fosstars-rating-core

A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.

curl/curl

https://github.com/curl/curl

Last updated on May 19, 2021

Rating: GOOD

Score: 6.84, max score value is 10.0

Confidence: Max (10.0, max confidence value is 10.0)

Details

The rating is based on the security score for open-source projects.

It uses the following sub-scores:

  1. Security testing: 6.71 (weight is 1.0)
    1. Dependency testing: N/A (weight is 1.0)
      1. Dependabot score: N/A (weight is 1.0)
      2. OWASP Dependency Check score: N/A (weight is 1.0)
    2. Static analysis: 5.0 (weight is 1.0)
      1. LGTM score: 10.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: N/A (weight is 0.5)
    3. Fuzzing: 10.0 (weight is 1.0)
    4. Memory-safety testing: 8.5 (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.5)
  2. Security awareness: 9.0 (weight is 0.9)
  3. Unpatched vulnerabilities: 10.0 (weight is 0.8)
  4. Vulnerability discovery and security testing: 0.0 (weight is 0.6)
    1. Security testing: 6.71 (weight is 1.0)
      1. Dependency testing: N/A (weight is 1.0)
        1. Dependabot score: N/A (weight is 1.0)
        2. OWASP Dependency Check score: N/A (weight is 1.0)
      2. Static analysis: 5.0 (weight is 1.0)
        1. LGTM score: 10.0 (weight is 1.0)
        2. How a project uses CodeQL: 0.0 (weight is 1.0)
        3. FindSecBugs score: N/A (weight is 0.5)
      3. Fuzzing: 10.0 (weight is 1.0)
      4. Memory-safety testing: 8.5 (weight is 1.0)
      5. nohttp tool: 0.0 (weight is 0.5)
  5. Community commitment: 0.0 (weight is 0.5)
  6. Project activity: 10.0 (weight is 0.5)
  7. Project popularity: 10.0 (weight is 0.5)

How to improve the rating

  1. You can ask the project maintainers to enable LGTM checks for pull requests in the project. More info:
    1. How to enable LGTM checks for pull requests
  2. You can open a pull request to enable CodeQL scans in the project. Make sure that the scans are run on pull requests. More info:
    1. How to enable CodeQL checks for pull requests
  3. You can open a pull request to enable CodeQL scans in the project. More info:
    1. How to enable CodeQL checks
  4. You can open a pull request to enable FindSecBugs for the project. More info:
    1. FindSecBugs home page
  5. You can open a pull request to enable MemorySanitizer for the project. More info:
    1. About MemorySanitizer

Sub-scores

Below are the details about all the used sub-scores.

Security testing

Score: 6.71, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependency testing: N/A (weight is 1.0)
    1. Dependabot score: N/A (weight is 1.0)
    2. OWASP Dependency Check score: N/A (weight is 1.0)
  2. Static analysis: 5.0 (weight is 1.0)
    1. LGTM score: 10.0 (weight is 1.0)
    2. How a project uses CodeQL: 0.0 (weight is 1.0)
    3. FindSecBugs score: N/A (weight is 0.5)
  3. Fuzzing: 10.0 (weight is 1.0)
  4. Memory-safety testing: 8.5 (weight is 1.0)
  5. nohttp tool: 0.0 (weight is 0.5)

Security awareness

Score: 9.0, confidence is 10.0 (max), weight is 0.9 (high)

The score shows how security-aware a project is. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00.

This sub-score is based on 17 features:

  1. Does it have a bug bounty program? Yes
  2. Does it have a security policy? Yes
  3. Does it have a security team? No
  4. Does it sign artifacts? No
  5. Does it use AddressSanitizer? Yes
  6. Does it use Dependabot? No
  7. Does it use FindSecBugs? No
  8. Does it use LGTM checks? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use UndefinedBehaviorSanitizer? Yes
  14. Does it use nohttp? No
  15. Does it use verified signed commits? No
  16. How is OWASP Dependency Check used? Not used
  17. Is it included in OSS-Fuzz? Yes

Unpatched vulnerabilities

Score: 10.0, confidence is 10.0 (max), weight is 0.8 (high)

No unpatched vulnerabilities found, which is good.

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 71 vulnerabilities, details below

Vulnerability discovery and security testing

Score: 0.0, confidence is 10.0 (max), weight is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If testing is good and there are recent vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If testing is bad and there are recent vulnerabilities, then the score value is min.

This sub-score is based on the following sub-score:

  1. Security testing: 6.71 (weight is 1.0)
    1. Dependency testing: N/A (weight is 1.0)
      1. Dependabot score: N/A (weight is 1.0)
      2. OWASP Dependency Check score: N/A (weight is 1.0)
    2. Static analysis: 5.0 (weight is 1.0)
      1. LGTM score: 10.0 (weight is 1.0)
      2. How a project uses CodeQL: 0.0 (weight is 1.0)
      3. FindSecBugs score: N/A (weight is 0.5)
    3. Fuzzing: 10.0 (weight is 1.0)
    4. Memory-safety testing: 8.5 (weight is 1.0)
    5. nohttp tool: 0.0 (weight is 0.5)

This sub-score is based on 1 feature:

  1. Info about vulnerabilities: 71 vulnerabilities, details below

Community commitment

Score: 0.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 3 features:

  1. Does it belong to Apache? No
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? No

Project activity

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

The score evaluates how active a project is. It is based on the number of commits and contributors in the last 3 months.

326 commits in the last 3 months result in 10.00 points. 7 contributors increase the score value from 10.00 to 12.00.

This sub-score is based on 2 features:

  1. Number of commits in the last three months: 326
  2. Number of contributors in the last three months: 7

Project popularity

Score: 10.0, confidence is 10.0 (max), weight is 0.5 (medium)

The score is based on the number of stars and watchers. Here is how the number of stars contributes to the score: 0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max). Here is how the number of watchers contributes to the score: 0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max).

This sub-score is based on 2 features:

  1. Number of stars for a GitHub repository: 20669
  2. Number of watchers for a GitHub repository: 702

Dependency testing

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. Dependabot score: N/A (weight is 1.0)
  2. OWASP Dependency Check score: N/A (weight is 1.0)

Static analysis

Score: 5.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on the following sub-scores:

  1. LGTM score: 10.0 (weight is 1.0)
  2. How a project uses CodeQL: 0.0 (weight is 1.0)
  3. FindSecBugs score: N/A (weight is 0.5)

Fuzzing

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Is it included in OSS-Fuzz? Yes
  2. Programming languages: C, CPP, PYTHON, OTHER

Memory-safety testing

Score: 8.5, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use AddressSanitizer? Yes
  2. Does it use MemorySanitizer? No
  3. Does it use UndefinedBehaviorSanitizer? Yes
  4. Programming languages: C, CPP, PYTHON, OTHER

nohttp tool

Score: 0.0, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 2 features:

  1. Does it use nohttp? No
  2. Package managers: None

Dependabot score

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it use Dependabot? No
  2. Does it use GitHub as the main development platform? Yes
  3. Package managers: None
  4. Programming languages: C, CPP, PYTHON, OTHER

OWASP Dependency Check score

Score: N/A, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 3 features:

  1. How is OWASP Dependency Check used? Not used
  2. Package managers: None
  3. What is the threshold for OWASP Dependency Check? Not specified

LGTM score

Score: 10.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 2 features:

  1. Programming languages: C, CPP, PYTHON, OTHER
  2. The worst LGTM grade of the project: A+

How a project uses CodeQL

Score: 0.0, confidence is 10.0 (max), weight is 1.0 (high)

This sub-score is based on 4 features:

  1. Does it run CodeQL scans? No
  2. Does it use CodeQL checks for pull requests? No
  3. Does it use LGTM checks? No
  4. Programming languages: C, CPP, PYTHON, OTHER

FindSecBugs score

Score: N/A, confidence is 10.0 (max), weight is 0.5 (medium)

This sub-score is based on 2 features:

  1. Does it use FindSecBugs? No
  2. Programming languages: C, CPP, PYTHON, OTHER

Known vulnerabilities

  1. CVE-2000-0973
  2. CVE-2005-0490
  3. CVE-2005-3185
  4. CVE-2005-4077
  5. CVE-2006-1061
  6. CVE-2009-0037
  7. CVE-2010-3842
  8. CVE-2012-0036
  9. CVE-2013-0249
  10. CVE-2013-2617
  11. CVE-2013-1944
  12. CVE-2013-2174
  13. CVE-2013-4545
  14. CVE-2014-0015
  15. CVE-2014-0139
  16. CVE-2014-2522
  17. CVE-2014-3620
  18. CVE-2015-3145
  19. CVE-2015-3153
  20. CVE-2015-3237
  21. CVE-2016-0755
  22. CVE-2016-3739
  23. CVE-2016-4802
  24. CVE-2017-7407
  25. CVE-2017-9502
  26. CVE-2017-1000101
  27. CVE-2017-8816
  28. CVE-2018-1000007
  29. CVE-2017-2628
  30. CVE-2018-1000121
  31. CVE-2016-9586
  32. CVE-2018-1000300
  33. CVE-2018-0500
  34. CVE-2017-2629
  35. CVE-2016-8618
  36. CVE-2016-8619
  37. CVE-2003-1605
  38. CVE-2018-16839
  39. CVE-2019-5435
  40. CVE-2019-5443
  41. CVE-2019-5481
  42. CVE-2016-4606
  43. CVE-2020-8284