Open source vulnerabilities double with AI code creation

Open source has become effectively universal, appearing in 98 percent of codebases, meaning almost every application now inherits third-party risk. Meanwhile, AI-generated code and AI model integration have introduced new forms of risk.

The 2026 Open Source Security and Risk Analysis (OSSRA) report from Black Duck, based on analysis of 947 codebases across 17 industries, shows a software ecosystem transformed by AI-assisted development, where code, dependencies, and risks are being introduced at unprecedented speed.

The study shows mean vulnerabilities per codebase jumping 107 percent. Additionally, open source component counts increased 30 percent year-over-year, and the number of files per codebase grew 74 percent. According to the report, AI model adoption has also created a new, unregulated attack surface.

AI-generated code also creates new IP and license risks, since models may reproduce code governed by restrictive licenses such as GPL and AGPL. In fact, the 2026 OSSRA report finds that two-thirds of audited codebases contain license conflicts — the highest rate in OSSRA history. The 12 percentage-point increase identified this year (68 percent compared to 56 percent last year) is the largest single-year jump the study has recorded.

While 76 percent of surveyed organizations check AI-generated code for security risks, only 54 percent evaluate it for IP and license risks, and just 56 percent assess quality issues. Altogether, only 24 percent perform comprehensive IP, license, security, and quality evaluations for AI-generated code. The report warns that organizations can’t comply with upcoming regulations — such as the EU Cyber Resilience Act (CRA) — unless they track AI models with the same rigor as open source components, improve SBOM accuracy and vulnerability workflows, and develop clear AI usage and retraining policies.

“AI has fundamentally changed the economics of software development — and with it, the economics of software risk,” says Jason Schmitt, CEO at Black Duck. “This year’s OSSRA findings underscore a truth the industry can no longer ignore: the pace at which software is created now exceeds the pace at which most organizations can secure it. Companies that fail to modernize their supply chain governance risk falling behind not only technologically, but competitively.”

The full 2026 Open Source Security and Risk Analysis (OSSRA) report is available from the Black Duck site.

Image credit: Lishchyshyn/depositphotos.com