
Open Source vs. Security and Risk: An Analysis Report

April 19, 2022
Synopsys’ Open Source Security and Risk Analysis report highlights the good and the bad.

This article is part of the TechXchange: Cybersecurity

What you’ll learn

  • What types of vulnerabilities exist in open-source software?
  • What licensing issues are affecting application development?

Synopsys is in the software business, and safety and security are two of the areas the company focuses on.

This year’s annual 2022 Open Source Security and Risk Analysis (OSSRA) report, which you can download, has good and bad things to disclose. The results were based on an audit of 2,409 open-source projects. Many of the issues and observations will be applicable to closed-source solutions as well, but a significant amount of software now depends on open-source support.

The general trend indicates the overall open-source codebase vulnerability is dropping (Fig. 1). There was a 3% decrease in high-risk vulnerabilities per codebase. Unfortunately, “88% of the codebases contained components that had no new development in the past two years, and these were behind in user updates.”

Overall, almost 80% of the codebases were open source and almost the same percentage had at least one vulnerability (Fig. 2). Likewise, a significant number of projects experienced licensing issues. This is often due to the different licenses that are associated with components in an open-source project. A license that covers an application must take into consideration the licenses and limitations of its components.

The report lists the top 10 vulnerabilities, which include errors like incorrect cryptographic algorithms (CVE-2020-187) and default permissions issues (CVE0-202-8022). The report runs down the CVE numbers as well as Synopsys’s Black Duck Security Advisories (BDSA).

Security, and hence safety, problems continue to plague the software industry. Problems like log4j’s security issue are commonplace and can affect a large number of developers and products because of the widespread use of open-source software, whose maintenance and design is often nebulous.

The advantage of open-source software is availability. The challenge is its quality and maintenance. As noted in Robert Heinlein’s science fiction novel, The Moon is a Harsh Mistress, there’s no such thing as a free lunch (TINSTAAFL).

Certain tools and services can greatly improve the support and maintenance of open-source software. This includes license tracking and management, which can be difficult when a variety of licenses cover different software components.
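As an added illustration (not code from the article or from Synopsys' Black Duck tooling), the script below performs the kind of component audit the report's figures summarise: it walks a constructed, SBOM-like inventory and counts components that have had no upstream release in two years, components with published advisories, and components whose license conflicts with the license chosen for the application. The component names, versions, dates and the license-compatibility table are all assumptions made for the example; real compatibility depends on linking, distribution and license versions, so the table is a deliberately simplified policy.

```python
"""Minimal open-source component audit (illustrative, not Synopsys code)."""
from dataclasses import dataclass
from datetime import date

# Assumed, simplified policy: which component licenses an application
# released under a given license may incorporate without conflict.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COMPATIBLE = {
    "Proprietary": PERMISSIVE,
    "Apache-2.0": PERMISSIVE,
    "GPL-3.0-only": PERMISSIVE | {"LGPL-2.1-or-later", "GPL-3.0-only"},
}

# The report's threshold: "no new development in the past two years".
STALE_AFTER_DAYS = 2 * 365


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license_id: str        # SPDX-style identifier
    last_release: date     # most recent upstream release
    known_vulns: int = 0   # published advisories against this version


def stale_components(components, today):
    """Components whose last upstream release is older than two years."""
    return [c for c in components
            if (today - c.last_release).days > STALE_AFTER_DAYS]


def vulnerable_components(components):
    """Components with at least one published advisory."""
    return [c for c in components if c.known_vulns > 0]


def license_conflicts(components, app_license):
    """Components whose license the application's license cannot absorb."""
    allowed = COMPATIBLE[app_license]
    return [c for c in components if c.license_id not in allowed]


def audit(components, app_license, today):
    """Per-risk-class counts, the way the OSSRA figures summarise codebases."""
    return {
        "total": len(components),
        "stale": len(stale_components(components, today)),
        "vulnerable": len(vulnerable_components(components)),
        "license_conflicts": len(license_conflicts(components, app_license)),
    }


# Constructed sample inventory: names, versions, dates and counts are invented.
SAMPLE = [
    Component("fastjson-lite", "1.2.0", "MIT", date(2021, 11, 3), known_vulns=1),
    Component("oldlogger", "0.9.1", "Apache-2.0", date(2019, 6, 1), known_vulns=2),
    Component("cryptohelper", "3.0.0", "GPL-3.0-only", date(2022, 1, 15)),
    Component("tinyhttp", "2.4.4", "BSD-3-Clause", date(2022, 3, 20)),
]
AUDIT_DATE = date(2022, 4, 19)  # assumed audit date (the article's date)

if __name__ == "__main__":
    for key, value in audit(SAMPLE, "Proprietary", AUDIT_DATE).items():
        print(f"{key}: {value}")
    for c in stale_components(SAMPLE, AUDIT_DATE):
        print(f"stale: {c.name} {c.version}, last release {c.last_release}")
    for c in license_conflicts(SAMPLE, "Proprietary"):
        print(f"license conflict: {c.name} {c.version} is {c.license_id}")
```

Running the audit against a proprietary application flags oldlogger as stale (no release since 2019), two components with advisories, and cryptohelper's GPL-3.0-only license as a conflict; re-running it with the application itself under GPL-3.0-only clears the license conflict, which is the point of the article's remark that an application's license must take its components' licenses into account.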


About the Author

William G. Wong | Senior Content Director - Electronic Design and Microwaves & RF

I am Editor of Electronic Design focusing on embedded, software, and systems. As Senior Content Director, I also manage Microwaves & RF and I work with a great team of editors to provide engineers, programmers, developers and technical managers with interesting and useful articles and videos on a regular basis. Check out our free newsletters to see the latest content.


I earned a Bachelor of Electrical Engineering at the Georgia Institute of Technology and a Masters in Computer Science from Rutgers University. I still do a bit of programming using everything from C and C++ to Rust and Ada/SPARK. I do a bit of PHP programming for Drupal websites. I have posted a few Drupal modules.  

I still get a hand on software and electronic hardware. Some of this can be found on our Kit Close-Up video series. You can also see me on many of our TechXchange Talk videos. I am interested in a range of projects from robotics to artificial intelligence. 
