Summary
Black Duck's 2026 Open Source Security and Risk Analysis (OSSRA) report, based on audits of 947 codebases across 17 industries, finds that the average number of open source vulnerabilities per codebase doubled to 581 (a 107% increase), a rise the report attributes to AI-assisted development.[1][6] Licensing conflicts appear in 68% of codebases, 87% of codebases are classed as at risk, and 98% contain open source code.[1][3] The report also flags inactive 'zombie components' in 93% of codebases and warns that untracked AI models complicate compliance with regulations such as the EU Cyber Resilience Act.[6]
Key Takeaways
- Open source vulnerabilities per codebase doubled to 581, a 107% YoY increase, with 87% of codebases at risk.[1][6]
- Licensing conflicts reached 68% of codebases, up 12% YoY, exacerbated by AI-generated code lacking attribution.[3]
- 98% of codebases contain open source, with 93% having inactive 'zombie' components and only 7% using latest versions.[6]
- AI models form a new, largely ungoverned attack surface: 97% of organizations use them, but most do not inventory or track them.[6]
- Regulatory pressure from EU Cyber Resilience Act demands SBOMs and AI policies to manage risks.[1]
Balanced Perspective
The OSSRA analyzes 947 codebases and documents a 107% rise in vulnerabilities to 581 per codebase and licensing conflicts in 68% of codebases, which the report ties to AI accelerating the rate at which code and dependencies are added.[1][3] Open source is near universal at 98%, and 87% of codebases are at risk, but the data comes from M&A audits rather than a representative sample of all software, which limits broad generalization.[2] AI introduces untracked risks such as model integrations, yet the report provides industry benchmarks without prescribing solutions beyond better visibility and SBOMs.[6]
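The report's prescription is visibility, concretely an SBOM that is actually queried. As an added example (this is not Black Duck's tooling and not code from the report), the following Python script triages a CycloneDX-format SBOM for the three risk classes the report counts: licenses that a policy denies or that are missing entirely, components behind their latest upstream release or with no release in two years (the assumed meaning of 'zombie' here), and AI/ML model components that need to be tracked like any other dependency. The sample SBOM, the license policy and the release index are constructed for illustration; in practice the index would come from a package-registry lookup.

```python
"""Minimal SBOM triage: license-policy and stale-component checks over CycloneDX JSON.

Added example; not Black Duck's tooling or part of the OSSRA report. The
sample SBOM, license policy and release index below are constructed.
"""
import json
from datetime import date

# Constructed CycloneDX 1.5-style SBOM (component names and licenses are invented).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "readline-wrapper", "version": "6.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "old-parser", "version": "0.9.1",
         "licenses": []},
        {"type": "machine-learning-model", "name": "sentiment-model", "version": "2",
         "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
    ],
})

# Assumed policy for a proprietary, commercially distributed product.
DENIED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "CC-BY-NC-4.0"}

# Constructed stand-in for a registry lookup: name -> (latest version, last release date).
RELEASE_INDEX = {
    "left-pad": ("1.3.0", date(2024, 5, 1)),
    "readline-wrapper": ("6.2", date(2025, 11, 3)),
    "old-parser": ("1.4.0", date(2021, 2, 9)),
    "sentiment-model": ("2", date(2025, 9, 12)),
}


def load_components(sbom_json):
    """Return the component list from a CycloneDX JSON document."""
    return json.loads(sbom_json).get("components", [])


def declared_licenses(component):
    """Collect SPDX ids, names or expressions declared on a component; [] if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.append(lic["id"])
        elif "name" in lic:
            ids.append(lic["name"])
        elif "expression" in entry:
            ids.append(entry["expression"])
    return ids


def license_findings(components, denied=DENIED_LICENSES):
    """Flag denied licenses and components with no declared license at all."""
    findings = []
    for c in components:
        ids = declared_licenses(c)
        if not ids:
            findings.append((c["name"], None, "no license declared"))
        for lic in ids:
            if lic in denied:
                findings.append((c["name"], lic, "denied by policy"))
    return findings


def staleness_findings(components, index=RELEASE_INDEX,
                       today=date(2026, 3, 1), max_age_days=730):
    """Flag components behind the latest release or with no release in max_age_days.

    'Zombie' is assumed here to mean no upstream release within two years.
    """
    findings = []
    for c in components:
        name = c["name"]
        if name not in index:
            findings.append((name, "not found in index"))
            continue
        latest, last_release = index[name]
        if c.get("version") != latest:
            findings.append((name, f"outdated: {c.get('version')} < {latest}"))
        if (today - last_release).days > max_age_days:
            findings.append((name, f"zombie: last release {last_release.isoformat()}"))
    return findings


def model_components(components):
    """Return AI/ML model components so they can be tracked like any other dependency."""
    return [c["name"] for c in components if c.get("type") == "machine-learning-model"]


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    for f in license_findings(comps):
        print("LICENSE", f)
    for f in staleness_findings(comps):
        print("STALE", f)
    print("MODELS", model_components(comps))
```

Running this against the constructed SBOM reports two denied licenses and one undeclared license, marks old-parser as both outdated and a zombie, and lists sentiment-model as a model component that the policy must cover. Against a real SBOM the same three checks apply unchanged; only the registry-backed release index and the organization's license policy need to be supplied.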
Optimistic View
AI-driven development is a net positive, enabling unprecedented productivity gains that outpace risks when paired with modern tools like Black Duck's AI-powered scanning.[1][4] With open source in 98% of codebases proving its indispensable value, this surge signals maturing ecosystems where vulnerabilities are increasingly known and fixable—93% zombie components mean vast low-hanging fruit for quick wins via automated updates.[6] Forward-thinking orgs will thrive under new regs like the EU CRA by treating AI models like components, turning transparency into a competitive edge and accelerating secure innovation.[1]
Critical View
AI's unchecked adoption has ballooned the attack surface—107% more vulnerabilities, 30% more components, 74% more files—leaving 87% of codebases exposed to critical risks like remote code execution.[1][6] Licensing conflicts at 68% and pervasive zombie components (93% inactive) signal a governance crisis, where AI-generated code copies restrictive licenses invisibly, inviting lawsuits and non-compliance with EU AI Act and CRA.[3][6] Without radical shifts, the 'ship and forget' culture will amplify supply chain breaches in a landscape where 17% of components evade scanning.[6]
Source
Originally reported by blackduck.com