2025 Open Source Security and Risk Analysis Report (English version) .docx

  • About 74,600 words
  • About 33 pages
  • Published 2026-02-10 in Zhejiang


2025 Open Source Security and Risk Analysis Report

Table of contents

Welcome to the 2025 OSSRA Report

Who Should Read This Report

What You'll Learn and Why It Matters

About This Report's Data and Black Duck Audits

Our Findings at a Glance

Looking at Open Source Risk and Vulnerabilities

Software Security Begins with Visibility into Your Code

Understanding Risk Management and Gaining Visibility into Your Code

Enhancing Software Security and Transparency with SCA and SBOMs

Analyzing the Impact of a Vulnerability

Log4j and Equifax: Two Lessons on the Need for Visibility into Your Code

The Top High- and Critical-Risk Vulnerabilities

What the Data Tells Us

Industry-Specific Insights

Open Source Licensing

How Conflicts, Variants, and Lack of Licenses Create Risk

The Impact of Transitive Dependencies on License Conflicts

The Top 10 Open Source Licenses of 2024

What Are Permissive, Weak Copyleft, and Reciprocal Open Source Licenses?

How to Manage Open Source License Risk with SCA

Industry Perspectives on License Conflicts

If You Anticipate an M&A

Maintenance and Operational Factors Impacting Risk

Conclusion: The More Things Change

Key Recommendations

Welcome to the 2025 OSSRA Report

Open source software (OSS) has revolutionized application development, providing a vast repository of prebuilt components that offer numerous benefits such as cost savings, flexibility, and scalability. However, with all those benefits come risks that every organization using open source needs to be prepared to acknowledge and address.

The 2025 "Open Source Security and Risk Analysis" (OSSRA) report details key findings from Black Duck® audit data, including security vulnerabilities, licensing issues, component maintenance, and industry trends. Our analysis shows that open source is ubiquitous, and that it can introduce significant risk unless properly identified and managed.

"He will win who has prepared himself."

— Sun Tzu

Who Should Read This Report
