The M&A Open Source Risk Number
2022-7-9 00:22:23 Author: www.synopsys.com

Posted by on Friday, July 8, 2022

Find out what our audit services team unearthed in the 2,400+ codebases we reviewed in 2021.


Spoiler alert: In 2021, audits found open source in 100% of our customer engagements.

Regular readers know that Synopsys recently published the seventh edition of the “Open Source Security and Risk Assessment” (OSSRA) report. We think it provides the best information available about the usage of open source in the wild and the frequency of open source risks.

The report is based on anonymized and aggregated data pulled from the Black Duck® Audit group’s work. It presents the results in terms of codebases—roughly equivalent to applications—that we audit as part of an M&A transaction. However, because we typically audit multiple codebases in each customer engagement, statistics per codebase are only part of the story.

You can read the full M&A story in our “Open Source Risk in M&A by the Numbers” white paper. It covers the same data as the OSSRA report but presents the analysis in the context of transactions. For example, instead of digging into the frequency of high-severity vulnerabilities per codebase, the paper explores the percentage of M&A transactions that include code with high-severity vulnerabilities.

You can also watch this recorded webinar to get an inside look at the data Black Duck Audits compiled in 2021 from the 2,400 codebases we audited in tech transactions.


Source: https://www.synopsys.com/blogs/software-security/open-source-risks-mergers-acquisitions/