At a time when almost all software contains open source code, at least one known open source vulnerability was detected in 84% of the commercial and proprietary code bases examined by researchers at application security company Synopsys. In addition, 48% of the code bases analyzed contained high-risk vulnerabilities: those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution (RCE) vulnerabilities.

The vulnerability data, along with information on open source license compliance, is included in Synopsys' 2023 Open Source Security and Risk Analysis (OSSRA) report, put together by the company's Cybersecurity Research Center (CyRC). The report is based on audits of code bases involved in merger and acquisition transactions and highlights trends in open source usage across 17 industries. (Synopsys' Audit Services unit audits code to identify software risks for companies involved in M&A deals.) The audits examined 1,481 code bases for both vulnerabilities and open source licensing compliance; a further 222 code bases were analyzed for compliance only.

Open source vulnerabilities increase

The OSSRA report is based on code audits done in 2022, in which the number of known open source vulnerabilities rose by 4% from 2021.

"Open source was in nearly everything we examined this year; it made up the majority of the code bases across industries," the report said, adding that the code bases contained troublingly high numbers of known vulnerabilities that organizations had failed to patch, leaving them open to exploitation.

All code bases examined from companies in the aerospace, aviation, automotive, transportation, and logistics sectors contained some open source code, and open source made up 73% of the total code. Sixty-three percent of the code bases in this sector contained vulnerabilities classified as high risk, those with a CVSS severity score of 7 or higher. In the energy and clean tech sector, 78% of the total code was open source and 69% of code bases contained high-risk vulnerabilities. Though code bases from these sectors had higher percentages of vulnerabilities than other sectors, "similar findings, to lesser degrees, played out across all industries," according to the report.

Open source adoption jumps

The percentage of open source code in code bases has risen in all industry verticals over the last five years, according to the OSSRA report. Between 2018 and 2022, for example, the share of open source code within scanned code bases grew by 163% in technology for the education sector (EdTech); 97% in aerospace, aviation, automotive, transportation, and logistics; and 74% in manufacturing and robotics.

"We attribute EdTech's explosive open source growth to the pandemic, with education pushed online and software serving as its critical foundation," the report said.

High-risk vulnerabilities rise

Meanwhile, there has been an increase in high-risk vulnerabilities across all sectors. For instance, aerospace, aviation, automotive, transportation, and logistics companies recorded a 232% increase in high-risk vulnerabilities over the five-year period.

"Much of the software and firmware used in these industries operates within closed systems, which can reduce the likelihood of an exploit and may lead to a lack of urgency in the need to patch it," Synopsys said.

High-risk vulnerabilities in IoT-related code bases have jumped 130% since 2018. "This is particularly concerning when we think about the utility of IoT devices; we connect many aspects of our lives to these devices and trust in the inherent safety in doing so," the researchers noted.

Available patches not applied

Of the 1,481 code bases that included risk assessments, 91% contained outdated versions of open source components, meaning an update or patch was available but had not been applied.

One reason may be that DevSecOps teams judge the risk of unintended consequences from an upgrade to outweigh whatever benefit the newer version would bring. Time and resources could also be a factor. "With many teams already stretched to the limit building and testing new code, updates to existing software can become a lower priority except for the most critical issues," the report said. In addition, teams may not know when a newer version of an open source component is available, if they are aware of the component at all, the report said.

SBOMs help maintain code quality, compliance

To avoid vulnerability exploits and keep open source code updated, organizations should use a software bill of materials (SBOM), the report suggests. A comprehensive SBOM lists all open source components in an application along with their licenses, versions, and patch status. An SBOM of open source components allows organizations to pinpoint at-risk components quickly and prioritize remediation appropriately, the report added.
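As an added, illustrative example (not code from the OSSRA report or from Synopsys), the following script shows what that triage looks like in practice: it parses a constructed CycloneDX JSON SBOM, matches each component against a constructed local vulnerability list, flags components as outdated when a newer release is known, notes components with no declared license, and applies the report's high-risk criteria (actively exploited, public proof of concept, RCE, or CVSS 7 or higher) to order remediation. The package names, versions, vulnerability IDs, the LATEST table and the feed format are all made up for the example; a real pipeline would pull the same facts from a vulnerability database and the package index.

```python
"""Triage a CycloneDX SBOM: outdated components, known vulnerabilities, license gaps.

Added example; not part of the OSSRA report. All inputs below are constructed.
"""
import json
from typing import Optional

# Constructed CycloneDX 1.4 JSON SBOM (sample input, not a real project).
SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http", "version": "1.2.0",
     "purl": "pkg:pypi/example-http@1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-yaml", "version": "5.1",
     "purl": "pkg:pypi/example-yaml@5.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "example-json", "version": "3.0.1",
     "purl": "pkg:pypi/example-json@3.0.1",
     "licenses": []}
  ]
}
'''

# Constructed vulnerability feed keyed by package name (hypothetical IDs and scores).
# "affected_below": every version lower than this is vulnerable.
VULN_FEED = {
    "example-http": [{"id": "VULN-0001", "affected_below": "1.3.0", "cvss": 9.8,
                      "rce": True, "poc": False, "exploited": False}],
    "example-yaml": [{"id": "VULN-0002", "affected_below": "5.4", "cvss": 5.3,
                      "rce": False, "poc": True, "exploited": False}],
}

# Newest known release per package (constructed; normally read from the package index).
LATEST = {"example-http": "1.3.0", "example-yaml": "5.4", "example-json": "3.0.1"}


def parse_version(v: str) -> tuple:
    """Turn a dotted version into a tuple of ints so tuples compare numerically.
    Assumes plain numeric segments; non-digit characters in a segment are dropped."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_high_risk(vuln: dict) -> bool:
    """The report's high-risk definition: actively exploited, public PoC, RCE class,
    or CVSS 7.0 and above. A PoC makes a medium-scored bug high risk here."""
    return bool(vuln["exploited"] or vuln["poc"] or vuln["rce"] or vuln["cvss"] >= 7.0)


def first_license(component: dict) -> Optional[str]:
    """Return the declared SPDX id, license name or expression, or None if undeclared."""
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            return lic["id"]
        if "name" in lic:
            return lic["name"]
        if "expression" in entry:
            return entry["expression"]
    return None


def triage(sbom_json: str, feed: dict, latest: dict) -> list:
    """Join SBOM components with the feed and release table; return rows ordered
    for remediation: high-risk first, then worst CVSS, then outdated-but-clean."""
    sbom = json.loads(sbom_json)
    rows = []
    for comp in sbom.get("components", []):
        name, version = comp["name"], comp["version"]
        v = parse_version(version)
        findings = [f for f in feed.get(name, []) if v < parse_version(f["affected_below"])]
        newest = latest.get(name)
        rows.append({
            "name": name,
            "version": version,
            "latest": newest,
            "outdated": newest is not None and v < parse_version(newest),
            "license": first_license(comp),
            "findings": findings,
            "high_risk": any(is_high_risk(f) for f in findings),
            "max_cvss": max((f["cvss"] for f in findings), default=0.0),
        })
    rows.sort(key=lambda r: (not r["high_risk"], -r["max_cvss"], not r["outdated"], r["name"]))
    return rows


if __name__ == "__main__":
    for row in triage(SBOM_JSON, VULN_FEED, LATEST):
        ids = ",".join(f["id"] for f in row["findings"]) or "-"
        print(f'{row["name"]:<14} {row["version"]:<7} latest={row["latest"]:<7} '
              f'outdated={row["outdated"]!s:<5} high_risk={row["high_risk"]!s:<5} '
              f'cvss={row["max_cvss"]:<4} vulns={ids:<10} license={row["license"] or "UNDECLARED"}')
```

Note that example-yaml sorts ahead of the clean component even though its CVSS is 5.3: a published proof of concept puts it in the report's high-risk bucket, which is exactly the distinction a CVSS-only filter at 7.0 would miss. The undeclared license on example-json is a compliance finding, not a security one, but it surfaces from the same SBOM pass.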