What Is “Risk” in the Age of Open Source?

The Black Duck Audit Services team at Synopsys conducts open source audits on thousands of codebases for its customers every year. Those audits are driven primarily by merger and acquisition transactions and ultimately become the primary source of anonymized data for our annual Open Source Security and Risk Analysis (OSSRA) report. The just-released 2019 OSSRA report examines findings from over 1,200 commercial codebases audited for organizations that wanted to assess their open source license compliance and security risks.

The audits found open source in over 96% of the codebases scanned in 2018, and in more than 99% of the codebases containing over 1,000 files. Open source represented 60% of the code analyzed in 2018, up from 57% in 2017. These numbers reflect the fact that the audited codebases were generally from companies whose business is building software. The value of such companies is often in their proprietary code, so the ratio of open source to proprietary code in their codebases tends to be lower.