aws/amazon-vpc-cni-k8s
https://github.com/aws/amazon-vpc-cni-k8s
Last updated on Jul 18, 2021
Rating: BAD
Score: 3.36, max score value is 10.0
Confidence: High (9.87, max confidence value is 10.0)
Details
The rating is based on the security score for open-source projects.
It used the following sub-scores:
- Security testing: 0.0 (weight is 1.0)
  - Dependency testing: N/A (weight is 1.0)
    - Dependabot score: N/A (weight is 1.0)
    - OWASP Dependency Check score: N/A (weight is 1.0)
  - Static analysis: 0.0 (weight is 1.0)
    - LGTM score: 0.0 (weight is 1.0)
    - How a project uses CodeQL: 0.0 (weight is 1.0)
    - FindSecBugs score: N/A (weight is 0.5)
  - Fuzzing: N/A (weight is 1.0)
  - Memory-safety testing: N/A (weight is 1.0)
  - nohttp tool: 0.0 (weight is 0.2)
- Security awareness: 2.0 (weight is 0.9)
- Vulnerability discovery and security testing: 2.0 (weight is 0.6)
  - Security testing: 0.0 (weight is 1.0)
    - Dependency testing: N/A (weight is 1.0)
      - Dependabot score: N/A (weight is 1.0)
      - OWASP Dependency Check score: N/A (weight is 1.0)
    - Static analysis: 0.0 (weight is 1.0)
      - LGTM score: 0.0 (weight is 1.0)
      - How a project uses CodeQL: 0.0 (weight is 1.0)
      - FindSecBugs score: N/A (weight is 0.5)
    - Fuzzing: N/A (weight is 1.0)
    - Memory-safety testing: N/A (weight is 1.0)
    - nohttp tool: 0.0 (weight is 0.2)
- Unpatched vulnerabilities: 10.0 (weight is 0.5)
- Community commitment: 8.0 (weight is 0.5)
- Project activity: 5.69 (weight is 0.5)
- Project popularity: 1.93 (weight is 0.5)
- Security reviews: 0.0 (weight is 0.2)
How to improve the rating
- You can ask the project maintainers to enable LGTM checks for pull requests in the project.
  More info:
  - How to enable LGTM checks for pull requests
- You can open a pull request to enable CodeQL scans in the project. Make sure that the scans are run on pull requests.
  More info:
  - How to enable CodeQL checks for pull requests
- You can open a pull request to enable CodeQL scans in the project.
  More info:
  - How to enable CodeQL checks
- You can open a pull request to enable FindSecBugs for the project.
  More info:
  - FindSecBugs home page
- You can enable artifact signing in the project's build pipeline.
  More info:
  - Apache Maven Jarsigner Plugin
- You can enable NoHttp tool in the project's build pipeline.
  More info:
  - NoHttp tool home page
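The two CodeQL suggestions above (enable scans, and make sure they run on pull requests) can both be satisfied with a single GitHub Actions workflow. The following is an added example written for this page, not a file from the aws/amazon-vpc-cni-k8s repository: it assumes the workflow lives at `.github/workflows/codeql.yml`, that the default branch is named `master`, and that the standard CodeQL autobuild step can build the Go modules; the `pull_request` trigger is what makes the scan count as "run on pull requests", and the `security-events: write` permission is required for results to be uploaded to the repository's code-scanning alerts.

```yaml
# Added example: CodeQL scan for a Go project, run on pushes to the
# default branch and on every pull request targeting it.
# Assumptions: default branch is "master"; file path is .github/workflows/codeql.yml.
name: CodeQL

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

permissions:
  contents: read          # needed to check out the code
  security-events: write  # needed to upload SARIF results to code scanning

jobs:
  analyze:
    name: CodeQL (go)
    runs-on: ubuntu-latest
    steps:
      - name: Check out source
        uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go

      # Lets CodeQL build the Go code so that the analysis sees the real
      # call graph rather than only the parsed source.
      - name: Autobuild
        uses: github/codeql-action/autobuild@v2

      - name: Run CodeQL analysis
        uses: github/codeql-action/analyze@v2
```

Once the workflow has run on a pull request, the "CodeQL" check appears in the PR's status checks; marking it as a required check in the branch protection settings is what prevents unscanned code from being merged.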
Sub-scores
Below are the details about all the used sub-scores.
Security testing
Score: 0.0, confidence is 9.52 (high), weight is 1.0 (high)
This sub-score is based on the following sub-scores:
- Dependency testing: N/A (weight is 1.0)
  - Dependabot score: N/A (weight is 1.0)
  - OWASP Dependency Check score: N/A (weight is 1.0)
- Static analysis: 0.0 (weight is 1.0)
  - LGTM score: 0.0 (weight is 1.0)
  - How a project uses CodeQL: 0.0 (weight is 1.0)
  - FindSecBugs score: N/A (weight is 0.5)
- Fuzzing: N/A (weight is 1.0)
- Memory-safety testing: N/A (weight is 1.0)
- nohttp tool: 0.0 (weight is 0.2)
Security awareness
Score: 2.0, confidence is 10.0 (max), weight is 0.9 (high)
The score shows how aware of security a project is. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00. Here only the security policy is present, which gives the 2.00 points shown.
This sub-score is based on 17 features:
- Does it have a bug bounty program? No
- Does it have a security policy? Yes
- Does it have a security team? No
- Does it sign artifacts? No
- Does it use AddressSanitizer? No
- Does it use Dependabot? No
- Does it use FindSecBugs? No
- Does it use LGTM checks? No
- Does it use MemorySanitizer? No
- Does it use OWASP ESAPI? No
- Does it use OWASP Java Encoder? No
- Does it use OWASP Java HTML Sanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
- Does it use nohttp? No
- Does it use verified signed commits? No
- How is OWASP Dependency Check used? Not used
- Is it included to OSS-Fuzz? No
Vulnerability discovery and security testing
Score: 2.0, confidence is 9.76 (high), weight is 0.6 (medium)
The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If testing is good but there are recent vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If testing is bad and there are recent vulnerabilities, then the score is min.
This sub-score is based on the following sub-score:
- Security testing: 0.0 (weight is 1.0)
  - Dependency testing: N/A (weight is 1.0)
    - Dependabot score: N/A (weight is 1.0)
    - OWASP Dependency Check score: N/A (weight is 1.0)
  - Static analysis: 0.0 (weight is 1.0)
    - LGTM score: 0.0 (weight is 1.0)
    - How a project uses CodeQL: 0.0 (weight is 1.0)
    - FindSecBugs score: N/A (weight is 0.5)
  - Fuzzing: N/A (weight is 1.0)
  - Memory-safety testing: N/A (weight is 1.0)
  - nohttp tool: 0.0 (weight is 0.2)
This sub-score is based on 1 feature:
- Info about vulnerabilities: Not found
Unpatched vulnerabilities
Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)
No unpatched vulnerabilities found, which is good
This sub-score is based on 1 feature:
- Info about vulnerabilities: Not found
Community commitment
Score: 8.0, confidence is 10.0 (max), weight is 0.5 (medium)
This sub-score is based on 3 features:
- Does it belong to Apache? No
- Does it belong to Eclipse? No
- Is it supported by a company? Yes
Project activity
Score: 5.69, confidence is 10.0 (max), weight is 0.5 (medium)
The score evaluates how active a project is. It's based on the number of commits and contributors in the last 3 months.
37 commits in the last 3 months results in 5.69 points
This sub-score is based on 2 features:
- Number of commits in the last three months: 37
- Number of contributors in the last three months: 1
Project popularity
Score: 1.93, confidence is 10.0 (max), weight is 0.5 (medium)
The score is based on the number of stars and watchers. Each count is mapped to points by linear interpolation between the breakpoints below, and the two contributions are added.
Here is how the number of stars contributes to the score:
0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max)
Here is how the number of watchers contributes to the score:
0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max)
This sub-score is based on 2 features:
- Number of stars for a GitHub repository: 1556
- Number of watchers for a GitHub repository: 111
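The breakpoint tables above are enough to reproduce the 1.93 popularity score from the raw counts (1556 stars and 111 watchers). The following Go program is an added example written for this page, not code from the rating tool or from the project; the breakpoints are copied from the report, while the linear interpolation between them, the cap at 10.0 and the rounding to two decimals are assumptions chosen so that the result matches the score shown here.

```go
package main

import (
	"fmt"
	"math"
)

// Breakpoint maps a raw count (stars or watchers) to score points.
type Breakpoint struct {
	Count  float64
	Points float64
}

// Breakpoint tables copied from the report above. Counts beyond the last
// entry are assumed to be capped at that entry's points.
var starsTable = []Breakpoint{{0, 0}, {2500, 2.5}, {5000, 5}, {10000, 10}}
var watchersTable = []Breakpoint{{0, 0}, {450, 1.5}, {750, 2.5}, {3000, 10}}

// interpolate returns the points for n by linear interpolation between the
// two breakpoints that surround it (assumed behaviour, not documented on the page).
func interpolate(table []Breakpoint, n float64) float64 {
	if n <= table[0].Count {
		return table[0].Points
	}
	last := table[len(table)-1]
	if n >= last.Count {
		return last.Points
	}
	for i := 1; i < len(table); i++ {
		lo, hi := table[i-1], table[i]
		if n <= hi.Count {
			frac := (n - lo.Count) / (hi.Count - lo.Count)
			return lo.Points + frac*(hi.Points-lo.Points)
		}
	}
	return last.Points
}

// PopularityScore adds the stars and watchers contributions, caps the sum at
// the 10.0 maximum used throughout the report and rounds to two decimals.
func PopularityScore(stars, watchers int) float64 {
	total := interpolate(starsTable, float64(stars)) +
		interpolate(watchersTable, float64(watchers))
	return math.Round(math.Min(total, 10)*100) / 100
}

func main() {
	// Values from the report: 1556 stars and 111 watchers.
	fmt.Printf("stars=1556 watchers=111 -> %.2f\n", PopularityScore(1556, 111)) // prints 1.93
}
```

Working it through by hand: 1556 stars fall on the first segment and give 1556/2500 * 2.50 = 1.556 points, 111 watchers give 111/450 * 1.50 = 0.37 points, and the sum 1.926 rounds to 1.93. The example also shows why popularity is a weak signal for a project like this one: reaching the 5.00 mark would take 5000 stars, so a widely deployed infrastructure component can still sit near the bottom of this sub-score.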
Security reviews
Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)
No security reviews have been done
This sub-score is based on 1 feature:
- Info about security reviews: 0 security reviews
Dependency testing
Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on the following sub-scores:
- Dependabot score: N/A (weight is 1.0)
- OWASP Dependency Check score: N/A (weight is 1.0)
Static analysis
Score: 0.0, confidence is 8.0 (low), weight is 1.0 (high)
This sub-score is based on the following sub-scores:
- LGTM score: 0.0 (weight is 1.0)
- How a project uses CodeQL: 0.0 (weight is 1.0)
- FindSecBugs score: N/A (weight is 0.5)
Fuzzing
Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on 2 features:
- Is it included to OSS-Fuzz? No
- Programming languages: GO, OTHER
Memory-safety testing
Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on 4 features:
- Does it use AddressSanitizer? No
- Does it use MemorySanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
- Programming languages: GO, OTHER
nohttp tool
Score: 0.0, confidence is 10.0 (max), weight is 0.2 (low)
This sub-score is based on 2 features:
- Does it use nohttp? No
- Package managers: None
Dependabot score
Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on 4 features:
- Does it use Dependabot? No
- Does it use GitHub as the main development platform? Yes
- Package managers: None
- Programming languages: GO, OTHER
OWASP Dependency Check score
Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on 3 features:
- How is OWASP Dependency Check used? Not used
- Package managers: None
- What is the threshold for OWASP Dependency Check? Not specified
LGTM score
Score: 0.0, confidence is 5.0 (low), weight is 1.0 (high)
This sub-score is based on 2 features:
- Programming languages: GO, OTHER
- The worst LGTM grade of the project: unknown
How a project uses CodeQL
Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)
This sub-score is based on 4 features:
- Does it run CodeQL scans? No
- Does it use CodeQL checks for pull requests? No
- Does it use LGTM checks? No
- Programming languages: GO, OTHER
FindSecBugs score
Score: N/A, confidence is 10.0 (max), weight is 0.5 (medium)
This sub-score is based on 2 features:
- Does it use FindSecBugs? No
- Programming languages: GO, OTHER
Known vulnerabilities
No vulnerabilities found