Summary
Claim: 87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.
Bottom Line: All three figures (87% vulnerability prevalence, 581 average vulnerabilities per codebase, 107% YoY increase) are confirmed from the Black Duck 2026 OSSRA report. However, the sample consists of 947 commercial codebases undergoing M&A audits, not open source projects. This commercial audit sample systematically overrepresents codebases with deferred maintenance and neglected dependency management, making the figures potentially misleading when used to characterize the open source ecosystem generally.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Hypotheses
| ID | Label | Status |
|---|---|---|
| H1 | | — |
| H2 | | — |
| H3 | | — |
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | H1 | 0 | 0 |
| S02 | H2 | 0 | 0 |
| S03 | H3 | 0 | 0 |
| S04 | H2 | ? | ? |
Sources
| ID | Title | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://arxiv.org/html/2602.14572v3 | High | High |
| SRC003 | https://www.blackduck.com/blog/open-source-trends-ossra-repo | High | High |
| SRC004 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC005 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
| SRC006 | https://www.sonatype.com/press-releases/sonatypes-10th-annua | High | High |
| SRC007 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC008 | https://github.com/ossf/scorecard | High | High |
| SRC009 | https://blog.jetbrains.com/teamcity/2025/10/the-state-of-cic | Medium | Medium |
| SRC010 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC011 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC012 | https://thenewstack.io/checking-linuxs-code-with-static-anal | High | High |
| SRC013 | https://www.sonatype.com/state-of-the-software-supply-chain/ | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Robust |
| Source agreement | High |
Revisit Triggers
- [data_update] Black Duck publishes the 2027 OSSRA report with updated figures for the same metrics.
- [study] An independent study measures vulnerability rates in actively maintained open source projects (not M&A audit targets) using similar methodology.
- [event] OSSRA methodology changes to include non-M&A audit samples (e.g., randomly sampled open source projects).
- [data_update] NVD or OSV database coverage changes significantly, which could affect vulnerability detection rates.