Professional Documents
Culture Documents
Overview.................................................................................................................................................................................. 5
Open source in 2020..................................................................................................................................................................................................................... 6
Terminology used in this report.................................................................................................................................................................................................................7
Industry sectors and open source.............................................................................................................................................................................................................8
Licensing............................................................................................................................................................................... 15
Open source licensing................................................................................................................................................................................................................ 16
Understanding license risk........................................................................................................................................................................................................................17
Sustainability......................................................................................................................................................................... 19
Open source sustainability......................................................................................................................................................................................................... 20
The price of popularity...............................................................................................................................................................................................................................21
Conclusion............................................................................................................................................................................. 23
The Peter Parker principle.......................................................................................................................................................................................................... 24
Mistakes versus malice.............................................................................................................................................................................................................................25
Coverity Scan data......................................................................................................................................................................................................................................25
NGINX Open Source: A Coverity Scan Case Study.............................................................................................................................................................. 26
Create demand for a Bill of Materials.....................................................................................................................................................................................................27
Coda..............................................................................................................................................................................................................................................................27
Further reading............................................................................................................................................................................................................................ 28
References.................................................................................................................................................................................................................................. 28
2 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
INTRODUCTION
ABOUT THE CYRC AND THE 2021 Audit Services. Our SCA solutions help organizations Duck Binary Analyses and Coverity Scan®. The
INTRODUCTION
identify and track open source code and automate 2020 audit data analysis used in this report was
OPEN SOURCE SECURITY AND RISK
the enforcement of open source policies through conducted by the CyRC’s Belfast and Boston teams.
ANALYSIS REPORT integration with currently used DevOps tools and In addition to validating data used in the OSSRA, the
The Synopsys Cybersecurity Research Center’s processes. Our Audit Services team conducts Belfast team’s work forms the basis of Black Duck
(CyRC) mission is to publish security advisories and audits on thousands of codebases for customers Security Advisories (BDSAs), which offer enhanced
research to help organizations better develop and each year, both to support merger and acquisition vulnerability information that the team publishes as a
consume secure, high-quality software. Our most (M&A) transactions and to provide customers with service to commercial Black Duck customers.
recent security and software quality reports include a comprehensive, up-to-date Bill of Materials of the
This year, the CyRC teams examined anonymized
“Peril in a Pandemic: The State of Mobile Application open source, third-party code, web services, and APIs
audit findings from over 1,500 commercial
Security,” an analysis of the most popular Android used in their applications.
codebases in 17 industries. You need look no
apps used during the COVID-19 pandemic; and The audit data is cross-referenced with the Black further than the pages of this report to see that
“DevSecOps Practices and Open Source Management Duck KnowledgeBase™ to identify potential license open source libraries are the foundation for literally
in 2020,” a survey of software professionals on open compliance and security risks as well as other factors every application in every industry. But paralleling
source management and DevSecOps. that may affect the overall codebase. Curated by the the popularity of open source is a growth in risk—
This research, the CyRC’s annual “Open Source CyRC, the KnowledgeBase houses data on millions specifically around open source licensing, security,
Security and Risk Analysis” (OSSRA) report, provides of open source libraries from over 24,000 forges and code quality, and maintenance.
an in-depth snapshot of the current state of open repositories.
This sixth edition of our report, the 2021 OSSRA,
source security, compliance, licensing, and code Audits are the primary source of data for the 2021 includes recommendations to help open source
quality risk in commercial software. OSSRA report. Additional data used in the report developers and consumers better understand the
For over 17 years, security, development, and legal (specifically in the “Parallels between the ‘State of software ecosystem they are part of, as well as
teams around the globe have relied on Black Duck® Mobile Application Security’ and OSSRA reports” the risks that come with unmanaged open source
software composition analysis (SCA) solutions and section and the conclusion) comes from Black development and use.
4 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
OVERVIEW
Open source in 2020
OVERVIEW
OF CODEBASES
CODEBASES
CODEB
HAD AT LEAST ONE
E
URC
VULNERABILITY
AUDITED IN 2020 PERCENT OF
WITH AN AVERAGE OF
AS
SO
S
CO EN
E
NTA I N E D O P
PER CODEBASE
THE AVERAGE
OF CODEBASES VULNERABILITY
FOUND WAS
HAD LICENSE
17 INDUSTRIES REPRESENTED CONFLICTS
YEARS OLD
OF ALL CODEBASES WERE
COMPOSED OF OPEN SOURCE
6 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
OVERVIEW
7 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
INDUSTRY SECTORS AND OPEN SOURCE
OVERVIEW
Aerospace, Aviation, Auto, Big Data, AI, BI, Computer Hardware and Cyber Security Ed Tech
Transportation, Logistics Machine Learning Semiconductors
Energy and Clean Tech Enterprise Software/SaaS Financial Services and Healthcare, Health Tech, Internet and Mobile Apps
FinTech Life Sciences
Internet and Software Internet of Things Manufacturing, Marketing Tech Retail and E-Commerce
Infrastructure Industrials, Robotics
57% 76%
8 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
VULNERABILITIES
AND SECURITY
OPEN SOURCE VULNERABILITIES Vulnerabilities in Codebases Percentage of codebases
VULNERABILITIES AND SECURITY
100
Percentage of high-risk
A full 84% of the 1,500+ codebases Black Duck vulnerabilities per codebases
Audit Services audited in 2020 contained at least
one public open source vulnerability—a 9% increase
84%
from the 75% of 2019 and the second-highest
increase seen since 2017. Similarly, the percentage
78%
of codebases containing high-risk open source 75%
vulnerabilities increased to 60% in 2020, a dramatic
67% 77%
11% increase from the 49% of the 2019 audits.
“High-risk” indicates that a vulnerability has been
actively exploited, has documented proof-of-concept
exploits, or has been classified as a remote code 60% 60%
execution vulnerability. Several of the top 10 open
source vulnerabilities that were found in codebases
in 2019 reappeared in the 2020 audits, all with
53%
significant percentage increases.
49%
40%
0
2016 2020
10 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
PARALLELS BETWEEN ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
VULNERABILITIES AND SECURITY
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
APPLICATION SECURITY’
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
Android applications containing open source
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
11 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Despite lockdowns and work-from-home policies, Percentage of Codebases With Open Source Vulnerabilities 2020
VULNERABILITIES AND SECURITY
12 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
The top 10 vulnerabilities Percentage of Codebases With Top 10 CVEs/BDSAs
VULNERABILITIES AND SECURITY
Several of the top 10 open source vulnerabilities— 20% 40% 60% 80% 100%
including one that is a high-risk vulnerability— BDSA-2019-1138 (CVE-2019-11358)
appearing in the 2019 codebases reappeared in 15% increase since 2019
the 2020 audits, some with significant increases in BDSA-2017-2930 (CVE-2015-9251)
percentages. CVE-2019-10744, a lodash vulnerability 16% increase since 2019
rated by the National Vulnerability Database (NVD)
BDSA-2014-0063*
as “critical” and affecting all versions of the popular
9% increase since 2019
JavaScript library prior to 4.17.12, appeared in 29%
of both years’ codebase audits. BDSA-2015-0567**
CVE-2018-3721 2020
2019
*
BDSA-2014-0063 is a high-severity vulnerability in which jQuery is vulnerable to cross-site scripting (XSS) due to lack of
validation of user-supplied input. A fix is available.
**
BDSA- 2015-0567 affects all jQuery versions that use an unpatched UglifyJS parser, opening them to arbitrary code
execution through crafted JavaScript files. A fix is available.
13 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
It’s also possible that the knowledge that the Percentage of Codebases With Top 10 High-Risk CVEs/BDSAs
VULNERABILITIES AND SECURITY
CVE-2020-8022
CVE-2017-1000487
CVE-2020-7598
14 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
LICENSING
OPEN SOURCE LICENSING Percentage of Codebases With License Conflicts
LICENSING
100
2020 audited codebases contained open source with
license conflicts, a slight decrease from 2019. Nearly
three-quarters of the codebases with a license
conflict were specifically in conflict with one version
or another of the GNU General Public License.
Twenty-six percent of the codebases were found
to be using open source with no license or a
customized license. Codebases with customized
open source licenses need to be evaluated for
possible IP and other legal issues. The JSON license,
for example, essentially uses the permissive MIT
license with the addition, “The Software shall be
used for Good, not Evil.” Owners of many popular
projects—notably, Apache Foundation projects—have 85%
removed code using the JSON license because of
the license’s ambiguity; that is, although “software” is
a defined term, “good” and “evil” are open to arguable
interpretation. 68%
67%
Codebases that include open source dependencies 65%
with no discernable license also may require
a decision about whether to replace those
dependencies altogether.
Broken down by industry, the sectors with the highest
60
16 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Understanding license risk Percentage of Codebases With Licensing Conflicts, by Industry 2020
LICENSING
2019
According to copyright law, using software in any Aerospace, Aviation, Automotive,
way requires permission in the form of a license Transportation, Logistics
Virtual Reality, Gaming,
describing the rights conveyed to users and the Entertainment, Media 100% Big Data, AI, BI, Machine Learning
obligations users must meet. Even the friendliest
open source licenses include obligations the user Telecommunications Computer Hardware
takes on in return for use of the software. and Wireless 80% and Semiconductors
Internet of Enterprise
Things Software/SaaS
17 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Sometimes an open source component has a so- Percentage of Codebases Containing Open Source With No License or Custom License
LICENSING
40
their own licensing language or added language to
a standard license. Such license additions are often
well-intentioned but can raise concerns, especially in
merger and acquisition transactions.
Whether open source or not, if third-party code
doesn’t have a license, serious legal issues can arise.
In the U.S. and many other jurisdictions, creative
work—including software—is placed under exclusive 33%
copyright by default. Unless there’s a license that
specifies otherwise (or the copyright holders grant
permission), no other party can use, copy, distribute,
or modify the software without the risk of litigation.
26%
20 25%
2018 2020
18 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
SUSTAINABILITY
OPEN SOURCE SUSTAINABILITY Percentage of Codebases Containing Components That Have Had No Development Activity
SUSTAINABILITY
100
contained open source dependencies that had
had no development activity in the last two years.
That figure means 91% of the codebases audited
contained dependencies with no feature upgrades,
no code improvements, and no security issues fixed
over the past two years.
One of the reasons behind the popularity of open
source is the volunteer communities continuously
updating code and addressing vulnerabilities. 91%
Software developer and author Eric Raymond calls
this Linus’s Law in action: with many eyes looking at
code, “all bugs become shallow.” A Purdue University
study showed that Linus’s Law does work4—open 88%
source communities regularly issue patches faster
than their proprietary software counterparts. But
there’s no guarantee that the volunteer community
behind any given open source project will continue
85%
maintaining the code indefinitely or that the
community will continue to have members who are
knowledgeable about the project’s code.
80
2018 2020
20 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
THE PRICE OF POPULARITY
SUSTAINABILITY
21 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC. 22
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
OUT-OF-DATE
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
than four years behind the latest versions?
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
SOURCE COMPONENTS
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
fix it”? Were they even aware of the version of the
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
an update? Was their thinking “if it ain’t broke, don’t
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
CONTAINED OPEN
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
determine that the risk was low enough to put off
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
been available since July 2019. Did the developers
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
CODEBASES
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
of the library that addresses the vulnerability has
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
contained CVE-2019-10744, even though an upgrade
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
OF AUDITED
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
codebases in both the 2020 and 2019 audits
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
in the “Top 10 vulnerabilities” section, 29% of the
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
Returning to the lodash vulnerability mentioned
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
keep their open source dependencies up-to-date.
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
it’s clear that development teams are struggling to
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
with many newer versions available. As noted earlier,
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
source library with newer versions available—often
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
of-date. That is, the codebases were using an open
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
dependencies that were more than four years out-
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
Audit Services examined in 2020 had open source
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
SUSTAINABILITY
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●
Eighty-five percent of the codebases Black Duck
CONCLUSION
THE PETER PARKER PRINCIPLE of building software—65%—have policies in place Does your organization have a published
CONCLUSION
allowing their developers to contribute to open policy for its developers to make open source
“With great power comes great responsibility.”
source projects. contributions?
—anon., often attributed to Stan Lee
As this report has stated, paralleling the growth of (“DevSecOps Practices and Open Source Management in
How does it feel to be part of a revolution? As the 2020” survey)
open source is a growth in risk—specifically around
data in the 2021 OSSRA report demonstrates, it’s
open source security, code quality, and sustainability.
rare today to find an application that isn’t dependent
Part of the reason is that the increased use of open
on the power of open source. Not only is more
source makes managing a dynamic, changing risk Yes
open source in use, but more developers are writing
landscape more difficult. To meet the challenge,
open source. The 2020 FOSS Contributor Report
development teams need to have reliable and timely
sponsored by the Linux Foundation notes that nearly
vulnerability information, a comprehensive inventory
half of respondents to its survey were being paid
of the open source dependencies their software
by their organizations to contribute to open source
uses, accurate guidance on vulnerability severity and
projects.6 A CyRC survey (“DevSecOps Practices
exploitability, and clear direction on how to patch the
and Open Source Management in 2020”) indicates
affected open source.
that the majority of organizations in the business
24 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Mistakes versus malice
CONCLUSION
BILLION LINES
coding rules to uncover common coding errors.
Synopsys offers a free static analysis service for
OF CODE
open source developers who have registered their
projects with scan.coverity.com. Coverity Scan is
SCANNED
powered by the same engine used by Synopsys’
commercial Coverity static analysis tool to help
identify code defects for fast and easy remediation.
Respondents to the Linux Foundation survey
“overwhelmingly cited Coverity Scan and clang
security checkers” as the primary static analysis Top 10 defects/vulnerabilities found in the scans
tools they use.8 The next page details a case study
Resource leaks Uninitialized variables
on how Coverity Scan helps ensure code quality and
security for NGINX Open Source. Null pointer dereferences Cross-site scripting
Memory corruptions Extra argument error in call
Error handling issues Insecure data handling
Control flow issues Uncaught exception
25 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
NGINX OPEN than 400 million websites. Sysoev cofounded “High-impact” outstanding defects
CONCLUSION
x”) is known for its high performance, stability, rich NGINX Unit, a dynamic application server.
feature set, simple configuration, and low resource Various ● (1)
consumption. Other members of the NGINX Open The problem: Ensuring open source code
Source family include NGINX JavaScript (njs), quality and security
a module adding JavaScript support to NGINX; “We integrated Coverity Scan into our CI/CD vulnerabilities that GitHub sent alerts on from 2019
and NGINX Unit, a dynamic application server pipeline soon after establishing NGINX,” said Maxim through 2020 were due to coding errors rather than
supporting applications written in Perl, Python, Konovalov, one of the company’s cofounders and malicious intent.
Ruby, Node.js, Go, Java, and PHP.njs. now VP of engineering. “We’ve been submitting
But malicious attacks do exploit flaws in code, and
NGINX build artifacts daily since 2012.”
Developers for all three NGINX Open Source developers need to embrace proactive detection
projects use Coverity Scan® to find and fix defects “In many cases, NGINX acts as an internet front tools to uncover bugs in the code they write. Static
in their code. A free online service provided by end,” continued Konovalov. “Its security and stability analysis examines source code against a set of
Synopsys and powered by the same engine used by are essential to its users. My team is passionate coding rules to uncover common coding errors.
Synopsys’ commercial Coverity static analysis tool, about code quality and are always looking for best
Scan helps open source developers identify code practices and tools to help us improve it. Static The results: 658,000 lines of code scanned
defects for fast and easy remediation. code analyzers such as Coverity Scan provide a with a defect density of 0.02%
great help to us.” In the January 2021 Coverity Scan of a NGINX build,
“I have a strong belief in the power of open
658,665 lines of code were analyzed, and various
source,” said Igor Sysoev, the software’s author and NGINX takes its role as a foundational technology
code defects uncovered, including two CWE Top
cofounder of NGINX in a 2014 interview. “NGINX to millions of apps and websites very seriously.
25 defects. Thanks to F5’s regular use of Coverity
was an experiment focused on a very specific Code quality and security are part of its ethos, and
Scan, the NGINX project has a defect density
problem—how to handle more customers on a the tools that help support that mission are integral
(number of defects per 1,000 lines of code) of only
single, existing server. It turned out to be a universal to its development practices.
0.02%.
problem. As soon as I realized NGINX really helps to
improve web performance, I wanted people to use it, The solution: Static code analysis with “Coverity Scan provides an invaluable service to
so I made it open source.” Coverity Scan us,” says Maxim Konovalov. “I regularly recommend
Contrary to popular opinion, most software Coverity Scan and its ability to provide specific defect
A web server that can also be used as a reverse
vulnerabilities are the result of coding mistakes, IDs in code commits. And in fact, I’m a member of
proxy, load balancer, mail proxy, and HTTP cache,
not malicious attacks. According to the “2020 the FreeBSD committers group, and we use Coverity
the open source version of NGINX powers more
State of the Octoverse” security report, 83% of the Scan for code analyses of FreeBSD as well.”
26 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
Create demand for a Bill of Materials If software vendors can anticipate that their Coda
CONCLUSION
27 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
FURTHER READING REFERENCES
CONCLUSION
• Backstabber’s Knife Collection: A Review of 1. Tyler Clifford, Veeva Systems sees product usage increase
tenfold as biotech companies race to find COVID-19 cure, CNBC,
Open Source Software Supply Chain Attacks 3/26/2020.
• Dependency Confusion: How I Hacked 2. David Sharp, L.L. Bean Sees Sales Boom Amid Pandemic’s Push
Into Apple, Microsoft and Dozens of Other to Outdoors, U.S. News, 3/19/2021.
Companies 3. Wikipedia, Open source license litigation, accessed 3/26/2021.
• DevSecOps Practices and Open Source 4. Kemal Altinkemer, Jackie Rees, and Sanjay Sridhar;
Management in 2020 Vulnerabilities and Patches of Open Source Software: An
Empirical Study, Krannert Graduate School of Management, The
• Finding Critical Open Source Projects (Google Center for Education and Research in Information Assurance
blog) and Security, Purdue University; 1/2005.
5. Explain xkcd, 2347: Dependency, 8/17/2020.
- Related: Finding Critical Open Source
6. Frank Nagle et al, Report on the 2020 FOSS Contributor Survey,
Projects (Top 10 list) The Linux Foundation, 12/8/2020.
• Get earlier, actionable vulnerability insights 7. GitHub, Nicole Forsgren et al, The 2020 State of the Octoverse,
2020.
from Black Duck Security Advisories
8. Frank Nagle et al, Report on the 2020 FOSS Contributor Survey,
• How the Linux Foundation’s Software Signing
The Linux Foundation, 12/8/2020.
Combats Supply Chain Attacks
9. Mark Horvath, Dionisio Zumerle, and Dale Gardner, Magic
- Related: What is sigstore? Quadrant for Application Security Testing, Gartner, 4/29/2020.
28 2021 OPEN SOURCE SECURITY AND RISK ANALYSIS REPORT | ©2021 SYNOPSYS, INC.
The Synopsys difference
Synopsys helps development teams build secure, high-quality software, minimizing risks while maximizing speed and productivity. Synopsys, a recog-
nized leader in application security, provides static analysis, software composition analysis, and dynamic analysis solutions that enable teams to quickly
find and fix vulnerabilities and defects in proprietary code, open source components, and application behavior. With a combination of industry-leading
tools, services, and expertise, only Synopsys helps organizations optimize security and quality in DevSecOps and throughout the software development
life cycle.
About CyRC
The Synopsys Cybersecurity Research Center (CyRC) works to accelerate access to information around the identification, severity, exploitation, mitigation,
and defense against software vulnerabilities. Operating within the greater Synopsys mission of making the software that powers our lives safer and of
the highest quality, CyRC helps increase awareness of issues by publishing research supporting strong cybersecurity practices. For more information, go
to www.synopsys.com/software .
Synopsys, Inc. Contact us: ©2021 Synopsys, Inc. All rights reserved. Synopsys is a
690 E Middlefield Rd, U.S. Sales: 800.873.8193 trademark of Synopsys, Inc. in the United States and other
Mountain View, CA 94043 USA International Sales: +1 415.321.5237 countries. A list of Synopsys trademarks is available at
Email: sig-info@synopsys.com www.synopsys.com/copyright.html . All other names
mentioned herein are trademarks or registered trademarks
of their respective owners. April 2021.