fosstars_report.md

File metadata and controls

591 lines (256 loc) · 16.5 KB

## Rating: MODERATE

Score: 5.41, max score value is 10.0

Confidence: High (9.65, max confidence value is 10.0)

## Details

The rating is based on the security score for open-source projects.

It uses the following sub-scores:

  1. Security testing: 7.23 (weight is 1.0)

    1. Dependency testing: 10.0 (weight is 1.0)

      1. Dependabot score: 10.0 (weight is 1.0)

      2. Snyk score: 5.0 (weight is 1.0)

      3. OWASP Dependency Check score: 0.0 (weight is 1.0)

    2. Static analysis: 5.91 (weight is 1.0)

      1. How a project uses CodeQL: 10.0 (weight is 1.0)

      2. Bandit score: 0.0 (weight is 0.35)

      3. FindSecBugs score: 0.0 (weight is 0.35)

      4. How a project uses Pylint: 6.0 (weight is 0.35)

      5. GoSec score: N/A (weight is 0.3)

      6. How a project uses MyPy: 6.0 (weight is 0.2)

    3. Fuzzing: N/A (weight is 1.0)

    4. Memory-safety testing: N/A (weight is 1.0)

    5. nohttp tool: 0.0 (weight is 0.2)

  2. Security awareness: 3.5 (weight is 0.9)

  3. Vulnerability discovery and security testing: 10.0 (weight is 0.6)

    1. Security testing: 7.23 (weight is 1.0)

      1. Dependency testing: 10.0 (weight is 1.0)

        1. Dependabot score: 10.0 (weight is 1.0)

        2. Snyk score: 5.0 (weight is 1.0)

        3. OWASP Dependency Check score: 0.0 (weight is 1.0)

      2. Static analysis: 5.91 (weight is 1.0)

        1. How a project uses CodeQL: 10.0 (weight is 1.0)

        2. Bandit score: 0.0 (weight is 0.35)

        3. FindSecBugs score: 0.0 (weight is 0.35)

        4. How a project uses Pylint: 6.0 (weight is 0.35)

        5. GoSec score: N/A (weight is 0.3)

        6. How a project uses MyPy: 6.0 (weight is 0.2)

      3. Fuzzing: N/A (weight is 1.0)

      4. Memory-safety testing: N/A (weight is 1.0)

      5. nohttp tool: 0.0 (weight is 0.2)

  4. Unpatched vulnerabilities: 10.0 (weight is 0.5)

  5. Community commitment: 8.0 (weight is 0.5)

  6. Project activity: 0.0 (weight is 0.5)

  7. Project popularity: 0.09 (weight is 0.5)

  8. Security reviews: 0.0 (weight is 0.2)

## How to improve the rating

You can open a pull request to enable FindSecBugs for the project. More info:

  1. FindSecBugs home page

You can add OWASP Dependency Check to the project's build pipeline. More info:

  1. OWASP Dependency Check
  2. How to use OWASP Dependency Check with Maven
  3. How to use OWASP Dependency Check with Gradle

You can set a CVSS threshold for vulnerabilities reported by OWASP Dependency Check. More info:

  1. OWASP Dependency Check
  2. Configuring OWASP Dependency Check

You can enable the NoHttp tool in the project's build pipeline. More info:

  1. NoHttp tool home page

You can open a pull request to run Bandit scans in the project using a GitHub Actions workflow. More info:

  1. GitHub workflow action job config to run Bandit code scanning for a repository.
  2. An example to run Bandit scan check as part of GitHub action workflow.

It would be good to have SecGo as an analysis step for all commits; triggering it on every pull request would be great. More info:

  1. GitHub workflow action config to run Bandit code scanning job on every PR of a project.
  2. An example to trigger Bandit scan check on every pull request.

You can create a Snyk account and configure your project. More info:

  1. Getting started with snyk for open source

You can open a pull request to trigger a GoSec scan job in the project using a GitHub Actions workflow for every pull request. More info:

  1. GitHub workflow action config to run GoSec code scanning job on every PR of a project.

## Sub-scores

Below are the details about all the used sub-scores.

### Security testing

Score: 7.23, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependency testing: 10.0 (weight is 1.0)

    1. Dependabot score: 10.0 (weight is 1.0)

    2. Snyk score: 5.0 (weight is 1.0)

    3. OWASP Dependency Check score: 0.0 (weight is 1.0)

  2. Static analysis: 5.91 (weight is 1.0)

    1. How a project uses CodeQL: 10.0 (weight is 1.0)

    2. Bandit score: 0.0 (weight is 0.35)

    3. FindSecBugs score: 0.0 (weight is 0.35)

    4. How a project uses Pylint: 6.0 (weight is 0.35)

    5. GoSec score: N/A (weight is 0.3)

    6. How a project uses MyPy: 6.0 (weight is 0.2)

  3. Fuzzing: N/A (weight is 1.0)

  4. Memory-safety testing: N/A (weight is 1.0)

  5. nohttp tool: 0.0 (weight is 0.2)

### Security awareness

Score: 3.5, confidence is 10.0 (max), weight is 0.9 (high)

The score shows how aware a project is of security. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00. If the project has executable binaries, then the score subtracts 2.00.

This sub-score is based on 18 features:

  1. Does it have a bug bounty program? No
  2. Does it have a security policy? Yes
  3. Does it have a security team? No
  4. Does it have executable binaries? No
  5. Does it sign artifacts? Yes
  6. Does it use AddressSanitizer? No
  7. Does it use Dependabot? Yes
  8. Does it use FindSecBugs? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use Snyk? No
  14. Does it use UndefinedBehaviorSanitizer? No
  15. Does it use nohttp? No
  16. Does it use verified signed commits? No
  17. How is OWASP Dependency Check used? Not used
  18. Is it included in OSS-Fuzz? No

### Vulnerability discovery and security testing

Score: 10.0, confidence is 10.0 (max), weight is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If there are vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If there are vulnerabilities, then the score is min.

This sub-score is based on the following sub-score:

  1. Security testing: 7.23 (weight is 1.0)

    1. Dependency testing: 10.0 (weight is 1.0)

      1. Dependabot score: 10.0 (weight is 1.0)

      2. Snyk score: 5.0 (weight is 1.0)

      3. OWASP Dependency Check score: 0.0 (weight is 1.0)

    2. Static analysis: 5.91 (weight is 1.0)

      1. How a project uses CodeQL: 10.0 (weight is 1.0)

      2. Bandit score: 0.0 (weight is 0.35)

      3. FindSecBugs score: 0.0 (weight is 0.35)

      4. How a project uses Pylint: 6.0 (weight is 0.35)

      5. GoSec score: N/A (weight is 0.3)

      6. How a project uses MyPy: 6.0 (weight is 0.2)

    3. Fuzzing: N/A (weight is 1.0)

    4. Memory-safety testing: N/A (weight is 1.0)

    5. nohttp tool: 0.0 (weight is 0.2)

This sub-score is based on 1 feature:

  1. Info about vulnerabilities in the project: Not found

### Unpatched vulnerabilities

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

No unpatched vulnerabilities found, which is good.

This sub-score is based on 1 feature:

  1. Info about vulnerabilities in the project: Not found

### Community commitment

Score: 8.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 3 features:

  1. Does it belong to Apache? No
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? Yes

### Project activity

Score: 0.0, confidence is 10.0 (max), weight is 0.5 (medium)

The score evaluates how active a project is. It's based on the number of commits and contributors in the last 3 months.

0 commits in the last 3 months results in 0.00 points.

This sub-score is based on 2 features:

  1. Number of commits in the last three months: 0
  2. Number of contributors in the last three months: 0

### Project popularity

Score: 0.09, confidence is 6.67 (low), weight is 0.5 (medium)

This scoring function is based on the number of stars, watchers and dependent projects.

This sub-score is based on 3 features:

  1. Number of projects on GitHub that use an open source project: unknown
  2. Number of stars for a GitHub repository: 61
  3. Number of watchers for a GitHub repository: 9

### Security reviews

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

No security reviews have been done.

This sub-score is based on 1 feature:

  1. Info about security reviews: 0 security reviews

### Dependency testing

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependabot score: 10.0 (weight is 1.0)

  2. Snyk score: 5.0 (weight is 1.0)

  3. OWASP Dependency Check score: 0.0 (weight is 1.0)

### Static analysis

Score: 5.91, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. How a project uses CodeQL: 10.0 (weight is 1.0)

  2. Bandit score: 0.0 (weight is 0.35)

  3. FindSecBugs score: 0.0 (weight is 0.35)

  4. How a project uses Pylint: 6.0 (weight is 0.35)

  5. GoSec score: N/A (weight is 0.3)

  6. How a project uses MyPy: 6.0 (weight is 0.2)

### Fuzzing

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Is it included in OSS-Fuzz? No
  2. Programming languages: JAVA, PYTHON, OTHER

### Memory-safety testing

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use AddressSanitizer? No
  2. Does it use MemorySanitizer? No
  3. Does it use UndefinedBehaviorSanitizer? No
  4. Programming languages: JAVA, PYTHON, OTHER

### nohttp tool

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

This sub-score is based on 2 features:

  1. Does it use nohttp? No
  2. Package managers: MAVEN

### Dependabot score

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use Dependabot? Yes
  2. Does it use GitHub as the main development platform? Yes
  3. Package managers: MAVEN
  4. Programming languages: JAVA, PYTHON, OTHER

### Snyk score

Score: 5.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use GitHub as the main development platform? Yes
  2. Does it use Snyk? No
  3. Package managers: MAVEN
  4. Programming languages: JAVA, PYTHON, OTHER

### OWASP Dependency Check score

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 3 features:

  1. How is OWASP Dependency Check used? Not used
  2. Package managers: MAVEN
  3. What is the threshold for OWASP Dependency Check? Not specified

### How a project uses CodeQL

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 3 features:

  1. Does it run CodeQL scans? Yes
  2. Does it use CodeQL checks for pull requests? Yes
  3. Programming languages: JAVA, PYTHON, OTHER

### Bandit score

Score: 0.0, confidence is 10.0 (max), weight is 0.35 (medium)

This sub-score is based on 3 features:

  1. If a project runs Bandit scan checks for commits: No
  2. If a project runs Bandit scans: No
  3. Programming languages: JAVA, PYTHON, OTHER

### FindSecBugs score

Score: 0.0, confidence is 10.0 (max), weight is 0.35 (medium)

This sub-score is based on 2 features:

  1. Does it use FindSecBugs? No
  2. Programming languages: JAVA, PYTHON, OTHER

### How a project uses Pylint

Score: 6.0, confidence is 10.0 (max), weight is 0.35 (medium)

This sub-score is based on 3 features:

  1. Does it run Pylint scans on all commits? No
  2. Does it run Pylint scans? Yes
  3. Programming languages: JAVA, PYTHON, OTHER

### GoSec score

Score: N/A, confidence is 10.0 (max), weight is 0.3 (medium)

The score is N/A because the project uses languages that are not supported by GoSec.

This sub-score is based on 4 features:

  1. Does it run GoSec scans on all pull requests? No
  2. Does it run GoSec scans with rules? No
  3. Does it run GoSec scans? No
  4. Programming languages: JAVA, PYTHON, OTHER

### How a project uses MyPy

Score: 6.0, confidence is 10.0 (max), weight is 0.2 (low)

This sub-score is based on 3 features:

  1. Does it run MyPy scans on all commits? No
  2. Does it run MyPy scans? Yes
  3. Programming languages: JAVA, PYTHON, OTHER

## Known vulnerabilities

No vulnerabilities found.