fosstars-rating-core

A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.

View the Project on GitHub SAP/fosstars-rating-core

apache/nifi

https://github.com/apache/nifi

Last updated on Jul 18, 2021

Rating: GOOD

Score: 5.75, max score value is 10.0

Confidence: Max (10.0, max confidence value is 10.0)

Details

The rating is based on security score for open-source projects.

It uses the following sub-scores:

  1. Security testing: 2.86 (weight is 1.0)
    1. Dependency testing: 10.0 (weight is 1.0)
      1. Dependabot score: 10.0 (weight is 1.0)
      2. OWASP Dependency Check score: 3.0 (weight is 1.0)
    2. Static analysis: 2.0 (weight is 1.0)
      1. LGTM score: 5.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: 0.0 (weight is 0.5)
    3. Fuzzing: 0.0 (weight is 1.0)
    4. Memory-safety testing: 0.0 (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.2)
  2. Security awareness: 10.0 (weight is 0.9)
  3. Vulnerability discovery and security testing: 0.0 (weight is 0.6)
    1. Security testing: 2.86 (weight is 1.0)
      1. Dependency testing: 10.0 (weight is 1.0)
        1. Dependabot score: 10.0 (weight is 1.0)
        2. OWASP Dependency Check score: 3.0 (weight is 1.0)
      2. Static analysis: 2.0 (weight is 1.0)
        1. LGTM score: 5.0 (weight is 1.0)
        2. How a project uses CodeQL: 0.0 (weight is 1.0)
        3. FindSecBugs score: 0.0 (weight is 0.5)
      3. Fuzzing: 0.0 (weight is 1.0)
      4. Memory-safety testing: 0.0 (weight is 1.0)
      5. nohttp tool: 0.0 (weight is 0.2)
  4. Unpatched vulnerabilities: 10.0 (weight is 0.5)
  5. Community commitment: 7.0 (weight is 0.5)
  6. Project activity: 10.0 (weight is 0.5)
  7. Project popularity: 3.3 (weight is 0.5)
  8. Security reviews: 0.0 (weight is 0.2)

How to improve the rating

  1. You can ask the project maintainers to enable LGTM checks for pull requests in the project. More info:
    1. How to enable LGTM checks for pull requests
  2. You can open a pull request to enable CodeQL scans in the project. Make sure that the scans are run on pull requests. More info:
    1. How to enable CodeQL checks for pull requests
  3. You can open a pull request to enable CodeQL scans in the project. More info:
    1. How to enable CodeQL checks
  4. You can fix the issues reported by LGTM for the project. More info:
    1. List of issues on LGTM
  5. You can open a pull request to enable FindSecBugs for the project. More info:
    1. FindSecBugs home page
  6. You can open a pull request to enable AddressSanitizer for the project. More info:
    1. About AddressSanitizer
  7. You can open a pull request to enable MemorySanitizer for the project. More info:
    1. About MemorySanitizer
  8. You can open a pull request to enable UndefinedBehaviorSanitizer for the project. More info:
    1. About UndefinedBehaviorSanitizer
  9. You can include the project to OSS-Fuzz. Then, the project is going to be regularly fuzzed. More info:
    1. The OSS-Fuzz project
  10. You can add OWASP Dependency Check to the project’s build pipeline. More info:
    1. OWASP Dependency Check
    2. How to use OWASP Dependency Check with Maven
    3. How to use OWASP Dependency Check with Gradle
  11. You can set a CVSS threshold for vulnerabilities reported by OWASP Dependency Check. More info:
    1. OWASP Dependency Check
    2. Configuring OWASP Dependency Check
  12. You can enable artifact signing in the project’s build pipeline. More info:
    1. Apache Maven Jarsigner Plugin
  13. You can enable the NoHttp tool in the project’s build pipeline. More info:
    1. NoHttp tool home page

Sub-scores

Below are the details about all the used sub-scores.

Security testing

Score: 2.86, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependency testing: 10.0 (weight is 1.0)
    1. Dependabot score: 10.0 (weight is 1.0)
    2. OWASP Dependency Check score: 3.0 (weight is 1.0)
  2. Static analysis: 2.0 (weight is 1.0)
    1. LGTM score: 5.0 (weight is 1.0)
    2. How a project uses CodeQL: 0.0 (weight is 1.0)
    3. FindSecBugs score: 0.0 (weight is 0.5)
  3. Fuzzing: 0.0 (weight is 1.0)
  4. Memory-safety testing: 0.0 (weight is 1.0)
  5. nohttp tool: 0.0 (weight is 0.2)

Security awareness

Score: 10.0, confidence is 10.0 (max), weight is 0.9 (high)

The score shows how security-aware a project is. If the project has a security policy, the score adds 2.00. If the project has a security team, the score adds 3.00. If the project uses verified signed commits, the score adds 0.50. If the project has a bug bounty program, the score adds 4.00. If the project signs its artifacts, the score adds 0.50. If the project uses a security tool or library, the score adds 1.00.

This sub-score is based on 17 features:

  1. Does it have a bug bounty program? Yes
  2. Does it have a security policy? Yes
  3. Does it have a security team? Yes
  4. Does it sign artifacts? No
  5. Does it use AddressSanitizer? No
  6. Does it use Dependabot? Yes
  7. Does it use FindSecBugs? No
  8. Does it use LGTM checks? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use UndefinedBehaviorSanitizer? No
  14. Does it use nohttp? No
  15. Does it use verified signed commits? No
  16. How is OWASP Dependency Check used? Optional
  17. Is it included to OSS-Fuzz? No

Vulnerability discovery and security testing

Score: 0.0, confidence is 10.0 (max), weight is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, the score value is max. If testing is good but there are recent vulnerabilities, the score value is high. If testing is bad and there are no recent vulnerabilities, the score value is low. If testing is bad and there are recent vulnerabilities, the score value is min.

This sub-score is based on the following sub-score:

  1. Security testing: 2.86 (weight is 1.0)
    1. Dependency testing: 10.0 (weight is 1.0)
      1. Dependabot score: 10.0 (weight is 1.0)
      2. OWASP Dependency Check score: 3.0 (weight is 1.0)
    2. Static analysis: 2.0 (weight is 1.0)
      1. LGTM score: 5.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: 0.0 (weight is 0.5)
    3. Fuzzing: 0.0 (weight is 1.0)
    4. Memory-safety testing: 0.0 (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.2)

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 27 vulnerabilities, details below

Unpatched vulnerabilities

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

No unpatched vulnerabilities found, which is good.

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 27 vulnerabilities, details below

Community commitment

Score: 7.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 3 features:

  1. Does it belong to Apache? Yes
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? No

Project activity

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

The score evaluates how active a project is. It’s based on the number of commits and contributors in the last 3 months.

168 commits in the last 3 months result in 10.00 points. 14 contributors increase the score value from 10.00 to 12.00.

This sub-score is based on 2 features:

  1. Number of commits in the last three months: 168
  2. Number of contributors in the last three months: 14

Project popularity

Score: 3.3, confidence is 10.0 (max), weight is 0.5 (medium)

The score is based on the number of stars and watchers.

Here is how the number of stars contributes to the score: 0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max).

Here is how the number of watchers contributes to the score: 0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max).

This sub-score is based on 2 features:

  1. Number of stars for a GitHub repository: 2694
  2. Number of watchers for a GitHub repository: 183

Security reviews

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

No security reviews have been done.

This sub-score is based on 1 feature:

  1. Info about security reviews: 0 security reviews

Dependency testing

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependabot score: 10.0 (weight is 1.0)
  2. OWASP Dependency Check score: 3.0 (weight is 1.0)

Static analysis

Score: 2.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. LGTM score: 5.0 (weight is 1.0)
  2. How a project uses CodeQL: 0.0 (weight is 1.0)
  3. FindSecBugs score: 0.0 (weight is 0.5)

Fuzzing

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Is it included to OSS-Fuzz? No
  2. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER

Memory-safety testing

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use AddressSanitizer? No
  2. Does it use MemorySanitizer? No
  3. Does it use UndefinedBehaviorSanitizer? No
  4. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER

nohttp tool

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

This sub-score is based on 2 features:

  1. Does it use nohttp? No
  2. Package managers: MAVEN, NPM, YARN

Dependabot score

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use Dependabot? Yes
  2. Does it use GitHub as the main development platform? Yes
  3. Package managers: MAVEN, NPM, YARN
  4. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER

OWASP Dependency Check score

Score: 3.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 3 features:

  1. How is OWASP Dependency Check used? Optional
  2. Package managers: MAVEN, NPM, YARN
  3. What is the threshold for OWASP Dependency Check? Not specified

LGTM score

Score: 5.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER
  2. The worst LGTM grade of the project: C

How a project uses CodeQL

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it run CodeQL scans? No
  2. Does it use CodeQL checks for pull requests? No
  3. Does it use LGTM checks? No
  4. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER

FindSecBugs score

Score: 0.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 2 features:

  1. Does it use FindSecBugs? No
  2. Programming languages: CPP, JAVA, RUBY, PYTHON, JAVASCRIPT, OTHER

Known vulnerabilities

  1. CVE-2017-7667
  2. CVE-2017-12623
  3. CVE-2017-5636
  4. CVE-2017-12632
  5. CVE-2017-15703
  6. CVE-2018-1310
  7. CVE-2018-17195
  8. CVE-2019-10083
  9. CVE-2020-1928
  10. CVE-2020-1942
  11. CVE-2020-9491
  12. CVE-2021-20190
  13. CVE-2020-27223