Revenera, producer of leading solutions that help technology companies build better products, accelerate time to value and monetize what matters, today released the Revenera 2021 State of Open Source License Compliance report.

The report analyzes data from 2020 audit services projects, evaluating the prevalence of open source software (OSS), the under-reporting of that use, and the resulting license compliance issues and security vulnerabilities. This global, cross-industry study by Revenera's audit services team evaluated more than 2.1 billion lines of code and uncovered 174,334 issues.
"Open source software's growing popularity is due in part to its ability to give companies accelerated time-to-market and provide more focus on core competencies for development teams. However, with that valuable opportunity comes risks that are often unknown and therefore not addressed," said Alex Rybak, Director, Product Management, Revenera. "A continuous, automated open source management program is the best way to proactively monitor code churn throughout the development process and address any identified compliance issues, especially new security vulnerabilities, all while embracing open source for the strategic advantages it provides."
Highlights of the Revenera 2021 State of Open Source License Compliance report:
- Growing use of open source software increases the possibility of risk. The average number of issues uncovered per audit project grew to 1,959, compared to 662 reported the previous year. This 200 percent year-over-year growth was fueled by popular ecosystems including PyPI, NPM, RubyGems, and many others, which are bringing more dependencies into users' codebases. Binaries (made up of a collection of compiled source code from various origins) grew 58 percent, year over year, with 1 issue discovered for every 12,126 lines of code.
- Organizations face more risk than is disclosed. While 55 percent of the scanned codebase files were attributed to open source (an increase of 10 percent over the past year), only 4 percent of the issues uncovered through audits were disclosed in advance of audit start.
- Security vulnerabilities are growing. Data from forensic and standard audits identified 89 security vulnerabilities per project, jumping from 45 in the previous year's findings.
- Critical license compliance issues require immediate attention. Priority 1 (P1) issues are those that pose the most critical threat and that should be remediated first. The team found 130 P1 issues per project, representing 5 percent of the total issues uncovered through M&A and baseline audit projects.
- Multiple types of audit analyses are required to meet users' needs. 37 percent of issues were identified through Standard Audit Analysis, which identifies explicit P1 licenses and large third-party components; 28 percent of issues discovered came from Forensic Audit Analysis, which provides an in-depth scan of all evidence types; and 34 percent of issues were identified through Targeted Audit Analysis, with custom audits based on customer need. Audit customers in 2020 expected faster turnaround times due to an increase in M&A activity.
- Weak copyleft licenses are 20 percent of the scanned codebase. Weak copyleft licenses indicate that the software program is free to use. However, depending on whether it's modified, how it's linked, and how it's packaged and distributed, there may be obligations imposed on organizations beyond simple attribution requirements. In some cases, weak copyleft requirements extend to all derivative works. Permissive licenses, with minimal restrictions, make up 63 percent of the codebase. Strong copyleft licenses, which mandate that any distributed software that links to or incorporates such code be licensed under compatible licenses, represent 12 percent of licenses.