A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.

View the Project on GitHub SAP/fosstars-rating-core

Improving security ratings for open-source projects

The page shows how security ratings may be improved for specific open-source projects.

Open-source projects in scope

The table below contains a number of open-source projects and shows how their security ratings have changed in 4 months. For some projects, several security improvements were done. The improvements were derived from the detailed rating reports. Below you can find a list of implemented improvements for specific projects.

Column description:

Project Rating on Sep 1st, 2020 (v1.0.0) baseline Improvements Rating on Jan 5th, 2021 (v1.0.0) Rating on Jan 5th, 2021 (v1.1.0)
Netty 3.52, BAD 9 improvements 4.09, MODERATE :arrow_up: 6.02, GOOD :arrow_up:
Bouncy Castle Java 3.06, BAD 3 improvements 3.18, BAD :arrow_up: 3.37, BAD :arrow_up:
Apache HttpComponents Client 2.76, BAD 3 improvements 3.27, BAD :arrow_up: 3.64, BAD :arrow_up:
Apache CXF 4.88, GOOD 1 improvement 5.05, GOOD :arrow_up: 5.62, GOOD :arrow_up:
Apache Commons Collections 4.52, MODERATE 1 improvement 4.40, MODERATE :arrow_down: 5.58, GOOD :arrow_up:
EclipseLink 3.28, BAD Nothing 3.42, BAD :arrow_up: 4.53, MODERATE :arrow_up:
Apache HttpComponents Core 4.01, MODERATE Nothing 3.94, MODERATE :arrow_down: 4.35, MODERATE :arrow_up:
Apache Commons FileUpload 2.59, BAD Nothing 2.59, BAD 3.36, BAD :arrow_up:
Apache Commons I/O 5.17, GOOD Nothing 4.53, MODERATE :arrow_down: 5.61, GOOD :arrow_up:
SLF4J 2.45, BAD Nothing 2.46, BAD :arrow_up: 2.88, BAD :arrow_up:
zlib 3.07, BAD Nothing 3.14, BAD :arrow_up: 3.12, BAD :arrow_up:

Implemented security improvements


  1. Fix or suppress LGTM findings by @artem-smotrakov
  2. Better hash algorithm in FingerprintTrustManagerFactory by @artem-smotrakov
  3. Suppress warnings about weak hash algorithms by @artem-smotrakov
  4. Avoid casting numbers to narrower types by @artem-smotrakov
  5. Fix possible bugs in HTTP/2 Codec by @hyperxpro
  6. Enable HTTP header validation in HttpServerUpgradeHandler by @artem-smotrakov
  7. Create codeql-analysis.yml by @normanmaurer
  8. Enable nohttp check during the build by @artem-smotrakov
  9. Added a security policy by @artem-smotrakov


  1. Suppress index-out-of-bound false-positives from LGTM by @artem-smotrakov
  2. Removed redundant fields and null-checks by @artem-smotrakov
  3. Make BcKeyStoreSpi less predictable by @artem-smotrakov

Apache HttpComponents Client

  1. Fixed and suppressed several findings from by @artem-smotrakov
  2. Set up CodeQL scans by @artem-smotrakov
  3. Added a security policy by @artem-smotrakov

Apache Commons Collections

  1. Add SECURITY.MD. by @garydgregory

Apache CXF

  1. Create codeql-analysis.yml by @coheigea