Chart of the Week

OCT 2023: VOLUME 4

Unearthing the Hidden Risks: Critical Inherent Risk Scores in Open-Source Components

Insights into your Software Supply Chain

Introduction

In today's rapidly evolving tech landscape, open-source software has become the backbone of countless applications and systems. However, a recent study by Lineaje AI Labs has shed light on a concerning statistic: a staggering 40% of open-source software components have a Critical inherent risk score.

Understanding Inherent Risk Score

An inherent risk score measures the potential software supply chain threats and vulnerabilities that are inherent to a software component. It encompasses vulnerabilities, code quality, security posture, open and unfixed issues, age, and other fundamental issues that pose a risk to the security and stability of a software project.

Implications for the Software Ecosystem

This revelation raises important questions about the security posture of the software we rely on. Here are some of the implications we need to consider:

  • Long-term Vulnerabilities: Inherent risks are not easily patched or fixed through routine updates. This means that even seemingly stable open-source components may carry latent “weaknesses” that could be exploited in the future.
  • Complexity Management: Identifying and addressing inherent risks requires a deep understanding of the software's architecture. This can be a challenging task, particularly in projects with a large and diverse codebase.
  • Shift Towards Proactive Security: Focusing solely on vulnerabilities may not be enough. Organizations must now adopt a proactive approach to identifying and mitigating inherent risks from the outset, by shifting left of "Shift-Left".
  • Dependency Evaluation: Relying on components with high inherent risks can have a cascading effect on the security of the entire software ecosystem. A comprehensive assessment of dependencies is now more critical than ever.
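To make the "inherent risk" and "cascading dependency" ideas concrete, here is an added illustration (not Lineaje's scoring model and not code from the newsletter). It scores each component of a small, constructed SBOM-style dependency graph from the factors listed above (unfixed vulnerabilities, open issues, age, code quality), assigns a Low/Medium/High/Critical band, and then walks the dependency graph to find the worst score an application is transitively exposed to. The weights, thresholds, component names and version numbers are all hypothetical.

```python
"""Toy inherent-risk scoring over a constructed SBOM-style dependency graph.

The weights, band thresholds and sample components are hypothetical; they are
chosen only to illustrate how a per-component score can be rolled up through
transitive dependencies. This is not Lineaje's model.
"""
from __future__ import annotations

from dataclasses import dataclass

# Band floors on a 0..100 scale (hypothetical thresholds).
BANDS = (("Critical", 75), ("High", 50), ("Medium", 25), ("Low", 0))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    known_vulns: int            # unfixed known vulnerabilities (from an advisory feed)
    open_issues: int            # open, unaddressed issues in the upstream tracker
    years_since_release: float  # staleness: time since the last release
    code_quality: float         # 0.0 (poor) .. 1.0 (good), e.g. coverage/lint signal
    deps: tuple = ()            # direct dependencies, by component name


def inherent_score(c: Component) -> int:
    """Combine the listed risk factors into a 0..100 score (hypothetical weights)."""
    score = 0.0
    score += min(c.known_vulns, 5) * 12           # up to 60 points from unfixed vulns
    score += min(c.open_issues, 50) * 0.4         # up to 20 points from open issues
    score += min(c.years_since_release, 4) * 5    # up to 20 points from staleness
    score -= c.code_quality * 20                  # good code quality lowers the score
    return int(round(max(0.0, min(100.0, score))))


def band(score: int) -> str:
    """Map a numeric score onto its risk band."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "Low"


def build_graph(components: list[Component]) -> dict[str, Component]:
    return {c.name: c for c in components}


def transitive_exposure(name: str, graph: dict[str, Component],
                        seen: set[str] | None = None) -> tuple[int, str]:
    """Return (score, component) of the riskiest node reachable from `name`.

    A dependency missing from the graph is an incomplete SBOM and is reported
    as an error rather than silently treated as safe.
    """
    seen = set() if seen is None else seen
    if name in seen:                 # cycle / diamond guard: already counted
        return (0, name)
    seen.add(name)
    if name not in graph:
        raise ValueError(f"dependency {name!r} is not in the SBOM")
    comp = graph[name]
    worst = (inherent_score(comp), comp.name)
    for dep in comp.deps:
        worst = max(worst, transitive_exposure(dep, graph, seen))
    return worst


def critical_fraction(graph: dict[str, Component]) -> float:
    """Share of components in the graph whose own score lands in the Critical band."""
    scores = [inherent_score(c) for c in graph.values()]
    return sum(1 for s in scores if band(s) == "Critical") / len(scores)


# Constructed sample graph: webapp -> libparse -> oldcrypto, webapp -> tinyutil.
SAMPLE = build_graph([
    Component("webapp", "1.0.0", 0, 5, 0.2, 0.8, deps=("libparse", "tinyutil")),
    Component("libparse", "2.1.0", 3, 40, 3.0, 0.2, deps=("oldcrypto",)),
    Component("oldcrypto", "0.9.1", 5, 50, 4.0, 0.1),
    Component("tinyutil", "1.0.0", 0, 2, 0.5, 0.9),
])

if __name__ == "__main__":
    for comp in SAMPLE.values():
        s = inherent_score(comp)
        print(f"{comp.name:10} {comp.version:6} score={s:3} band={band(s)}")
    score, culprit = transitive_exposure("webapp", SAMPLE)
    print(f"webapp transitive exposure: {band(score)} ({score}) via {culprit}")
    print(f"fraction of components rated Critical: {critical_fraction(SAMPLE):.2f}")
```

The point the walk makes is the "cascading effect" from the list above: `webapp` scores Low on its own, yet it is transitively exposed to a Critical component two levels down, so a dependency review that stops at direct dependencies would miss it.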

Conclusion

The revelation of a high prevalence of critical inherent risk scores in open-source components represents a startling data point for the industry. It underscores the need for a more nuanced approach to software security, one that goes beyond addressing surface-level vulnerabilities. By embracing proactive measures and truly understanding what's in your software, we can fortify the foundation of the software that powers our digital world.