Deep dependencies add to OSS security, legal risk
Transitive dependencies, where one software component depends on another, which depends on another, and so on, are a challenge for an organization's visibility into OSS risk. Black Duck found that 64% of the OSS components in commercial codebases were transitive dependencies, and that nearly half of the high- and critical-risk vulnerabilities discovered originated in transitive dependencies.

These multi-layered dependencies also carry legal risk: nearly 30% of the license conflicts found in codebases came from transitive dependencies. Overall, 56% of codebases contained license conflicts that could raise legal issues and potentially delay products from going to market.

"The most significant takeaway from my perspective is that blind spots are prevalent when it comes to open source dependency management. We've stressed for some time the importance of eliminating blind spots, and that has become particularly important as more industries and consumers demand complete supply chain visibility," said McGuire.

Automated methods such as software composition analysis (SCA), which resolve the full dependency graph rather than only the packages a project declares directly, are needed to understand the relationships between software components, including deep transitive dependencies, and to generate comprehensive SBOMs.
Top OSS vulnerabilities: jQuery, XSS and DoS
One third of the codebases Black Duck analyzed for vulnerabilities were vulnerable to jQuery CVE-2020-11023, a medium-severity flaw that can lead to cross-site scripting (XSS) through improper neutralization of input during web page generation (CWE-79). The flaw affects jQuery versions from 1.0.3 up to but not including 3.5.0, and it was added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA) on January 23, 2025.

The patch for CVE-2020-11023 shipped in jQuery 3.5.0 in April 2020, and the most recent version of jQuery, 3.7.1, was released in August 2023. That so many codebases still carry a pre-3.5.0 jQuery nearly five years after the fix demonstrates how common outdated open source components are in commercial codebases and the risk this poses.

A second, similar XSS flaw in jQuery, tracked as CVE-2020-11022, also affected a third of codebases. Weaknesses that can lead to XSS were exceedingly common: improper input validation (CWE-20) affected 71% of codebases, CWE-79 affected 56%, and improper neutralization of script-related HTML tags in a web page (CWE-80) affected 44%.

Weaknesses that can lead to denial of service (DoS) were the second most common category: uncontrolled resource consumption (CWE-400) affected 70% of commercial codebases, allocation of resources without limits or throttling (CWE-770) affected 48%, and inefficient regular expression complexity (CWE-1333) affected 36%.

Many of these flaws are the result of using outdated or unmaintained OSS components: 90% of codebases used open source components that were more than four years out of date, 91% used components that had seen no new development in the past two years, and 90% used OSS components that were more than 10 versions behind the most recent release.

While keeping every component 100% up to date may be impractical, Black Duck recommends that organizations maintain awareness of high-risk flaws, such as those with critical CVSS scores or those added to the KEV catalog, by following project websites and repositories and by using package managers, automated monitoring tools and version tracking tools.
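The two problems the report describes, transitive dependencies that never appear in a project's own manifest and known-vulnerable versions such as pre-3.5.0 jQuery sitting deep in the tree, can both be surfaced from a lockfile. The following script is an added example, not code from Black Duck or from the report: it walks an npm `package-lock.json` (lockfileVersion 2/3) the way Node's module resolution does, records how many hops below the root each package sits, and matches the resolved versions against the two jQuery advisories named above. The lockfile, the package names `legacy-widgets` and `demo-app`, and the advisory table are constructed for the example; the jQuery version ranges are taken from the NVD records (CVE-2020-11023: 1.0.3 up to 3.5.0, CVE-2020-11022: 1.2.0 up to 3.5.0).

```python
"""Find transitive dependencies and known-vulnerable versions in an npm lockfile.

Added example: walks package-lock.json (lockfileVersion 2/3), computes the depth
of every resolved package below the root, and flags versions inside an advisory's
affected range. Sample data below is constructed, not a real project.
"""
import json
from collections import deque

# Constructed lockfile. jquery 3.4.1 is only reached via legacy-widgets, so it
# is a transitive dependency that a manifest-only review would miss.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"legacy-widgets": "^1.0.0", "lodash": "^4.17.21"}},
    "node_modules/legacy-widgets": {"version": "1.2.0",
                                    "dependencies": {"jquery": "^3.4.0"}},
    "node_modules/jquery": {"version": "3.4.1"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}
""")

# Affected ranges as half-open intervals [introduced, fixed), taken from NVD.
ADVISORIES = [
    {"id": "CVE-2020-11023", "package": "jquery",
     "introduced": (1, 0, 3), "fixed": (3, 5, 0)},
    {"id": "CVE-2020-11022", "package": "jquery",
     "introduced": (1, 2, 0), "fixed": (3, 5, 0)},
]


def parse_version(text):
    """'3.4.1' or '3.5.0-rc1' -> (3, 4, 1); pads to three components."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version, advisory):
    return advisory["introduced"] <= parse_version(version) < advisory["fixed"]


def resolve(packages, requester_path, dep_name):
    """Emulate Node resolution: look in node_modules next to the requester,
    then in each parent directory up to the project root."""
    base = requester_path
    while True:
        candidate = (f"{base}/node_modules/{dep_name}" if base
                     else f"node_modules/{dep_name}")
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def dependency_depths(lock):
    """Breadth-first walk from the root; depth 1 = direct, >1 = transitive."""
    packages = lock["packages"]
    depths = {}
    queue = deque([("", 0)])
    while queue:
        path, depth = queue.popleft()
        for dep in packages[path].get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is None or target in depths:
                continue  # unresolvable (lockfile inconsistency) or already seen
            depths[target] = depth + 1
            queue.append((target, depth + 1))
    return depths


def find_vulnerable(lock):
    """Return one finding per (package, advisory) match, with its tree depth."""
    packages = lock["packages"]
    findings = []
    for path, depth in dependency_depths(lock).items():
        name = path.rsplit("node_modules/", 1)[1]
        version = packages[path]["version"]
        for adv in ADVISORIES:
            if adv["package"] == name and is_affected(version, adv):
                findings.append({"id": adv["id"], "package": name,
                                 "version": version, "depth": depth,
                                 "transitive": depth > 1})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_LOCK):
        kind = "transitive" if f["transitive"] else "direct"
        print(f"{f['id']}: {f['package']}@{f['version']} ({kind}, depth {f['depth']})")
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; the depth column is what makes the difference between "we don't use jQuery" and "a widget library two levels down pins jQuery 3.4.1". A production SCA tool does the same walk with a full advisory feed rather than a two-entry table, and the same half-open interval comparison is how it decides whether a resolved version is inside an affected range.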