fosstars-rating-core

A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.


apache/tomcat

https://github.com/apache/tomcat

Last updated on Jul 18, 2021

Rating: MODERATE

Score: 5.44, max score value is 10.0

Confidence: Max (10.0, max confidence value is 10.0)

Details

The rating is based on the security score for open-source projects.

It uses the following sub-scores:

  1. Security testing: 4.0 (weight is 1.0)
    1. Dependency testing: 6.0 (weight is 1.0)
      1. Dependabot score: 6.0 (weight is 1.0)
      2. OWASP Dependency Check score: 0.0 (weight is 1.0)
    2. Static analysis: 2.8 (weight is 1.0)
      1. LGTM score: 7.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: 0.0 (weight is 0.5)
    3. Fuzzing: N/A (weight is 1.0)
    4. Memory-safety testing: N/A (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.2)
  2. Security awareness: 5.0 (weight is 0.9)
  3. Vulnerability discovery and security testing: 0.0 (weight is 0.6)
    1. Security testing: 4.0 (weight is 1.0)
      1. Dependency testing: 6.0 (weight is 1.0)
        1. Dependabot score: 6.0 (weight is 1.0)
        2. OWASP Dependency Check score: 0.0 (weight is 1.0)
      2. Static analysis: 2.8 (weight is 1.0)
        1. LGTM score: 7.0 (weight is 1.0)
        2. How a project uses CodeQL: 0.0 (weight is 1.0)
        3. FindSecBugs score: 0.0 (weight is 0.5)
      3. Fuzzing: N/A (weight is 1.0)
      4. Memory-safety testing: N/A (weight is 1.0)
      5. nohttp tool: 0.0 (weight is 0.2)
  4. Unpatched vulnerabilities: 10.0 (weight is 0.5)
  5. Community commitment: 7.0 (weight is 0.5)
  6. Project activity: 10.0 (weight is 0.5)
  7. Project popularity: 7.09 (weight is 0.5)
  8. Security reviews: 0.0 (weight is 0.2)

How to improve the rating

  1. You can ask the project maintainers to enable LGTM checks for pull requests in the project. More info:
    1. How to enable LGTM checks for pull requests
  2. You can open a pull request to enable CodeQL scans in the project. Make sure that the scans are run on pull requests. More info:
    1. How to enable CodeQL checks for pull requests
  3. You can open a pull request to enable CodeQL scans in the project. More info:
    1. How to enable CodeQL checks
  4. You can fix the issues reported by LGTM for the project. More info:
    1. List of issues on LGTM
  5. You can open a pull request to enable FindSecBugs for the project. More info:
    1. FindSecBugs home page
  6. You can configure Dependabot by creating a configuration file. More info:
    1. Configuration options for dependency updates
  7. You can add OWASP Dependency Check to the project’s build pipeline. More info:
    1. OWASP Dependency Check
    2. How to use OWASP Dependency Check with Maven
    3. How to use OWASP Dependency Check with Gradle
  8. You can set a CVSS threshold for vulnerabilities reported by OWASP Dependency Check. More info:
    1. OWASP Dependency Check
    2. Configuring OWASP Dependency Check
  9. You can enable artifact signing in the project’s build pipeline. More info:
    1. Apache Maven Jarsigner Plugin
  10. You can enable the NoHttp tool in the project’s build pipeline. More info:
    1. NoHttp tool home page

Sub-scores

Below are the details about all the used sub-scores.

Security testing

Score: 4.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependency testing: 6.0 (weight is 1.0)
    1. Dependabot score: 6.0 (weight is 1.0)
    2. OWASP Dependency Check score: 0.0 (weight is 1.0)
  2. Static analysis: 2.8 (weight is 1.0)
    1. LGTM score: 7.0 (weight is 1.0)
    2. How a project uses CodeQL: 0.0 (weight is 1.0)
    3. FindSecBugs score: 0.0 (weight is 0.5)
  3. Fuzzing: N/A (weight is 1.0)
  4. Memory-safety testing: N/A (weight is 1.0)
  5. nohttp tool: 0.0 (weight is 0.2)

Security awareness

Score: 5.0, confidence is 10.0 (max), weight is 0.9 (high)

The score shows how aware a project is of security. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00.

This sub-score is based on 17 features:

  1. Does it have a bug bounty program? No
  2. Does it have a security policy? Yes
  3. Does it have a security team? Yes
  4. Does it sign artifacts? No
  5. Does it use AddressSanitizer? No
  6. Does it use Dependabot? No
  7. Does it use FindSecBugs? No
  8. Does it use LGTM checks? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use UndefinedBehaviorSanitizer? No
  14. Does it use nohttp? No
  15. Does it use verified signed commits? No
  16. How is OWASP Dependency Check used? Not used
  17. Is it included to OSS-Fuzz? No

Vulnerability discovery and security testing

Score: 0.0, confidence is 10.0 (max), weight is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If testing is good but there are recent vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If testing is bad and there are recent vulnerabilities, then the score value is min.

This sub-score is based on the following sub-score:

  1. Security testing: 4.0 (weight is 1.0)
    1. Dependency testing: 6.0 (weight is 1.0)
      1. Dependabot score: 6.0 (weight is 1.0)
      2. OWASP Dependency Check score: 0.0 (weight is 1.0)
    2. Static analysis: 2.8 (weight is 1.0)
      1. LGTM score: 7.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: 0.0 (weight is 0.5)
    3. Fuzzing: N/A (weight is 1.0)
    4. Memory-safety testing: N/A (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.2)

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 190 vulnerabilities, details below

Unpatched vulnerabilities

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

No unpatched vulnerabilities found, which is good.

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 190 vulnerabilities, details below

Community commitment

Score: 7.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 3 features:

  1. Does it belong to Apache? Yes
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? No

Project activity

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

The score evaluates how active a project is. It’s based on the number of commits and contributors in the last 3 months.

268 commits in the last 3 months result in 10.00 points. 6 contributors increase the score value from 10.00 to 12.00.

This sub-score is based on 2 features:

  1. Number of commits in the last three months: 268
  2. Number of contributors in the last three months: 6

Project popularity

Score: 7.09, confidence is 10.0 (max), weight is 0.5 (medium)

The score is based on the number of stars and watchers.

Here is how the number of stars contributes to the score: 0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max).

Here is how the number of watchers contributes to the score: 0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max).

This sub-score is based on 2 features:

  1. Number of stars for a GitHub repository: 5474
  2. Number of watchers for a GitHub repository: 486

Security reviews

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

No security reviews have been done.

This sub-score is based on 1 feature:

  1. Info about security reviews: 0 security reviews

Dependency testing

Score: 6.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependabot score: 6.0 (weight is 1.0)
  2. OWASP Dependency Check score: 0.0 (weight is 1.0)

Static analysis

Score: 2.8, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. LGTM score: 7.0 (weight is 1.0)
  2. How a project uses CodeQL: 0.0 (weight is 1.0)
  3. FindSecBugs score: 0.0 (weight is 0.5)

Fuzzing

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Is it included to OSS-Fuzz? No
  2. Programming languages: JAVA, OTHER

Memory-safety testing

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use AddressSanitizer? No
  2. Does it use MemorySanitizer? No
  3. Does it use UndefinedBehaviorSanitizer? No
  4. Programming languages: JAVA, OTHER

nohttp tool

Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)

This sub-score is based on 2 features:

  1. Does it use nohttp? No
  2. Package managers: MAVEN

Dependabot score

Score: 6.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use Dependabot? No
  2. Does it use GitHub as the main development platform? Yes
  3. Package managers: MAVEN
  4. Programming languages: JAVA, OTHER

OWASP Dependency Check score

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 3 features:

  1. How is OWASP Dependency Check used? Not used
  2. Package managers: MAVEN
  3. What is the threshold for OWASP Dependency Check? Not specified

LGTM score

Score: 7.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Programming languages: JAVA, OTHER
  2. The worst LGTM grade of the project: B

How a project uses CodeQL

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it run CodeQL scans? No
  2. Does it use CodeQL checks for pull requests? No
  3. Does it use LGTM checks? No
  4. Programming languages: JAVA, OTHER

FindSecBugs score

Score: 0.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 2 features:

  1. Does it use FindSecBugs? No
  2. Programming languages: JAVA, OTHER

Known vulnerabilities

  1. CVE-2000-0672
  2. CVE-2000-0759
  3. CVE-2001-0590
  4. CVE-2001-0917
  5. CVE-2001-0829
  6. CVE-2001-1563
  7. CVE-2000-1210
  8. CVE-2002-0682
  9. CVE-2002-0493
  10. CVE-2002-0935
  11. CVE-2002-1148
  12. CVE-2002-2272
  13. CVE-2002-1394
  14. CVE-2003-0045
  15. CVE-2002-1567
  16. CVE-2003-0866
  17. CVE-2005-0808
  18. CVE-2005-2090
  19. CVE-2005-3164
  20. CVE-2005-3510
  21. CVE-2005-4838
  22. CVE-2006-3835
  23. CVE-2007-0450
  24. CVE-2006-7197
  25. CVE-2006-7195
  26. CVE-2007-1355
  27. CVE-2007-2450
  28. CVE-2007-3383
  29. CVE-2007-3384
  30. CVE-2007-3382
  31. CVE-2007-4724
  32. CVE-2007-5461
  33. CVE-2007-5342
  34. CVE-2008-0128
  35. CVE-2007-5333
  36. CVE-2008-1947
  37. CVE-2008-1232
  38. CVE-2008-2938
  39. CVE-2008-3271
  40. CVE-2008-4308
  41. CVE-2009-0781
  42. CVE-2008-5519
  43. CVE-2009-0580
  44. CVE-2008-5515
  45. CVE-2009-3548
  46. CVE-2009-2693
  47. CVE-2010-1157
  48. CVE-2010-2227
  49. CVE-2009-2696
  50. CVE-2010-4312
  51. CVE-2010-3718
  52. CVE-2011-0013
  53. CVE-2011-1088
  54. CVE-2011-1183
  55. CVE-2011-1582
  56. CVE-2011-2204
  57. CVE-2011-2526
  58. CVE-2011-2481
  59. CVE-2011-3190
  60. CVE-2011-3376
  61. CVE-2011-4858
  62. CVE-2011-5064
  63. CVE-2012-0022
  64. CVE-2012-2733
  65. CVE-2012-5885
  66. CVE-2012-5568
  67. CVE-2012-4431
  68. CVE-2013-2071
  69. CVE-2013-6357
  70. CVE-2013-2185
  71. CVE-2013-0346
  72. CVE-2013-4286
  73. CVE-2014-0050
  74. CVE-2014-0119
  75. CVE-2013-4444
  76. CVE-2014-0227
  77. CVE-2014-0230
  78. CVE-2016-0763
  79. CVE-2016-3092
  80. CVE-2016-5388
  81. CVE-2016-1240
  82. CVE-2016-5425
  83. CVE-2016-8747
  84. CVE-2016-6816
  85. CVE-2016-9775
  86. CVE-2016-8735
  87. CVE-2017-5647
  88. CVE-2017-5664
  89. CVE-2016-0762
  90. CVE-2016-6796
  91. CVE-2014-9635
  92. CVE-2017-12616
  93. CVE-2017-12617
  94. CVE-2017-15706
  95. CVE-2018-1305
  96. CVE-2018-1304
  97. CVE-2018-8014
  98. CVE-2018-8034
  99. CVE-2018-8037
  100. CVE-2018-11784
  101. CVE-2019-0199
  102. CVE-2019-0232
  103. CVE-2019-0221
  104. CVE-2019-10072
  105. CVE-2019-12418
  106. CVE-2020-1935
  107. CVE-2020-9484
  108. CVE-2020-11996
  109. CVE-2020-8022
  110. CVE-2020-13934
  111. CVE-2020-13943
  112. CVE-2020-17527
  113. CVE-2021-24122
  114. CVE-2021-25329
  115. CVE-2021-30639