TL;DR: the risks that come with open-source software include vulnerabilities in code, meaning that software could be targeted if it is not kept up to date, and licence obligations not being met, potentially leading to legal problems.
What are the risks associated with open-source software?
There are many different risks when using open-source code:
The first main risk is using open-source software when the terms and conditions of the licence don't match those of your business or commercial model. For example, if you add a component with a GPL licence to your code, the terms require that when you release your code, it must be delivered under the same or equivalent terms. This is a problem for a closed-source application, because the GPL requires the source of your application to be supplied, meaning it would no longer be closed-source. This is known as Copyleft or Licence Reciprocity.
Vulnerabilities in open-source software
Because of the open nature of open-source, vulnerabilities that are discovered are reported back to the developers by a vast community, which creates both opportunities and problems. Overall, this has a positive impact on security, because anyone can contribute by reporting vulnerabilities and improving the code. The downside is that hackers can just as easily discover the security flaws that exist in older versions, meaning that if you aren't up to date, you can easily become a target.
As the world becomes increasingly dependent on technology, software is used everywhere from core national infrastructure, such as telecoms, utilities (water, gas, electricity), aviation and defence, to smart home devices (heating, kitchen appliances, smart meters and various other IoT devices). It must therefore be safe and secure. If a vulnerability exists in a system where classified information is stored, or in a system that holds a company together, and that vulnerability is targeted, the result could be detrimental or dangerous.
Supply chain attacks
One major example is the Equifax data breach. The multinational consumer credit reporting agency had not applied a patch for a third-party vulnerability, resulting in over 150 million customers' private records being compromised. The framework for their website used Apache Struts 2, in which a vulnerability had recently been found, and everybody had been encouraged to update. Had Equifax had a system that tracked all the dependencies in the external code they used, they would have realised the severity of the vulnerability, made sure to update their open-source code, and saved the records from being released.
Another example is the Log4j library for Java, which had a major vulnerability while being used on millions of computers globally. The vulnerability meant that passwords and data could be stolen, and malicious software could be planted in the systems of governments, organisations and individuals. The only way at the time that the fix could be applied was by updating the software, meaning that if products and organisations didn't have logs of all their dependencies, they could miss updating it.
Legal action as a result of non-compliance
The other main risk is legal action if you aren't complying with the obligations or terms within the licences of your open-source dependencies. For example, there was a recent case (2021) between the Software Freedom Conservancy (SFC) and Vizio Inc, in which Vizio didn't comply with the requirements of the GPL (General Public Licence). Vizio allegedly copied and modified GPL code but didn't release the modified version as the GPL licence requires.
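As an added example (not part of the original post), here is the kind of dependency-inventory check that the Equifax and Log4j examples argue for, extended to the copyleft concern raised above: it parses a constructed lock-file-style inventory, flags versions that fall inside an affected range, and lists copyleft components that conflict with a closed-source product. The package names, versions, licences and advisory ranges are constructed for illustration and are not taken from any real advisory.

```python
"""Dependency-inventory check on constructed data: flags versions inside a
known-affected range and copyleft components in a closed-source product."""

# Constructed "name==version licence" inventory, standing in for a lock file
# or SBOM. Versions and ranges below are illustrative, not real advisories.
INVENTORY_TEXT = """\
struts2-core==2.3.31 Apache-2.0
log4j-core==2.14.1 Apache-2.0
tiny-json==3.2.0 MIT
shell-helper==1.0.0 GPL-3.0-only
"""
# Constructed advisories: (component, first affected, first fixed version).
ADVISORIES = [
    ("struts2-core", "2.3.5", "2.3.32"),
    ("log4j-core", "2.0.0", "2.15.0"),
]
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")

def parse_version(text):
    """'2.3.31' -> (2, 3, 31); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))

def parse_inventory(text):
    """Return [(name, version_tuple, licence)] for each non-empty line."""
    components = []
    for line in text.splitlines():
        if line.strip():
            spec, licence = line.split()
            name, version = spec.split("==")
            components.append((name, parse_version(version), licence))
    return components

def vulnerable_components(components, advisories):
    """Components whose version lies in [first_affected, first_fixed)."""
    hits = []
    for name, version, _ in components:
        for adv_name, first_bad, fixed in advisories:
            if name == adv_name and parse_version(first_bad) <= version < parse_version(fixed):
                hits.append((name, version, fixed))
    return hits

def copyleft_conflicts(components, closed_source=True):
    """Copyleft only conflicts when the product itself stays closed-source."""
    if not closed_source:
        return []
    return [name for name, _, licence in components
            if licence.startswith(COPYLEFT_PREFIXES)]
```

Running `vulnerable_components(parse_inventory(INVENTORY_TEXT), ADVISORIES)` reports both constructed components that need updating, and `copyleft_conflicts` reports the GPL component that needs a licence review before closed-source distribution.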
Working towards OpenChain certification allows companies to identify the areas in which they need to improve, and to understand the benefits of open-source as well as the legal risk and the costs and risks associated with it.