Black Duck: 1,180 OSS components per app
- Black Duck’s 2026 OSSRA report says open source risk jumped sharply as AI-assisted development sped up, based on 947 commercial codebases audited across 17 industries.
- The headline numbers moved fast: average open source component counts rose 30%, average vulnerabilities per codebase hit 581, and 68% of codebases had license conflicts.
- The bigger issue is visibility — modern apps inherit risk through sprawling dependency chains, outdated components, and AI-generated code that governance still misses.
Open source software is now so embedded in commercial apps that most teams are no longer really “adding a library.” They’re inheriting an ecosystem. That’s the point behind Black Duck’s latest OSSRA report, released on February 25, 2026 — the company looked at 947 commercial codebases and found that the attack surface is growing faster than most organizations can govern it. The eye-catching part is the jump in vulnerabilities. But the more important part is the compounding complexity around dependencies, licenses, and AI-generated code.

### What is this report actually measuring?

Black Duck’s OSSRA is an annual snapshot built from audits of real commercial codebases, not a survey of developer opinions. This year’s edition spans 17 industries and focuses on how open source components, vulnerabilities, license conflicts, and operational risks show up in production-bound software. Open source appeared in 98% of audited codebases, which basically means third-party code is now the default substrate for modern software. (blackduck.com)

### What changed this year?

The big shift is speed. Black Duck says the mean number of files per codebase grew 74% year over year, while average open source component counts rose 30%. At the same time, mean open source vulnerabilities per codebase jumped 107% to 581. That combination matters because more code and more components do not scale linearly — each new dependency can pull in several more behind it. (news.blackduck.com)

### Why do dependency counts matter so much?

Because a dependency is rarely just one package. A direct dependency often drags in transitive dependencies — packages your team never chose explicitly but still ships, trusts, and has to patch. Black Duck has been warning about this for a while, and its prior OSSRA analysis found 64% of identified open source components were transitive dependencies.
That is the hidden part of the software supply chain — the stuff that expands blast radius without showing up clearly in day-one architecture diagrams. (blackduck.com)

### Why is licensing back in the spotlight?

Security gets the headlines, but licensing can become a release blocker just as fast. In the 2026 report, 68% of audited codebases contained open source license conflicts, up from 56% a year earlier — the highest rate in the report’s history. Black Duck ties part of that jump to AI-generated code, including cases where coding assistants may reproduce snippets from copyleft-licensed projects without preserving the original licensing context. (blackduck.com)

### Where does AI fit into this?

AI is acting like a force multiplier. It helps developers produce code faster, but governance has not kept pace. Black Duck says 57% of organizations are using AI-powered assistants, and only 24% fully evaluate AI-generated code across IP, license, security, and quality risks. So the problem is not just “more code.” It is more code with fuzzier provenance. (news.blackduck.com)

### Why are old components such a problem?

Because stale packages turn into “zombie components” — software that remains in production long after maintainers have moved on. Black Duck says 92% of codebases contain components that are at least four years out of date. When a flaw lands in one of those packages, teams often have three bad options: fork it, refactor around it, or live with the risk. None is cheap. (blackduck.com)

### So what’s the practical takeaway?

The story is not that open source suddenly became dangerous. It is that modern software assembly has become too layered and too automated for spreadsheet-level tracking. If most applications are built from sprawling dependency trees, then software bills of materials, dependency analysis, and policy checks stop being compliance theater and start being basic operational hygiene.
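As an added illustration of the kind of SBOM-driven policy check described here (this is not Black Duck's tooling or code from the report), the following Python walks a small constructed SBOM fragment, separates direct from transitive dependencies, flags components past the report's four-year staleness threshold, and flags strong-copyleft components shipped inside a proprietary application. Component names, dates and licences are constructed, and the CycloneDX-flavoured dictionary shape is an assumption rather than a parser for the real format.

```python
from collections import deque
from datetime import date

# Constructed, CycloneDX-flavoured SBOM fragment (not a real project).
# "app" is the application itself; the rest are open source components.
SBOM = {
    "components": {
        "app":         {"license": "Proprietary",  "released": date(2026, 1, 10)},
        "web-fw":      {"license": "MIT",          "released": date(2025, 6, 1)},
        "json-lib":    {"license": "Apache-2.0",   "released": date(2019, 3, 12)},
        "crypto-util": {"license": "GPL-3.0-only", "released": date(2020, 11, 5)},
        "logger":      {"license": "BSD-3-Clause", "released": date(2024, 2, 20)},
    },
    # dependsOn edges: which component pulls in which
    "dependencies": {"app": ["web-fw", "logger"], "web-fw": ["json-lib"],
                     "json-lib": ["crypto-util"]},
}

# Strong-copyleft licences that conflict with a proprietary application.
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
            "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
STALE_AFTER_DAYS = 4 * 365  # the report's "at least four years out of date"
REPORT_DATE = date(2026, 2, 25)  # constructed reference date for staleness

def dependency_closure(sbom, root="app"):
    """Return (direct, transitive) sets of component names shipped with root."""
    edges = sbom["dependencies"]
    direct = set(edges.get(root, []))
    seen, queue = set(direct), deque(direct)
    while queue:  # breadth-first walk over dependsOn edges
        for child in edges.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return direct, seen - direct

def policy_check(sbom, as_of=REPORT_DATE, root="app"):
    """Flag transitive share, stale components and licence conflicts."""
    direct, transitive = dependency_closure(sbom, root)
    shipped = direct | transitive
    comps = sbom["components"]
    stale = sorted(n for n in shipped
                   if (as_of - comps[n]["released"]).days >= STALE_AFTER_DAYS)
    proprietary = comps[root]["license"] == "Proprietary"
    conflicts = sorted(n for n in shipped
                       if proprietary and comps[n]["license"] in COPYLEFT)
    return {"direct": sorted(direct), "transitive": sorted(transitive),
            "transitive_share": round(len(transitive) / max(len(shipped), 1), 2),
            "stale": stale, "license_conflicts": conflicts}
```

Here the GPL-licensed component never appears in the application's own manifest; it arrives two hops down, which is exactly the inherited risk the report describes.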
Black Duck is really describing a visibility crisis — one made worse by AI speedups, not created by them.

### Bottom line

The scary number is 581 vulnerabilities per codebase. But the more durable lesson is that software risk now lives in the connections — the transitive packages, inherited licenses, and generated snippets teams did not fully see when they shipped.

(blackduck.com 1) (blackduck.com 2)