In version 2.6.25 we introduced support for the OpenSSF score. This article shall help you to understand what the score is an how to interpret the value.
|The Open Software Security Foundation (OpenSSF) is a project under the Linux Foundation, that takes care for the hygiene of the open source eco system by supporting relevant projects in achieving security for their solution. There is one project having assessed the 1,000,000 most critical - based on dependent projects - open source projects. This list of projects is assessed with the OpenSSF Scorecard, a test designed to get an impression of the project quality by assessing
different indicators across these five domains:
- Code Vulnerabilities
- Continuous Testing
- Source Risk Management
- Build Risk Management
To get a detailed description of the tests and learn how they are performed, read this article.
*The Score* or *scorecard value* is an aggregation across all applicable tests. Thus it is not necessary to understand the value as a "good" or "bad" project decision. It is a valuable indication directing your decision on how much care you will have to apply, when adding a particular project to your solution. A score of 10 shows, that the project is pretty much concerned about security. A low value indicates, that the maintainers leave it more to their users to take care.
PLEASE NOTE: A low score does not at all describe a project as bad or unsuitable for use!! It is just an indication, that you must invest more care in applying the solution you are consuming.
TrustSource integrates the OpenSSF API to access test results for the projects to be available through its Component DB. You will see the overall result presented by the small OpenSSF Duck. `hovering` the duck will display the lastest test details. This will allow you to search for the information on your particular needs.
There is a plethora of literature on OpenSSF and the scorecard. A short but comprehensive introduction can be found in our TrustSource blog. In the near future, we plan to add the option to scan repositories with the scorecard tests upon behalf. Thus you will just need to enter the URL of the repository and TrustSource will download, scan and report the results to you.