of known vulnerabilities per codebase was 581, which represented a 107% increase compared to the previous year's measurement. All three numbers (87%, 581, 107%) are from the same report/study and the same audit sample.

Embedded Assumptions Surfaced

  • Assumes a specific audit sample — the OSSRA report audits a non-random selection of codebases (typically from M&A due-diligence engagements), which may not be representative of all software.
  • Assumes 'known open source vulnerability' means a CVE or equivalent identifier exists in a vulnerability database for a component version present in the codebase.
  • Assumes the 107% year-over-year increase is comparing the same metric across consecutive annual reports, but the audit sample composition may differ year to year.
  • The claim combines three separate statistics as if they are a single finding — they may come from different parts of the report or different subsets of the data.
  • The source (OSSRA) is produced by a company (Synopsys/Black Duck) that sells software composition analysis tools, creating a potential commercial bias toward alarming findings.
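To make the three statistics concrete and show why the assumptions above matter, here is an added Python example; it is not code from the OSSRA report or from any SCA vendor's tool. It matches constructed SBOMs against a constructed advisory list (component names, version ranges and the VULN-000x identifiers are invented placeholders) and computes the share of codebases with at least one known vulnerability, the mean number per codebase, and the year-over-year change. It exposes two choices the claim leaves open: whether the mean is taken over all codebases or only affected ones, and whether a single advisory matching two copies of a component counts once or twice.

```python
"""Toy software-composition-analysis (SCA) matcher computing OSSRA-style
prevalence metrics. All SBOMs, advisories and version ranges below are
constructed for illustration and are not OSSRA data."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str            # placeholder identifier, not a real CVE
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """Match when the name is equal and introduced <= version < fixed."""
    if comp.name != adv.component:
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def known_vulns(sbom: Iterable[Component], advisories: Iterable[Advisory]) -> Set[str]:
    """'Known vulnerability' = an advisory whose affected range contains a
    component version present in the SBOM (the second assumption above).
    Returning a set counts an advisory once even if two copies of the
    component match; the report does not state its convention, so this is
    an explicit choice of this example."""
    return {adv.vuln_id for comp in sbom for adv in advisories if is_affected(comp, adv)}


def prevalence_metrics(codebases: Dict[str, List[Component]],
                       advisories: List[Advisory]) -> Dict[str, object]:
    """Per-codebase counts plus the three aggregate figures in the claim."""
    counts = {name: len(known_vulns(sbom, advisories)) for name, sbom in codebases.items()}
    affected = [c for c in counts.values() if c > 0]
    n = len(counts)
    return {
        "counts": counts,
        "pct_with_vuln": 100.0 * len(affected) / n,
        "mean_all": sum(counts.values()) / n,                    # averaged over every codebase
        "mean_affected": sum(affected) / len(affected) if affected else 0.0,  # only codebases with >= 1
    }


def yoy_change_pct(prev: float, curr: float) -> float:
    """Year-over-year change as a percentage of the previous value."""
    return 100.0 * (curr - prev) / prev


# Constructed advisory database (placeholder IDs, invented ranges).
ADVISORIES = [
    Advisory("VULN-0001", "libfoo", "1.0.0", "1.2.5"),
    Advisory("VULN-0002", "libfoo", "1.2.0", "1.3.0"),
    Advisory("VULN-0003", "libbar", "2.0.0", None),
    Advisory("VULN-0004", "libbaz", "0.9.0", "1.0.0"),
]

# Constructed audit samples: same four codebases in two consecutive years.
CODEBASES_PREV = {
    "app-a": [Component("libfoo", "1.3.1")],
    "app-b": [Component("libbar", "2.0.0")],
    "app-c": [Component("libbaz", "1.0.0")],
    "app-d": [Component("libfoo", "1.0.0")],
}
CODEBASES_CURR = {
    "app-a": [Component("libfoo", "1.2.3"), Component("libbar", "2.1.0")],
    "app-b": [Component("libfoo", "1.3.0"), Component("libbaz", "1.0.0")],
    "app-c": [Component("libbaz", "0.9.5"), Component("libbar", "2.0.0")],
    # two vendored copies of libfoo: VULN-0001 matches both but is counted once
    "app-d": [Component("libfoo", "1.2.4"), Component("libfoo", "1.1.0")],
}


def report() -> Dict[str, float]:
    prev = prevalence_metrics(CODEBASES_PREV, ADVISORIES)
    curr = prevalence_metrics(CODEBASES_CURR, ADVISORIES)
    return {
        "pct_with_vuln": curr["pct_with_vuln"],
        "mean_all": curr["mean_all"],
        "mean_affected": curr["mean_affected"],
        "yoy_mean_all": yoy_change_pct(prev["mean_all"], curr["mean_all"]),
        "yoy_mean_affected": yoy_change_pct(prev["mean_affected"], curr["mean_affected"]),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v:.2f}")
```

Run it directly to print the figures. Note that the two definitions of "average vulnerabilities per codebase" give different year-over-year growth rates from identical inputs, which is why the clarified statement's "among those codebases" wording needs to be confirmed against the report before the 581 and 107% figures can be tested.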

Scope

Domain: Software supply chain security — open source vulnerability prevalence

Timeframe: Likely from the 2025 or 2026 OSSRA report (covering audits conducted in the previous calendar year)

Testability: Testable by examining the specific OSSRA report cited. Cross-validation possible against other SCA vendor reports (Snyk, Sonatype, Mend/WhiteSource).

Vocabulary Map

Primary Terms: open source vulnerability, OSSRA report, software composition analysis, codebase audit, known vulnerability

Domain Variants: SCA findings, third-party component vulnerabilities, dependency vulnerabilities, open source risk, CVE density

Related Concepts: software supply chain risk, vulnerability management, SBOM, software bill of materials, CVE, NVD, dependency scanning
