C003 — OSSRA Vulnerability Figures: Accurate but Contextual — Input

Contents

Original Text

87% of audited codebases contain at least one known open source vulnerability, with an average of 581 vulnerabilities per codebase representing a 107% year-over-year increase.

Clarified for Testability

In the Synopsys/Black Duck Open Source Security and Risk Analysis (OSSRA) report, 87% of codebases audited contained at least one known open source vulnerability, the average count of vulnerabilities per codebase was 581, and this average represented a 107% increase compared to the prior year's report. These figures come from commercial audit data of enterprise codebases.

Embedded Assumptions Surfaced

  • Assumes the source is the Synopsys/Black Duck OSSRA report — the claim does not specify which year's edition, though the candidate evidence points to the 2026 report.
  • Assumes the audited codebases are representative of a broader population, but OSSRA audits are conducted during M&A due diligence and consulting engagements, creating a significant selection bias toward enterprise codebases undergoing transactions.
  • The 107% year-over-year increase could reflect growth in the vulnerability database (more identifiers catalogued and matched against the same components) or a different sample of codebases in each edition, rather than actual degradation of codebase security; the audits are not a longitudinal measurement of the same codebases.
  • Assumes 'known open source vulnerability' means a CVE or equivalent identifier matched to an open source component, but detection methodology affects the count: whether the average counts unique identifiers or per-component occurrences, whether transitive dependencies are included, and which database snapshot the scan is matched against.
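The following is an added illustration, not code from the OSSRA report or from this page's source, of why the per-codebase count and its year-over-year change depend on the matching method as much as on the codebase. It scans one constructed SBOM against two snapshots of a constructed advisory database (hypothetical package names and HYP-* identifiers, not real CVEs) and counts hits two ways: unique identifiers and per-occurrence (a package reached by two dependency paths is matched twice). The same unchanged codebase produces a different count and a different "increase" under each choice. Version matching assumes simple dotted numeric versions with an inclusive introduced version and an exclusive fixed version, which is a simplification of real advisory ranges.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    package: str
    introduced: str       # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None = no fix
    published: date       # date the database first listed the advisory


# Constructed advisories for hypothetical packages (not real CVEs).
ADVISORIES = [
    Advisory("HYP-2023-0001", "pkg-a", "1.0.0", "1.4.0", date(2023, 3, 1)),
    Advisory("HYP-2024-0002", "pkg-a", "1.0.0", "1.5.0", date(2024, 6, 1)),
    Advisory("HYP-2025-0003", "pkg-a", "1.2.0", None, date(2025, 4, 1)),
    Advisory("HYP-2025-0004", "pkg-b", "3.0.0", "3.1.0", date(2025, 9, 1)),
    # Fixed before the version in the SBOM below, so it must not match.
    Advisory("HYP-2024-0005", "pkg-c", "0.1.0", "0.2.0", date(2024, 1, 1)),
]

# Constructed SBOM of one codebase: (package, version, dependency path).
# pkg-a is reached through two paths, which is what separates the two counting rules.
SBOM = [
    ("pkg-a", "1.3.0", "app > pkg-a"),
    ("pkg-a", "1.3.0", "app > pkg-d > pkg-a"),
    ("pkg-b", "3.0.2", "app > pkg-b"),
    ("pkg-c", "0.2.0", "app > pkg-c"),
]


def version_key(version: str) -> tuple:
    """Dotted numeric versions only (assumption; real advisories use richer ranges)."""
    return tuple(int(part) for part in version.split("."))


def affects(adv: Advisory, version: str) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = version_key(version)
    if v < version_key(adv.introduced):
        return False
    if adv.fixed is not None and v >= version_key(adv.fixed):
        return False
    return True


def snapshot(as_of: date) -> list:
    """The database as it existed on a given date: only advisories published by then."""
    return [a for a in ADVISORIES if a.published <= as_of]


def scan(sbom: list, advisories: list, count: str = "unique") -> int:
    """Count matches for one codebase. 'unique' counts distinct identifiers;
    'occurrence' counts every (component instance, advisory) pair."""
    hits = [
        (pkg, ver, path, a.vuln_id)
        for pkg, ver, path in sbom
        for a in advisories
        if a.package == pkg and affects(a, ver)
    ]
    if count == "unique":
        return len({h[3] for h in hits})
    if count == "occurrence":
        return len(hits)
    raise ValueError(f"unknown counting rule: {count}")


def pct_change(old: int, new: int) -> float:
    """Year-over-year change as reported in vendor summaries."""
    return (new - old) / old * 100.0


if __name__ == "__main__":
    earlier, later = snapshot(date(2024, 12, 31)), snapshot(date(2025, 12, 31))
    for rule in ("unique", "occurrence"):
        old, new = scan(SBOM, earlier, rule), scan(SBOM, later, rule)
        print(f"{rule:10s} 2024 snapshot={old} 2025 snapshot={new} "
              f"change={pct_change(old, new):.0f}%")
```

Both runs scan exactly the same SBOM; the only variables are the database date and the counting rule. Before comparing OSSRA's 581 with another vendor's average, or its 107% with a prior edition, pin down which snapshot date and which of these rules the figure used.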

Scope

Dimension     Value
Domain        Software supply chain security — open source vulnerability prevalence in enterprise codebases
Timeframe     2025-2026 (OSSRA report publication cycle)
Testability   Testable by obtaining the specific OSSRA edition cited and checking the three figures (87%, 581, 107%) and the prior-year baseline against it, then cross-referencing with other commercial SCA vendor reports (Snyk, Sonatype, Mend) and comparing their sampling, database snapshot and counting methodologies.

Vocabulary Map

Primary Terms: open source vulnerability, OSSRA, codebase audit, vulnerability prevalence, SCA

Domain Variants: software composition analysis, dependency vulnerability, CVE, known vulnerability, third-party component risk, Black Duck audit

Related Concepts: vulnerability management, software supply chain risk, open source risk, M&A due diligence, NVD, OSV, vulnerability database