C003 — OSSRA Vulnerability Figures: Accurate but Contextual — Almost certainly accurate as quotation (95-99%), contextual factors very likely influential (80-95%)
Summary
Claim: 87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.
Bottom Line: The claim is almost certainly accurate as a direct quotation from the OSSRA 2026 report. However, the 107% increase is very likely influenced by measurement factors — codebase size grew 74% in files and 30% in components, the CVE database grew 263% over 5 years, and the Linux kernel CNA addition contributed 5,000+ new CVEs during the audit period. The OSSRA sample (947 codebases from M&A due diligence) is not representative of all codebases. Critical/high-severity vulnerability prevalence actually decreased slightly despite the total count increase. The researcher should present these as OSSRA audit findings with full contextual caveats, not as representative of all software.
Results
| Artifact | Description |
|---|---|
| Input | Original text, clarification, scope, vocabulary |
| Assessment | Evidence synthesis, probability assessment, gaps |
| Self-Audit | Process audit across 4 ROBIS domains |
| Reading List | Prioritized source list |
Hypotheses
Searches
| ID | Target | Returned | Selected |
|---|---|---|---|
| S01 | H1 | ? | ? |
| S02 | H2 | ? | ? |
| S03 | H3 | ? | ? |
| S04 | H4 | ? | ? |
| S05 | H2 | ? | ? |
Sources
| ID | Title / URL | Reliability | Relevance |
|---|---|---|---|
| SRC001 | https://mir.cs.illinois.edu/marinov/publications/HiltonETAL1 | High | High |
| SRC002 | https://decan.lexpage.net/files/SANER-2022a.pdf | High | High |
| SRC003 | https://www.sciencedirect.com/science/article/abs/pii/S01641 | High | High |
| SRC004 | https://blog.jetbrains.com/teamcity/2026/03/best-ci-tools/ | Medium | Medium |
| SRC005 | https://www.chainguard.dev/unchained/wolfis-upstream-securit | Medium | High |
| SRC006 | https://www.scworld.com/news/open-source-vulnerabilities-per | Medium | High |
| SRC007 | https://www.sonatype.com/state-of-the-software-supply-chain/ | Medium | High |
| SRC008 | https://arxiv.org/html/2409.07669v2 | High | High |
| SRC009 | https://www.pixee.ai/blog/sast-false-positives-reduction | Medium | High |
| SRC010 | https://embeddedbits.org/how-is-the-linux-kernel-tested-embe | Medium | High |
| SRC011 | https://www.kernel.org/doc/html/v6.5/dev-tools/testing-overv | High | High |
| SRC012 | https://arxiv.org/html/2605.07900v1 | High | High |
| SRC013 | https://www.nist.gov/news-events/news/2026/04/nist-updates-n | High | High |
| SRC014 | https://www.moderne.ai/blog/security-dependency-updates-unma | Medium | High |
| SRC015 | https://contribute.cncf.io/resources/services/hosted-tools/ | High | Medium |
| SRC016 | https://www.linuxfoundation.org/research/maintainer-perspect | High | High |
Evidence Snapshot
| Dimension | Rating |
|---|---|
| Evidence quality | Robust |
| Source agreement | High |
Revisit Triggers
- [data_update] OSSRA 2027 report is published, providing the next year-over-year comparison and updated figures.
- [study] An academic study or independent audit organization publishes vulnerability prevalence data from a non-M&A sample for comparison.
- [data_update] NVD/CVE database growth rate normalizes (drops below 20% year-over-year), suggesting measurement expansion has stabilized.
- [event] Linux kernel CNA's annual CVE output stabilizes, removing the one-time surge effect from per-codebase counts.