SRC004 — https://www.blackduck.com/blog/open-source-trends-ossra-report.html
Metadata
| Field | Value |
|---|---|
| URL | https://www.blackduck.com/blog/open-source-trends-ossra-report.html |
| Authors | Black Duck (formerly Synopsys) |
| Date | 2026-02-25 |
Content Summary
Summary of the 2026 OSSRA report, based on 947 commercial codebase audits across 17 industries. It reports that 87% of codebases contain at least one vulnerability, an average of 581 vulnerabilities per codebase (a 107% year-over-year increase), that 78% contain high-risk vulnerabilities, and that 93% contain components with no development activity in the past two years.
Reliability: Medium
Vendor report from a company that sells SCA tools, but it is based on actual audit data from 947 codebases.
Relevance: High
Primary source for all three statistics in claim C003 (87%, 581, 107%).
Bias Assessment
| Domain | Rating | Rationale |
|---|---|---|
| Missing Data | Some concerns | Audit sample composition not fully described; industry breakdown provided but selection methodology not detailed. |
| Measurement | Low risk | Scanning against a comprehensive 10M+ project KnowledgeBase with 317K+ known vulnerabilities. |
| Selective Reporting | Some concerns | Headline figures emphasize alarming trends; less prominent reporting of decrease in high-severity vulnerability rates. |
| Randomization | N/A | Not an RCT. |
| Protocol Deviation | N/A | Not an RCT. |
| Conflict Of Interest | High risk | Black Duck sells the exact SCA tools that would address the problems this report highlights. |