Uncovering the Presence of Vulnerable Open-Source Components in Commercial Software

Osterman Research Report

The recent cybersecurity presidential executive order put a spotlight on software supply chain security. The findings in this research report reveal a serious weakness in the software supply chain of many widely used commercial off-the-shelf software applications. The analysis found that all applications in five common software categories (web browsers, email, file sharing, online meetings and messaging) contained vulnerable open-source components that put enterprise organizations at risk of cyberattacks.


Exhibit: Vulnerability Severity per Category (component with the highest CVSS score in each product)

Report Highlights

  • Applications in the meeting and email client categories are the most vulnerable
  • 100% of all analyzed applications contain vulnerable open-source components
  • Critical vulnerabilities (CVSS 10.0) are found in 85% of these applications
  • These widely used applications present serious cybersecurity risk to organizations


GrammaTech used its CodeSentry software supply chain security platform to analyze widely used software applications for the presence of open-source components and vulnerabilities. Osterman Research studied the output of the analysis to generate this report.
