apache/commons-collections
https://github.com/apache/commons-collections
Last updated on Jan 5, 2021
Rating: MODERATE
Score: 4.4, where max score value is 10.0
Confidence: High (10.0, where max confidence value is 10.0)
Details
The rating is based on the security score for open-source projects.
The score uses the following sub-scores:
- Security testing: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Static analysis: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
    - LGTM score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
    - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Security awareness: 3.0, confidence is 10.0 (max), importance is 0.9 (high)
- Unpatched vulnerabilities: 10.0, confidence is 10.0 (max), importance is 0.8 (high)
- Vulnerability discovery and security testing: 2.0, confidence is 10.0 (max), importance is 0.6 (medium)
  - Security testing: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      - OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Static analysis: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
      - LGTM score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
      - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Project activity: 2.73, confidence is 10.0 (max), importance is 0.5 (medium)
- Community commitment: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Project popularity: 0.71, confidence is 10.0 (max), importance is 0.5 (medium)
Sub-scores
Below are the details of all the sub-scores used.
Security testing
Score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
  - OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
- Static analysis: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
  - LGTM score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
  - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
- Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
- Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
- nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
Security awareness
Score: 3.0, confidence is 10.0 (max), importance is 0.9 (high)
The score shows how security-aware a project is. If the project has a security policy, the score adds 2.00. If the project has a security team, the score adds 3.00. If the project uses verified signed commits, the score adds 0.50. If the project has a bug bounty program, the score adds 4.00. If the project signs its artifacts, the score adds 0.50. If the project uses a security tool or library, the score adds 1.00.
The sub-score uses 17 features:
- Does it have a bug bounty program? No
- Does it have a security policy? No
- Does it have a security team? Yes
- Does it sign artifacts? No
- Does it use AddressSanitizer? No
- Does it use Dependabot? No
- Does it use FindSecBugs? No
- Does it use LGTM checks? No
- Does it use MemorySanitizer? No
- Does it use OWASP ESAPI? No
- Does it use OWASP Java Encoder? No
- Does it use OWASP Java HTML Sanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
- Does it use nohttp? No
- Does it use verified signed commits? No
- How is OWASP Dependency Check used? Not used
- Is it included in OSS-Fuzz? No
Unpatched vulnerabilities
Score: 10.0, confidence is 10.0 (max), importance is 0.8 (high)
No unpatched vulnerabilities found, which is good.
The sub-score uses 1 feature:
- Info about vulnerabilities: 2 vulnerabilities
Vulnerability discovery and security testing
Score: 2.0, confidence is 10.0 (max), importance is 0.6 (medium)
The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, the score is max; if testing is good but there are recent vulnerabilities, the score is high. If testing is bad and there are no recent vulnerabilities, the score is low; if testing is bad and there are recent vulnerabilities, the score is min.
The sub-score uses the following sub-score:
- Security testing: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Static analysis: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
    - LGTM score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
    - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 1 feature:
- Info about vulnerabilities: 2 vulnerabilities
Project activity
Score: 2.73, confidence is 10.0 (max), importance is 0.5 (medium)
The score is based on the number of commits and contributors.
Here is how the number of commits contributes to the score (up to 5.10):
0 -> 0.10, 200 -> 2.55, 310 -> 4.59
Here is how the number of contributors contributes to the score (up to 5.10):
0 -> 0.10, 5 -> 2.55, 10 -> 4.59
The sub-score uses 2 features:
- Number of commits in the last three months: 59
- Number of contributors in the last three months: 3
Community commitment
Score: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 3 features:
- Does it belong to Apache? Yes
- Does it belong to Eclipse? No
- Is it supported by a company? No
Project popularity
Score: 0.71, confidence is 10.0 (max), importance is 0.5 (medium)
The score is based on the number of stars and watchers.
Here is how the number of stars contributes to the score:
0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max)
Here is how the number of watchers contributes to the score:
0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max)
The sub-score uses 2 features:
- Number of stars for a GitHub repository: 458
- Number of watchers for a GitHub repository: 76
Dependency testing
Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
- OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
Static analysis
Score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- LGTM score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
- FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
Fuzzing
Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- A set of programming languages: JAVA, OTHER
- Is it included in OSS-Fuzz? No
Memory-safety testing
Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 4 features:
- A set of programming languages: JAVA, OTHER
- Does it use AddressSanitizer? No
- Does it use MemorySanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
nohttp tool
Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 2 features:
- A set of package managers: MAVEN
- Does it use nohttp? No
Dependabot score
Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 4 features:
- A set of package managers: MAVEN
- A set of programming languages: JAVA, OTHER
- Does it use Dependabot? No
- Does it use GitHub as the main development platform? Yes
OWASP Dependency Check score
Score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- How is OWASP Dependency Check used? Not used
- What is the threshold for OWASP Dependency Check? Not specified
LGTM score
Score: 4.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- Does it use LGTM checks? No
- The worst LGTM grade of the project: B
FindSecBugs score
Score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- A set of programming languages: JAVA, OTHER
- Does it use FindSecBugs? No