1、2025 Open Source Securityand Risk Analysis ReportTable of contentsWelcome to the 2025 OSSRA Report .1Who Should Read This Report.1What Youll Learn and Why It Matters.2About This Reports Data and Black Duck Audits .3Our Findings at a Glance.4Looking at Open Source Risk and Vulnerabilities.7Software S

2、ecurity Begins with Visibility into Your Code.7Understanding Risk Management and Gaining Visibility into Your Code.8Enhancing Software Security and Transparency with SCA and SBOMs.8Analyzing the Impact of a Vulnerability.11Log4j and Equifax:Two Lessons on the Need for Visibility into Your Code.12The

3、 Top High-and Critical-Risk Vulnerabilities.13What the Data Tells Us.18Industry-Specific Insights .18Open Source Licensing.19How Conflicts,Variants,and Lack of Licenses Create Risk.19The Impact of Transitive Dependencies on License Conflicts.20The Top 10 Open Source Licenses of 2024.20What Are Permi

4、ssive,Weak Copyleft,and Reciprocal Open Source Licenses?.21How to Manage Open Source License Risk with SCA .21Industry Perspectives on License Conflicts.22If You Anticipate an M&A.23Maintenance and Operational Factors Impacting Risk.25Conclusion:The More Things Change.27Key Recommendations.282025 Op

5、en Source Security and Risk Analysis report|1Welcome to the 2025 OSSRA Report Open source software(OSS)has revolutionized application development,providing a vast repository of prebuilt components that offer numerous benefits such as cost savings,flexibility,and scalability.However,with all those be

6、nefits comes risks that every organization using open source needs to be prepared to acknowledge and address.The 2025“Open Source Security and Risk Analysis”(OSSRA)report details key findings from Black Duck audit data,including security vulnerabilities,licensing issues,component maintenance,and ind