75% of commercial applications include obsolete open source code with vulnerabilities

Synopsys analyzed 1253 commercial codebases and concluded that almost all (99%) of the commercial applications reviewed included at least one open source component, and 70% of the code in the reviewed repositories was open source. For comparison, in a similar study in 2015, the share of open source was 36%.

At the same time, in most cases the third-party open source code in use is not kept up to date and contains potential security problems: 91% of the examined codebases contain open source components that have not been updated for more than 5 years, or that have been abandoned for at least two years and are no longer maintained by their developers. As a result, 75% of the open source code identified in the reviewed repositories has unpatched known vulnerabilities, half of which are of high severity. In the 2018 sample, the share of code with vulnerabilities was 60%.

The most common dangerous vulnerability was CVE-2018-16487 (remote code execution) in the lodash library for Node.js; vulnerable versions of it were encountered more than 500 times. The oldest unpatched vulnerability was a problem in the lpd daemon (CVE-1999-0061), fixed back in 1999.

Besides security, the codebases of commercial projects also show a negligent attitude toward compliance with the terms of free software licenses. In 73% of codebases, problems were found with the legality of open source use, such as license incompatibilities (typically GPL code included in a commercial product without the source of the derivative product being opened) or the use of code with no license specified. 93% of all license problems occur in web and mobile applications. In games, virtual reality systems, multimedia and entertainment software, violations were found in 59% of cases.

In total, the study identified 124 open source components that are commonly used across all codebases. The most popular are jQuery (55%), Bootstrap (40%), Font Awesome (31%), Lodash (30%) and jQuery UI (29%). In terms of programming languages, the most widely used are JavaScript (present in 74% of projects), C++ (57%), Shell (54%), C (50%), Python (46%), Java (40%), TypeScript (36%), C# (36%), Perl (30%) and Ruby (25%). The overall share of code by language is: JavaScript (51%), C++ (10%), Java (7%), Python (7%), Ruby (5%), Go (4%), C (4%), PHP (4%), TypeScript (4%), C# (3%), Perl (2%) and Shell (1%).

Source: opennet.ru