Google unveiled a significant wave of advancements designed to supercharge how developers build and scale AI applications – from early-stage experimentation right through to large-scale deployment.
Nearly three-quarters of commercial codebases assessed for risk contain open source components impacted by high-risk vulnerabilities, representing a sharp uptick from the previous year, according to the Open Source Security and Risk Analysis (OSSRA) report from Synopsys.
While codebases containing at least one open source vulnerability remained consistent year over year at 84%, significantly more codebases contained high-risk vulnerabilities in 2023. This can potentially be attributed to variables like economic instability and the consequent layoffs of tech workers, reducing the number of resources available to patch vulnerabilities.
According to the data, the percentage of codebases with high-risk open source vulnerabilities — those that have been actively exploited, have documented proof-of-concept exploits or are classified as remote code execution vulnerabilities — increased from 48% in 2022 to 74% in 2023.
"This year's OSSRA report indicates an alarming rise in high-risk open source vulnerabilities across a variety of critical industries, leaving them at risk for exploitation by cybercriminals," said Jason Schmitt, GM, Synopsys Software Integrity Group. "The increasing pressure on software teams to move faster and do more with less in 2023 has likely contributed to this sharp rise in open source vulnerabilities. Malicious actors have taken note of this attack vector, so maintaining proper software hygiene by identifying, tracking and managing open source effectively is a key element to strengthening the security of the software supply chain."
Additional key findings from the 2024 OSSRA report include:
A "zombie code" apocalypse
Organizations are depending on outdated or inactive open source components. 91% of codebases contained components that were 10 or more versions out-of-date, and nearly half (49%) of codebases contained components that had no development activity within the past two years.
The report also found that the mean age of open source vulnerabilities in the codebases was over 2.5 years old, and nearly a quarter of codebases contained vulnerabilities more than 10 years old.
High-risk open source vulnerabilities permeate across critical industries
The Computer Hardware and Semiconductors industry had the highest percentage of codebases with high-risk open source vulnerabilities (88%), followed closely by Manufacturing, Industrials and Robotics at 87%.
Closer to the middle of the pack, the Big Data, AI, BI and Machine Learning industry had 66% of its codebases impacted by high-risk vulnerabilities.
At the bottom of the list, the Aerospace, Aviation, Automotive, Transportation and Logistics industry still had high-risk vulnerabilities in a third (33%) of its codebases.
Open source license challenges remain
License compliance is an important aspect of effective software supply chain management, but the report found that over half (53%) of the codebases contained open source license conflicts, and 31% of codebases were using code with either no discernible license or a customized license.
Once again, the Computer Hardware and Semiconductors industry ranked highest in percentage of codebases containing license conflicts at 92% followed by Manufacturing, Industrials and Robotics at 81%. Just one noncompliant license in software can result in loss of lucrative intellectual property, time-consuming remediation and delays in getting products to market.
Eight of the top 10 vulnerabilities trace back to one common weakness type
The majority of the open source vulnerabilities that were observed most frequently in this research are classified as Improper Neutralization weaknesses (CWE-707). This weakness type includes the various forms of cross-site scripting that, if exploited, can be quite severe.
Methodology: For the 2024 OSSRA report, the Synopsys Cybersecurity Research Center (CyRC) analyzed anonymized findings from more than 1,000 commercial codebase audits across 17 industries.
Industry News
Red Hat announced Red Hat Advanced Developer Suite, a new addition to Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, designed to improve developer productivity and application security with enhancements to speed the adoption of Red Hat AI technologies.
Perforce Software announced Perforce Intelligence, a blueprint to embed AI across its product lines and connect its AI with platforms and tools across the DevOps lifecycle.
CloudBees announced CloudBees Unify, a strategic leap forward in how enterprises manage software delivery at scale, shifting from offering standalone DevOps tools to delivering a comprehensive, modular solution for today’s most complex, hybrid software environments.
Azul and JetBrains announced a strategic technical collaboration to enhance the runtime performance and scalability of web and server-side Kotlin applications.
Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.
GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.
Red Hat announced its integration with the newly announced NVIDIA Enterprise AI Factory validated design, helping to power a new wave of agentic AI innovation.
JFrog announced the integration of its foundational DevSecOps tools with the NVIDIA Enterprise AI Factory validated design.
GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.
Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.
Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.
CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.