C003 — OSSRA Report: 87% Vulnerable, 581 Avg, 107% Increase — Input
Original Text
87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.
Clarified for Testability
In the Synopsys/Black Duck Open Source Security and Risk Analysis (OSSRA) report (the claim does not identify the edition; the 2024, 2025 and 2026 editions are the candidates, and the headline percentage together with the per-codebase average pins down which one), 87% of the commercial codebases audited by Black Duck Audit Services in the covered year contained at least one known open source vulnerability, and the mean number of known vulnerabilities per codebase was 581. The 107% figure is the year-over-year increase in that per-codebase mean relative to the prior edition, which implies a prior-edition mean of roughly 281 (581 / 2.07); it is not an increase in the 87% share.
Embedded Assumptions Surfaced
- Assumes the figures come from a single OSSRA edition and describe that edition's audit sample: commercial codebases audited by Black Duck Audit Services (largely for M&A due diligence) that incorporate open source components. They are not open source projects themselves, and the sample is not a random sample of commercial software, so the percentages do not generalise to open source or to industry at large.
- Assumes 'known vulnerability' means a publicly identified vulnerability (a CVE or an equivalent entry in a database such as NVD or OSV). The report's own definition should be checked, since vendor knowledge bases also carry advisories without CVE identifiers, and including them changes the count.
- Assumes the 107% year-over-year increase compares the same metric (mean known vulnerabilities per codebase) between two consecutive annual editions using the same counting methodology; a change in what is counted would inflate the apparent increase.
- Assumes 581 is an arithmetic mean. A few codebases with very large dependency trees can dominate a mean, so the median (if the edition reports one) is the better indicator of a typical codebase.
Scope
| Dimension | Value |
|---|---|
| Domain | Software supply chain security — open source vulnerability prevalence in commercial codebases |
| Timeframe | 2024-2026 (OSSRA report editions) |
| Testability | Testable by locating the OSSRA edition that reports these exact figures and checking: the sample size and sampling basis (audit engagements, not a random sample); the report's definition of 'known vulnerability' and whether 581 is a mean or a median; that the 107% increase is computed on the per-codebase average against the prior edition's value (roughly 281 if the claim is internally consistent); and that the counting methodology did not change between the two editions. |
Vocabulary Map
Primary Terms: open source vulnerability, OSSRA report, known vulnerability, codebase audit, vulnerability prevalence
Domain Variants: software composition analysis findings, SCA audit results, open source risk, CVE density, vulnerability density
Related Concepts: Black Duck audit, Synopsys OSSRA, software bill of materials, SBOM, dependency vulnerabilities, transitive dependencies, NVD, OSV