2025 OSSRA Report: Frequently Asked Questions About Open Source Software
28 / Mart / 25
The recently published 2025 Open Source Security and Risk Analysis (OSSRA) Report provides a comprehensive overview of the current state of open source software, including insights into software security, licensing, and compliance risks. In this blog post, we’ll explore some of the most frequently asked questions about open source, supported by key data from the 2025 OSSRA Report.
✅ How Common Is the Use of Open Source Software in Commercial Applications?
Open source software (OSS) is widely used. The OSSRA Report states that 97% of all audited codebases include open source components. In sectors such as Computer Hardware/Semiconductors, EdTech, and Internet & Mobile Applications, this rate even reaches 100%.
Furthermore, the number of open source components within applications continues to grow rapidly. The number of OSS files in an average application has tripled in the last four years, emphasizing the need for better visibility and risk management.
⚠️ What Security Vulnerabilities Are Common in Open Source Software, and Which Components Are Most Affected?
The OSSRA Report reveals that 86% of applications contain at least one vulnerable open source component, and 81% include high or critical risk vulnerabilities.
Among the most frequently affected components, jQuery tops the list of high-risk vulnerabilities. Other commonly impacted libraries include jackson-databind and Spring Framework. A typical vulnerability, such as cross-site scripting (XSS), often stems from improper input validation. One major vulnerability, CVE-2020-11023, is listed in CISA’s Known Exploited Vulnerabilities Catalog.
🧾 What Are the Key Licensing Challenges in Open Source Software and How Can They Impact Organizations?
According to the OSSRA Report, 56% of audited applications contain license conflicts. These conflicts occur when component licenses are incompatible with each other or with the project’s overall license.
Additionally, 33% of codebases include OSS components that either lack licenses or use customized licensing terms. Transitive dependencies are a common source of conflict, and custom licenses (such as the JSON license) can lead to legal disputes, intellectual property issues, and time-consuming remediation processes.
📋 What Is a Software Bill of Materials (SBOM) and Why Is It Important for Managing Open Source Risk?
A Software Bill of Materials (SBOM) is a complete and structured inventory of all software components and dependencies used in an application, including metadata like licenses, versions, open source libraries, and third-party modules.
It is essential for managing security vulnerabilities and ensuring license compliance. SBOMs give organizations the transparency, visibility, and control needed across the software supply chain. That’s why many customers are now requiring SBOMs from their vendors as part of contractual agreements.
🧰 How Do Software Composition Analysis (SCA) Tools Help Manage Open Source Risk and Generate SBOMs?
Software Composition Analysis (SCA) tools are critical for generating SBOMs and managing open source risks. These tools conduct multiple types of code scans to identify all components and their dependencies.
They then perform dependency analysis, comparing the findings against vulnerability databases and license repositories. This enables SCA tools to prioritize vulnerabilities and generate a complete and accurate SBOM.
🔄 Why Is It Important to Keep Open Source Components Up to Date? What Are the Risks of Outdated Components?
The report shows that 91% of applications contain outdated OSS components, and 90% of codebases include components that are over 10 versions behind the latest release.
Lack of maintenance exposes applications to known security flaws. Older components, especially those no longer supported by active communities, are prone to exploitation. They can also drive up operational costs due to emergency patching. That’s why it’s vital to keep open source components updated using regular audits, monitoring tools, and automated security services.
📌 What Does the OSSRA Report Recommend for Managing Open Source Risks During Mergers and Acquisitions?
The OSSRA Report strongly recommends using SCA tools to generate SBOMs, detect vulnerabilities, and manage licensing throughout the software development lifecycle.
Key recommendations include:
● Prioritizing high-risk vulnerabilities
● Regularly updating components
● Following secure coding practices (such as input validation and sanitization)
● Monitoring OSS component maintenance
● Integrating open source governance into secure development workflows
In M&A scenarios, the report highlights the importance of third-party audits to assess target companies, understand risks, and resolve potential issues before closing deals. Proactive vendors can avoid surprises during due diligence, while buyers must ensure compliance with all license terms.
🔍 Conclusion
Whether you’re a software developer or a business relying on software, having clear visibility into your codebase is essential for managing open source risks proactively.
Explore the OSSRA Report’s recommendations to strengthen your software supply chain, improve compliance, and adopt open source security best practices in 2025 and beyond.
