A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.
Improving security ratings for open-source projects
This page shows how security ratings may be improved for specific open-source projects.
Open-source projects in scope
The table below contains a number of open-source projects
and shows how their security ratings have changed in 4 months.
For some projects, several security improvements were done.
The improvements were derived from the detailed rating reports.
Below you can find a list of implemented improvements for specific projects.
Column description:
- Project: contains the name of an open-source project.
- Rating on Sep 1st, 2020 (v1.0.0) baseline: contains a baseline security rating that was calculated with Fosstars Core version 1.0.0.
- Improvements: contains a link to the implemented security improvements for a specific project.
- Rating on Jan 5th, 2021 (v1.0.0): contains an updated security rating that was calculated with the same Fosstars Core version 1.0.0. This column shows how the security rating changed after the security improvements were implemented.
- Rating on Jan 5th, 2021 (v1.1.0): contains an updated security rating that was calculated with the new Fosstars Core version 1.1.0. The new version includes bug fixes and enhancements that were identified while improving the security ratings for the projects in the table.
| Project | Rating on Sep 1st, 2020 (v1.0.0) baseline | Improvements | Rating on Jan 5th, 2021 (v1.0.0) | Rating on Jan 5th, 2021 (v1.1.0) |
|---|---|---|---|---|
| Netty | 3.52, BAD | 9 improvements | 4.09, MODERATE :arrow_up: | 6.02, GOOD :arrow_up: |
| Bouncy Castle Java | 3.06, BAD | 3 improvements | 3.18, BAD :arrow_up: | 3.37, BAD :arrow_up: |
| Apache HttpComponents Client | 2.76, BAD | 3 improvements | 3.27, BAD :arrow_up: | 3.64, BAD :arrow_up: |
| Apache CXF | 4.88, GOOD | 1 improvement | 5.05, GOOD :arrow_up: | 5.62, GOOD :arrow_up: |
| Apache Commons Collections | 4.52, MODERATE | 1 improvement | 4.40, MODERATE :arrow_down: | 5.58, GOOD :arrow_up: |
| EclipseLink | 3.28, BAD | Nothing | 3.42, BAD :arrow_up: | 4.53, MODERATE :arrow_up: |
| Apache HttpComponents Core | 4.01, MODERATE | Nothing | 3.94, MODERATE :arrow_down: | 4.35, MODERATE :arrow_up: |
| Apache Commons FileUpload | 2.59, BAD | Nothing | 2.59, BAD | 3.36, BAD :arrow_up: |
| Apache Commons I/O | 5.17, GOOD | Nothing | 4.53, MODERATE :arrow_down: | 5.61, GOOD :arrow_up: |
| SLF4J | 2.45, BAD | Nothing | 2.46, BAD :arrow_up: | 2.88, BAD :arrow_up: |
| zlib | 3.07, BAD | Nothing | 3.14, BAD :arrow_up: | 3.12, BAD :arrow_up: |
Implemented security improvements
Netty
- Fix or suppress LGTM findings by @artem-smotrakov
- Better hash algorithm in FingerprintTrustManagerFactory by @artem-smotrakov
- Suppress warnings about weak hash algorithms by @artem-smotrakov
- Avoid casting numbers to narrower types by @artem-smotrakov
- Fix possible bugs in HTTP/2 Codec by @hyperxpro
- Enable HTTP header validation in HttpServerUpgradeHandler by @artem-smotrakov
- Create codeql-analysis.yml by @normanmaurer
- Enable nohttp check during the build by @artem-smotrakov
- Added a security policy by @artem-smotrakov
BouncyCastle
- Suppress index-out-of-bound false-positives from LGTM by @artem-smotrakov
- Removed redundant fields and null-checks by @artem-smotrakov
- Make BcKeyStoreSpi less predictable by @artem-smotrakov
Apache HttpComponents Client
- Fixed and suppressed several findings from LGTM.com by @artem-smotrakov
- Set up CodeQL scans by @artem-smotrakov
- Added a security policy by @artem-smotrakov
Apache Commons Collections
- Add SECURITY.MD. by @garydgregory
Apache CXF
- Create codeql-analysis.yml by @coheigea