☢️ Toxic Dependencies
📊 Analytics · 2026-05-08, 15:35
Researchers at Black Duck have released their annual report on open-source software security. The study analyzed 947 real-world customer codebases, broken down into approximately 2,843 individual projects for more detailed analysis. The research covered the period from November 2024 through October 2025.
Key findings:
🔺The average number of OSS components per application rose from 911 to 1,180, confirming a persistent trend toward greater reliance on open-source software.
🕵🏻‍♂️About 16% of open-source dependencies were detected only through in-depth analysis, that is, methods capable of finding code fragments that standard tools miss (for example, copied snippets or dependencies vendored into the source tree). Scanners that rely solely on package manifests and declared dependencies (the basis of most generated SBOMs) will not record these components at all, leaving blind spots in an application's composition analysis.
📚About 64% of the codebases contained transitive (shadow) dependencies—packages automatically pulled in when adding a single library. Developers typically do not select them directly and often remain unaware of their presence, which broadens the attack surface and complicates codebase oversight.
✒️Roughly two-thirds of the codebases involved licensing risks or potential conflicts: each transitive component carries its own license terms (for example, attribution requirements or restrictions on commercial use) that developers may violate if they don't verify license compatibility and distribution terms. Such oversights can lead to long-term legal consequences for organizations.
The report stresses that open source is a valuable resource, but without disciplined dependency management it brings serious risks: codebase conflicts, new attack vectors, and legal exposure. The problem is most acute in large, fast-moving projects where developers add libraries "automatically" without checking their origin, licensing, or update history. As a result, an organization may go a long time without knowing which components its products actually contain, creating blind spots for both security and compliance. Effective dependency management, including automated SBOM-based visibility, ongoing vulnerability monitoring, and license governance, is no longer optional but an essential part of the modern development lifecycle.
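As an added example (not code from the Black Duck report or from the original post), the script below turns a constructed `package-lock.json` (v3 layout) into the three views the findings above call for: which packages are direct versus transitive and the dependency chain that pulled each one in, which licenses are undeclared or outside an allow-list, and a minimal CycloneDX-style SBOM. The package names, versions, licenses and the `POLICY_ALLOW` set are all assumptions chosen for illustration.

```python
import json
from collections import deque

# Constructed sample in package-lock.json v3 layout (not any real project's lockfile).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app",
             "dependencies": {"web-framework": "^1.0.0", "logger": "^2.1.0"}},
        "node_modules/web-framework": {
            "version": "1.0.3", "license": "MIT",
            "dependencies": {"http-parser": "^3.0.0", "template-engine": "^0.9.0"}},
        "node_modules/logger": {
            "version": "2.1.0", "license": "Apache-2.0",
            "dependencies": {"colorize": "^1.0.0"}},
        "node_modules/http-parser": {"version": "3.2.1", "license": "BSD-3-Clause"},
        "node_modules/template-engine": {
            "version": "0.9.4", "license": "GPL-3.0-only",
            "dependencies": {"colorize": "^1.0.0"}},
        "node_modules/colorize": {"version": "1.0.0"},  # no license declared at all
    },
})

# Hypothetical organisational policy: licenses acceptable for a proprietary distribution.
POLICY_ALLOW = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}


def parse_lockfile(text):
    """Return (direct dependency names, name -> child names, name -> metadata)."""
    pkgs = json.loads(text)["packages"]
    direct = list(pkgs[""].get("dependencies", {}))
    graph, meta = {}, {}
    for path, entry in pkgs.items():
        if path == "":
            continue
        name = path.rsplit("node_modules/", 1)[1]  # also handles nested node_modules paths
        graph[name] = list(entry.get("dependencies", {}))
        meta[name] = {"version": entry.get("version"), "license": entry.get("license")}
    return direct, graph, meta


def dependency_paths(direct, graph):
    """BFS from the direct dependencies; for every reachable package record the
    shortest chain from a direct dependency (the 'why is this here?' answer)."""
    paths = {name: [name] for name in direct}
    queue = deque(direct)
    while queue:
        current = queue.popleft()
        for child in graph.get(current, []):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def license_findings(meta, paths, allow=POLICY_ALLOW):
    """Flag packages whose license is undeclared or outside the allow-list,
    together with the chain that pulled them in."""
    findings = []
    for name in sorted(meta):
        lic = meta[name]["license"]
        reason = "undeclared" if lic is None else ("not-in-allow-list" if lic not in allow else None)
        if reason:
            findings.append({"name": name, "license": lic, "reason": reason, "via": paths.get(name)})
    return findings


def build_sbom(app_name, meta, direct):
    """Minimal CycloneDX-style document; not schema-validated, illustration only."""
    components = []
    for name in sorted(meta):
        comp = {"type": "library", "name": name, "version": meta[name]["version"],
                "purl": f"pkg:npm/{name}@{meta[name]['version']}",
                "properties": [{"name": "scope",
                                "value": "direct" if name in direct else "transitive"}]}
        if meta[name]["license"]:
            comp["licenses"] = [{"license": {"id": meta[name]["license"]}}]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5",
            "metadata": {"component": {"type": "application", "name": app_name}},
            "components": components}


def analyze(text):
    """Full report: direct/transitive split, pull-in chains, license findings, SBOM."""
    direct, graph, meta = parse_lockfile(text)
    paths = dependency_paths(direct, graph)
    transitive = sorted(n for n in paths if n not in direct)
    return {"direct": direct, "transitive": transitive,
            "transitive_share": round(len(transitive) / len(meta), 2), "paths": paths,
            "license_findings": license_findings(meta, paths),
            "sbom": build_sbom(json.loads(text)["name"], meta, direct)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOCKFILE)
    print(f"direct={len(report['direct'])} transitive={len(report['transitive'])} "
          f"share={report['transitive_share']:.0%}")
    for f in report["license_findings"]:
        print(f"{f['reason']}: {f['name']} ({f['license']}) via {' -> '.join(f['via'])}")
```

On the sample, three of the five packages are transitive (60%), `colorize` is reachable both through `logger` and through `template-engine` but is reported with its shortest chain, and the two license findings (an undeclared license and a copyleft package two hops below a permissively licensed framework) are exactly the cases a manifest-only review of `package.json` would never surface.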