Security score factors

Security scores indicate the level of compliance with security best practices as well as vulnerability information for the repository that includes open and fixed vulnerabilities. Vulnerability information is based on OSV.dev data and Endor Lab’s vulnerability database.

The following factors have a positive contribution to the security score:

  • Critical and high severity vulnerabilities were discovered in the past in the repository but have now been fixed. This indicates that the code base is properly maintained.
  • A SECURITY.md file highlighting security-related information is a sign of repository maturity.
  • A high volume of commits related to vulnerabilities may indicate that the project has a large number of security issues but also that they are actively being addressed. A commit is considered vulnerability-related if it mentions a CVE in its commit message.
  • No vulnerabilities ever discovered in a repository indicate that there are no known security issues in this codebase.
  • Recently fixed vulnerabilities indicate that the repository has lower security risk and is well maintained.

The following factors have a negative contribution to the security score:

  • This package has high activity from invalid accounts.
  • This package calls any of the following sensitive APIs more often than an average package.
    • Access to environment information like environment variables, user and host names. Some of this information may be security sensitive, such as environment variables with API keys.
    • Read or write access to the file system. This can be dangerous in combination with user-provided input, e.g., lead to path traversal vulnerabilities.
    • Start of operating system processes. This can be dangerous in combination with user-provided input, as it can lead to command or parameter injection vulnerabilities.
    • Dynamic programming techniques like introspection, reflection or dynamic code execution through eval() type of functions or script engines.
    • Network functions, e.g. to open connections or listen for incoming connection requests. This can be dangerous in combination with user-provided input, e.g., lead to data leakage or the load of data from untrusted sources.
    • Cryptographic or encoding/decoding functions. Depending on the specific functions used and the data being processed, export control regulations may apply to downstream users.
  • This package contains code patterns or shows behaviors that are known to be used by malware. While this is not a guarantee that this package is malicious, a review of the related code is recommended.
  • A high fraction of critical vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • A high fraction of high-fix priority vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and that the repository needs immediate maintenance. A vulnerability is considered a high priority based on our analysis.
  • A high fraction of high severity or critical vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • Taking more time to fix critical vulnerabilities discovered in a repository indicates a lack of regular maintenance. The analysis only considers vulnerabilities associated with this repository and not its dependencies.
  • A high fraction of releases with high severity vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • The package has a large number of unmerged vulnerability-related pull requests means that the project is not actively maintained and may have security issues.
  • The repository includes recently discovered vulnerabilities indicating that the repository’s security risk is increasing.
  • A high number of critical or unfixed vulnerabilities discovered in a repository indicates an elevated security risk and potentially systematic security issues with this codebase.