OCselected/ttoos

[开源之播][Host: 永雷] Reading the BlackDuck 2021 Open Source Risk Assessment Report (OSSRA)


BlackDuck's report for the new year, 2021, has been released. It is the globally authoritative guide to open source risk assessment: in the new year, how has open source changed, what are the trends, and in an era where open source is eating software, are we ready?
I also took part in translating the Chinese edition, so let's read through this internationally authoritative report together.

2021 OSSRA Fast Facts:

Open Source Use:
• 98% of codebases scanned contained open source
• On average, there were 528 components per application
• 75% of the average application was comprised of open source

Open Source Security:
• 84% of the codebases contained at least one vulnerability, compared to 75% last year
• 60% of the codebases contained high-risk vulnerabilities
• The average age of vulnerabilities was 2.2 years

Open Source License Compliance:
• 65% of the codebases contained license conflicts
• 26% of the codebases contained open source with no license or a custom license

Open Source Project Sustainability:
• 85% of codebases contained open source components more than four years out of date
• 91% contained components that have had no development activity within the past two years

Other open source risk trends identified in the 2021 OSSRA report include:

Outdated open source components in commercial software are the norm. 85% of the codebases contained open source dependencies that were more than four years out-of-date. Unlike abandoned projects, these outdated open source components have active developer communities who publish updates and security patches that are not being applied by their downstream commercial consumers. Beyond the obvious security implications of neglecting to apply patches, the use of outdated open source components can contribute to unwieldy technical debt in the form of functionality and compatibility issues associated with future updates.

The prevalence of open source vulnerabilities is trending in the wrong direction. In 2020, the percentage of codebases containing vulnerable open source components rose to 84%, a 9% increase from 2019. Similarly, the percentage of codebases containing high-risk vulnerabilities jumped from 49% to 60%. Several of the top 10 open source vulnerabilities that were found in codebases in 2019 reappeared in the 2020 audits, all with significant percentage increases.

Over 90% of the audited codebases contained open source components with license conflicts, customized licenses, or no license at all. 65% of the codebases audited in 2020 contained open source software license conflicts, typically involving the GNU General Public License. 26% of the codebases were using open source with no license or a customized license. All three issues often need to be evaluated for potential intellectual property infringement and other legal concerns, especially in the context of merger and acquisition transactions.
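The report states its findings as "X% of codebases contained ..." using fixed thresholds (more than four years out of date, no development activity within two years, at least one vulnerability, a license conflict, no or a custom license). The script below is an added example, not code from the OSSRA report or from Black Duck, that applies those same thresholds to a dependency inventory of your own. The `Component` fields, the `"proprietary"` codebase-license marker and the conflict rule (a GPL-family component shipped inside a proprietary codebase is flagged; everything else is treated as compatible) are simplifying assumptions for illustration, as is the sample inventory, which is constructed and not taken from the report.

```python
"""Apply the 2021 OSSRA risk thresholds to a dependency inventory.

Added example, not code from the OSSRA report or from Black Duck.
Thresholds follow the report's fast facts; the license-conflict rule
and the Component schema are simplifying assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

OUTDATED_YEARS = 4   # "more than four years out of date"
INACTIVE_YEARS = 2   # "no development activity within the past two years"
# Assumption: treat these SPDX ids as the GPL family for the conflict rule.
GPL_FAMILY = ("GPL-2.0", "GPL-3.0", "AGPL-3.0", "LGPL-2.1", "LGPL-3.0")


@dataclass
class Component:
    name: str
    version_date: date        # release date of the version actually shipped
    latest_release: date      # release date of the newest upstream version
    last_activity: date       # most recent upstream commit or release
    license: Optional[str]    # SPDX id, "custom", or None when undeclared
    vulns: int = 0            # known vulnerabilities on the shipped version
    high_risk_vulns: int = 0  # of those, how many are high severity


def years_between(earlier: date, later: date) -> float:
    return (later - earlier).days / 365.25


def component_findings(c: Component, today: date, codebase_license: str) -> set:
    """Return the OSSRA-style findings that apply to a single component."""
    findings = set()
    # Outdated = shipped version is more than four years behind upstream's latest.
    if years_between(c.version_date, c.latest_release) > OUTDATED_YEARS:
        findings.add("outdated")
    # Inactive = upstream itself has gone quiet for more than two years.
    if years_between(c.last_activity, today) > INACTIVE_YEARS:
        findings.add("inactive")
    if c.vulns > 0:
        findings.add("vulnerable")
    if c.high_risk_vulns > 0:
        findings.add("high_risk")
    if c.license is None or c.license.lower() == "custom":
        findings.add("no_or_custom_license")
    elif codebase_license == "proprietary" and c.license in GPL_FAMILY:
        findings.add("license_conflict")   # simplified rule, see module docstring
    return findings


def codebase_findings(components, today: date, codebase_license: str) -> set:
    """Union of findings over all components; a codebase 'contains' a finding
    as soon as one component triggers it, matching the report's wording."""
    found = set()
    for c in components:
        found |= component_findings(c, today, codebase_license)
    return found


def fast_facts(codebases, today: date) -> dict:
    """codebases: list of (codebase_license, [Component, ...]).
    Returns the percentage of codebases carrying each finding."""
    keys = ["outdated", "inactive", "vulnerable", "high_risk",
            "no_or_custom_license", "license_conflict"]
    counts = {k: 0 for k in keys}
    for lic, comps in codebases:
        for k in codebase_findings(comps, today, lic):
            counts[k] += 1
    n = len(codebases)
    return {k: round(100 * v / n) for k, v in counts.items()}


# Constructed sample inventory (three hypothetical codebases), not report data.
TODAY = date(2021, 4, 1)
SAMPLE_CODEBASES = [
    ("proprietary", [
        Component("libfoo", date(2015, 3, 1), date(2020, 6, 1), date(2021, 1, 15),
                  "MIT", vulns=3, high_risk_vulns=1),
        Component("gplutil", date(2019, 1, 1), date(2019, 1, 1), date(2019, 2, 1),
                  "GPL-3.0"),
    ]),
    ("proprietary", [
        Component("bar", date(2020, 1, 1), date(2020, 9, 1), date(2021, 3, 1),
                  None, vulns=1),
    ]),
    ("Apache-2.0", [
        Component("baz", date(2020, 5, 1), date(2020, 5, 1), date(2021, 2, 1),
                  "GPL-2.0"),
    ]),
]

if __name__ == "__main__":
    for key, pct in fast_facts(SAMPLE_CODEBASES, TODAY).items():
        print(f"{pct:3d}% of codebases: {key}")
```

The per-codebase aggregation is the part worth noticing: the report's headline figures are "share of codebases containing at least one ...", so a single four-year-old dependency is enough to put a whole application into the 85%. Running `fast_facts` over your own SBOM export (mapping its fields onto `Component`) gives a like-for-like comparison with the report's numbers.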

Personal reflections:
The report mentions Eric Raymond's Linus's law:
In software development, Linus's law is the assertion that "given enough eyeballs, all bugs are shallow". The law was formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar, and was named in honor of Linus Torvalds
