Commercial software is riddled with old critical open source flaws that are largely hidden from the eyes of enterprises, according to Black Duck Software.

The manual audit report, The State of Open Source Security in Commercial Applications [PDF], by the open source security tester studied 200 applications over a six-month period ending in March, finding that 67 percent of open source components had unpatched holes, or about 23 holes apiece.

The holes were five years old on average; 40 percent were classified as high severity, with CVSS scores of seven and above, and 52 percent as medium severity.

Ten percent of the flaws were POODLE (Padding Oracle On Downgraded Legacy Encryption), revealed by El Reg in October.

Well-marketed and iconised flaws LogJam and FREAK comprised five percent of all vulnerable open source components.

About 45 percent of the company's clients (it did not provide a customer count) were aware of the components used in the software.

Security vice president Mike Pittenger says common customer security tools are ineffective at revealing the flaws, so enterprises remain ignorant of their exposure.

"Many of these companies have … tools are not effective at identifying the types of vulnerabilities disclosed every day in popular open source components," Pittenger says in the report.

"More importantly, if a customer is not aware of all of the open source in use, they cannot defend against common attacks against known vulnerabilities in those components.

"This represents a significant risk to organizations deploying these applications."
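Pittenger's point is that defence starts with an inventory: an organisation that does not know which open source components it ships cannot correlate them with published advisories. The script below is an added illustration of that correlation step and is not Black Duck's tooling or the report's methodology. It takes a constructed component inventory and a constructed advisory list (placeholder ids, not real CVEs), flags every component running a version below the advisory's fix, and summarises the result the way the report does: share of components with unpatched holes, number of holes, CVSS severity buckets and average age of the flaws. The 7.0 high-severity threshold is the one the article quotes; the 4.0 lower bound of the medium band is an assumption taken from the CVSS v2 rating scale.

```python
"""Added example: correlate an open source component inventory with known
advisories and summarise the exposure (not Black Duck's code or data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

HIGH_CVSS = 7.0    # article: "high severity with CVSS scores of seven and above"
MEDIUM_CVSS = 4.0  # assumption: CVSS v2 medium band starts at 4.0


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str      # constructed placeholder, not a real CVE id
    component: str
    fixed_in: str     # first version that carries the fix
    cvss: float
    disclosed: date


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real ecosystems need their own
    comparator (semver, PEP 440, Maven), which is where naive SCA goes wrong."""
    return tuple(int(part) for part in v.split("."))


def is_affected(comp: Component, adv: Advisory) -> bool:
    """A component is affected if it is the advisory's component and its
    version is older than the first fixed version."""
    return (comp.name == adv.component
            and parse_version(comp.version) < parse_version(adv.fixed_in))


def severity(cvss: float) -> str:
    if cvss >= HIGH_CVSS:
        return "high"
    if cvss >= MEDIUM_CVSS:
        return "medium"
    return "low"


def assess(inventory: List[Component], advisories: List[Advisory], today: date) -> Dict:
    """Match every inventory entry against every advisory and aggregate."""
    findings = {c: [a for a in advisories if is_affected(c, a)] for c in inventory}
    hits = [a for advs in findings.values() for a in advs]
    vulnerable = [c for c, advs in findings.items() if advs]
    by_severity = {"high": 0, "medium": 0, "low": 0}
    for adv in hits:
        by_severity[severity(adv.cvss)] += 1
    avg_age = (sum((today - a.disclosed).days for a in hits) / 365.25 / len(hits)
               if hits else 0.0)
    return {
        "components": len(inventory),
        "vulnerable_components": len(vulnerable),
        "pct_vulnerable": round(100 * len(vulnerable) / len(inventory), 1) if inventory else 0.0,
        "findings": len(hits),
        "by_severity": by_severity,
        "avg_age_years": round(avg_age, 1),
        "detail": {c.name: [a.vuln_id for a in advs] for c, advs in findings.items() if advs},
    }


# Constructed sample data: component names, versions, ids and dates are invented.
INVENTORY = [
    Component("example-tls", "1.0.1"),
    Component("example-json", "2.3.0"),
    Component("example-logger", "1.2.7"),
    Component("example-xml", "3.0.0"),
]
ADVISORIES = [
    Advisory("ADV-0001", "example-tls", "1.0.2", 4.3, date(2014, 10, 14)),
    Advisory("ADV-0002", "example-tls", "1.0.1", 5.0, date(2015, 5, 20)),   # already fixed in 1.0.1
    Advisory("ADV-0003", "example-json", "2.4.0", 7.5, date(2012, 3, 1)),
    Advisory("ADV-0004", "example-json", "2.3.1", 9.8, date(2013, 7, 9)),
    Advisory("ADV-0005", "example-logger", "1.2.7", 7.2, date(2016, 1, 1)),  # already fixed in 1.2.7
]
TODAY = date(2016, 4, 1)  # fixed reference date so the age figure is reproducible


def run_sample() -> Dict:
    return assess(INVENTORY, ADVISORIES, TODAY)


if __name__ == "__main__":
    result = run_sample()
    for key, value in result.items():
        print(f"{key}: {value}")
```

The two advisories whose fix version equals the installed version produce no finding, which is the check a version-aware correlation adds over a name-only match. In practice the inventory comes from build manifests or a generated SBOM and the advisory list from a feed such as NVD; the matching logic stays the same.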

The tester found open source in 95 percent of the studied client applications, each containing 105 open source components, or about 35 percent of the average app's total codebase.

In-house apps are up to 75 percent open source. ®