version v7.2.
For up-to-date documentation, see the
latest version.
Obsolescence and Operational Risk
6 minute read
Software Composition Analysis does more than detect known vulnerabilities.
It also helps teams assess the operational risks carried by their dependencies: structural risks that carry no CVE today, but that silently erode the project’s long-term security posture.
Operational Risk is the measure of a project’s ability to react to future vulnerabilities.
Understanding the difference between a vulnerability and operational risk is fundamental:
- A Vulnerability is an Event: It is a specific flaw (CVE) discovered at a point in time. It is a “hole” in the defense that requires a reaction.
- Operational Risk is a State: It is the Loss of Maintainability. It does not appear in a security advisory and often accumulates silently without triggering alerts.
It represents the structural fragility of your foundation.
Obsolescence
Obsolescence is the primary driver of Operational Risk. It is the process by which a component transitions from a maintainable state to a brittle state.
This loss of maintainability occurs across two distinct dimensions:
Version Lag (Internal Risk)
Version Lag is the gap between the version you are using and the latest stable release.
This is essentially technical debt — the component is still supported, but your project has drifted too far from the current standard.
The further you lag, the harder it becomes to apply security patches without breaking functionality.
Lifecycle End & Ecosystem Collapse (External Risk)
Lifecycle End & Ecosystem Collapse occurs when the component itself ceases to be a viable foundation, regardless of which version you use.
This manifests in three ways:
- End-of-Life (EOL): The vendor or maintainer has officially stopped providing updates and security patches.
- Functional Abandonment: The community has stopped maintaining the code.
Zombie trap: do not confuse activity with health.
A component can show recent commits or a high download count while being effectively abandoned no stable releases, no response to security disclosures. Always assess release frequency, not just repository activity.
Obsolescence vs Vulnerability
A vulnerability is something that happens to a component.
Obsolescence is the condition that determines what happens next, it is the precondition that shapes your ability to respond.
| Feature | Vulnerability (CVE) | Obsolescence |
|---|---|---|
| Nature | A specific technical flaw or “hole” in the code (e.g., Buffer Overflow). | A status indicating the component is no longer supported or “alive.” |
| Risk Type | Immediate: Can be exploited by an attacker right now. | Structural: Increases technical debt and prevents future security patching. |
| Remediation | Usually solved by a Patch or a minor version update. | Often requires a major Update or migration to a different library/framework. |
| Predictability | Reactive: You react when a CVE is published. | Proactive: You can plan for an EOL date months in advance. |
A component may have zero known CVEs. However, if a vulnerability is discovered in an obsolete component, no patch will ever be released.
Operational Impact & Risk Assessment
Version Lag
Assessing maintainability loss requires a different approach for each dimension. Version Lag applies to both COTS and OSS components.
Thales projects should determine the obsolescence threshold of a component by evaluating several indicators.
Teams could utilize the following frameworks to evaluate their dependencies:
Black Duck version risk
Black Duck evaluates operational risk by aggregating two dimensions, activity and version into a single score:
- Version age: how long since the current version was released
- Version delta: how many newer versions exist since the one in use
- Community activity: number of commits and contributors over the last 12 months
Understanding Operational Risk in Black Duck
JFrog Xray version risk
Xray calculates operational risk severity by combining multiple independent criteria into an effective risk level:
- EOL status: whether the component has officially reached end of life
- Version age: number of months since the current version was released
- Version delta: number of newer stable versions available since the one in use
- Release cadence: frequency of releases as an indicator of project health
Understanding Operational Risk in JFrog Xray
Practical Application
Both frameworks converge on the same core signals version age and version delta confirming that these are reliable, tool-agnostic indicators of potential lag.
That means that a component version that is significantly older than the latest stable release is generally a signal worth investigating.
The acceptable threshold varies depending on the component’s ecosystem, release cadence, and criticality — the tool frameworks above provide the necessary context to make that judgment.
Where official LTS status is available, it remains the strongest indicator of continued support and should be weighted accordingly.
Lifecycle End
Assessing Lifecycle End requires a different approach depending on the nature of the component.
COTS & Editor-Supported OSS
When a vendor or editor officially manages the component’s lifecycle, EoL and EoS dates are published and trackable. Always verify the official support status before drawing conclusions.
A useful reference for community-maintained but well-documented components is EndOfLife , which aggregates official EoL/EoS dates across a wide range of products.
For Company-name standards, End of Support (EoS) is treated as equivalent to End of Life (EoL). A component under EoS receives no further patches and must be treated as a critical risk.
Community-Only OSS
When no editor governs the lifecycle, there is no published EoL date. Assessment becomes qualitative and relies on observable signals:
- Release frequency: When was the last stable release? Has the cadence slowed significantly?
- Maintainer activity: Are pull requests being reviewed? Are security disclosures being acknowledged?
- Issue tracker health: Are critical issues accumulating without response?
Unlike the 2-year rule, community health assessment is not binary. A component may show weak signals without being fully abandoned.
The goal is to identify components where the risk of receiving no response to a future CVE is high, not to establish a hard pass/fail threshold.
Tool Selection
The Software Factory provides different levels of obsolescence detection capability.
Understanding what each tool covers allows project teams to assess which tool meets their operational risk requirements.
Comparison of Tool Capabilities
| Feature | GitLab SCA | JFrog Xray | Black Duck SCA |
|---|---|---|---|
| Version Lag Detection | ⚠️ Manual custom policies | ✅ Policy-based alerts | ⭐ Automated (Age/Freshness) |
| LTS Awareness | ❌ | ⚠️ Limited | ⭐ Yes (LTS distinction) |
| EoL/EoS Tracking | ⚠️ Limited (via policies) | ✅ Operational Policies | ⭐ Advanced (Lifecycle tracking) |
| Community Health Signals | ❌ | ⚠️ Limited (Download stats) | ⭐ Yes (Release, Maintainer, Issues) |
Why Blackduck for Obsolescence?
Among the available options, Black Duck provides the most comprehensive coverage for obsolescence assessment, addressing both dimensions — Version Lag and Lifecycle End & Ecosystem Collapse — across all four capability areas.
- Operational Risk Metrics: It automatically calculates “Operational Risk” based on how many versions behind we are (directly supporting the Thales 2-year rule).
- LTS Awareness: It distinguishes between a “stale” version and an “LTS” version, preventing false positives on supported older versions.
- Community Health: It tracks the “Single Committer” and “Commit Activity” metrics, allowing Tech Leads to assess if a project is dying (Community Obsolescence) before a CVE even appears.