Flexera Releases 2020 Insights on Open Source License Compliance

Flexera’s Software Composition Analysis teams analyzed data from 121 audit projects to evaluate the extent to which companies under-report open source usage—and the resulting license compliance issues and vulnerabilities present in their applications. This global, cross-industry study evaluated more than 2.6 billion lines of code and uncovered 80,157 total issues; compared to the 2019 report, the average number of issues per project jumped over 80 percent, due partially to the number of Node.js packages from NPM, a trend expected to continue in 2020. The report provides valuable insights for security, engineering, and legal teams.

“Open source usage continues to grow while driving increased productivity, faster time to market, and lower cost solutions. Knowing what and how much open source is in use is critically important for any software supplier, as well as their stakeholders, partners—and their customers. The increase in the number of issues uncovered per audit project, as compared to 2019 data, emphasizes the value of having a formal open source management strategy for the entire supply chain,” said Brent Pietrzak, SVP and General Manager of Flexera’s Supplier Division. “While open source isn’t inherently riskier than proprietary code, open source can become a vulnerability when it isn’t managed properly.”

The 2020 report highlights:

• Need for increased awareness. The Flexera audit team found that 45 percent of the scanned codebase files were attributed to open source components. Only 1 percent of the issues that were uncovered during the audit process were disclosed prior to the start of the audit. Automated Software Composition Analysis (SCA) solutions can enable secure risk management through continuous scanning and monitoring to capture information frequently missed through manual or incomplete processes.
• Growth of open source issues. With one issue discovered for every 32,600 lines of scanned code, the 2020 analysis uncovered an average of 662 issues per audit project.
• Severity of license compliance issues. Priority 1 (P1) issues are the most critical and need to be remediated first. This year’s analysis showed that 17 percent of identified issues are P1, meaning they pose a critical threat that demands a culture focused on license compliance, intellectual property (IP) protection, and best-in-class open source software management.
• Fast scans aren’t enough. Fast scans alone don’t reveal all issues; more extensive audits are required to get a full picture of risk. In this research, forensic audits discovered 6 percent more issues per project compared to standard audits and 9 percent more than targeted audits.
• Prevalence of security vulnerabilities. Data from 91 forensic and standard audit services projects identified 45 security vulnerabilities per project. Among those uncovered, 45 percent contained a “high” Common Vulnerability Scoring System (CVSS) risk score.

Resources

• Report: The Flexera 2020 State of Open Source License Compliance
• Webinar registration: Review of 2020 State of Open Source License Compliance
• Blog: Open Source License Compliance: Raising the Bar
• Webinar: Create Trust in the Software Supply Chain
• Webinar Series: Software Composition Analysis in the Engineering Process:
  • Part 1: The A to Z of Software Composition Analysis
  • Part 2: Going Deep: The SCA Inventory Management Lifecycle
  • Part 3: Looking Ahead: 2020 and Beyond