Open source software vulnerabilities found in 86% of codebases
Briefly

The Black Duck OSSRA report indicates that a staggering 86% of codebases contain open source software vulnerabilities, with 81% containing high- or critical-risk vulnerabilities. The analysis covered 1,658 examinations across various industries and found a notable increase in the share of open source files within applications. Mike McGuire points to the prevalence of blind spots in dependency management and the growing demand for supply chain visibility. Identifying jQuery as a primary source of vulnerabilities, the report underscores the shift towards web-based applications and the corresponding risk landscape.
The most significant takeaway from my perspective is that blind spots are prevalent when it comes to open source dependency management. We've stressed for some time the importance of eliminating these blind spots, but that has become particularly important as more industries and consumers demand complete supply chain visibility.
There's also an interesting shift towards web-based and multi-tenant (SaaS) applications, meaning more high-severity vulnerabilities (81% of audited codebases). We also observed an overwhelming majority of high severity vulnerabilities belonging to jQuery.
Read at Securitymagazine