Know your code—and know your stuff!

By : Krishna Anindyo | Tuesday, July 07 2020 - 07:00 IWST

An Open Source Audit Digs Into a Codebase to See What’s Inside

INDUSTRY.co.id - The nature of open source use makes it hard to track. Open source in a codebase typically results from the collective decisions of individual developers. A developer faced with a gap in functionality might cast about the internet for a “puzzle piece” — an open source component, a code snippet — that fits. The result: A puzzle completed in less time, with less effort, than if your developers had to craft each piece from scratch.

But some developers are more savvy than others about vetting the components they ingest on their company’s behalf. And without proper vetting, those components can embed quality, security, and license issues into the finished project.

Tracking trends in open source use through audits

It’s a challenge to track open source within companies (though software composition analysis makes the job more manageable). It’s even harder to do so at the industry level. But understanding industry-wide open source trends is essential to crafting best practices that keep your development organization ahead of the game.

So how can we get a complete picture of what’s going on in the industry? Through data aggregated from open source software audits. In an open source audit, the audit team pries open a codebase to see what’s inside.

The results of one audit are almost always surprising. And when we combine the data from thousands of audits, we see clear patterns in open source use that every development organisation should be aware of.

Making sense of our open source audit data

My Black Duck Audit Services team analyses more code for open source than anyone in the world, across all industries and technologies. Through brute force, for the last four years, we’ve been digging into codebases and aggregating anonymised data on code composition, legal issues, security issues, and other operational factors.

Recently, working with the Synopsys Cybersecurity Research Center (CyRC), we published our 2020 Open Source Security and Risk Analysis report, a great bedtime read for anyone in software.

Below are some highlights of what we found across over 1,250 codebases we reviewed in open source audits in 2019. But you really should download the report to get more details and a breakout by industry.

You may also want to check out our open source in M&A webinar, in which I put the results in the M&A context. “Phil really knows his stuff,” one participant commented at the end. But that’s shooting a compliment at the messenger. The reality is Synopsys knows its stuff when it comes to open source.

Software composition

Virtually every codebase reviewed in an audit last year (99%) included some open source.

Most of the code in these codebases, 70%, was open source.

The average codebase contained about 445 open source components.

License risk

73% of the codebases had at least one license issue.

67% of the codebases contained components with license conflicts, most frequently GNU GPL conflicts.

Security risk

75% of codebases under audit contained open source components with unpatched vulnerabilities.

The percentage of codebases containing high-risk vulnerabilities increased to 49% in 2019.

Yes, Synopsys, with the CyRC and Black Duck Audit Services team, knows its stuff. After you read the report, you’ll know your open source stuff too!
