fosstars-rating-core

A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.


apache/httpcomponents-client

https://github.com/apache/httpcomponents-client

Last updated on Jan 5, 2021

Rating: BAD

Score: 3.27, where max score value is 10.0

Confidence: High (10.0, where max confidence value is 10.0)

Details

The rating is based on the security score for open-source projects.

The score uses the following sub-scores:

  1. Security testing: 4.4, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. Static analysis: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. LGTM score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  2. Security awareness: 3.0, confidence is 10.0 (max), importance is 0.9 (high)
  3. Unpatched vulnerabilities: 2.0, confidence is 10.0 (max), importance is 0.8 (high)
  4. Vulnerability discovery and security testing: 2.0, confidence is 10.0 (max), importance is 0.6 (medium)
    1. Security testing: 4.4, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
        1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
        2. OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. Static analysis: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
        1. LGTM score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
        2. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
      3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
      4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
      5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  5. Project activity: 3.21, confidence is 10.0 (max), importance is 0.5 (medium)
  6. Community commitment: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
  7. Project popularity: 1.36, confidence is 10.0 (max), importance is 0.5 (medium)

Sub-scores

Below are the details of all the sub-scores used.

Security testing

Score: 4.4, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. Static analysis: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
    1. LGTM score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
  3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

Security awareness

Score: 3.0, confidence is 10.0 (max), importance is 0.9 (high)

The score shows how security-aware a project is. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00.

The sub-score uses 17 features:

  1. Does it have a bug bounty program? No
  2. Does it have a security policy? No
  3. Does it have a security team? Yes
  4. Does it sign artifacts? No
  5. Does it use AddressSanitizer? No
  6. Does it use Dependabot? No
  7. Does it use FindSecBugs? No
  8. Does it use LGTM checks? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use UndefinedBehaviorSanitizer? No
  14. Does it use nohttp? No
  15. Does it use verified signed commits? No
  16. How is OWASP Dependency Check used? Not used
  17. Is it included in OSS-Fuzz? No

Unpatched vulnerabilities

Score: 2.0, confidence is 10.0 (max), importance is 0.8 (high)

Found 1 unpatched vulnerability with high severity, which decreased the score by 8.00 (1 * 8.00)

The sub-score uses 1 feature:

  1. Info about vulnerabilities: 1 vulnerability

Vulnerability discovery and security testing

Score: 2.0, confidence is 10.0 (max), importance is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If testing is good but there are recent vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If testing is bad and there are recent vulnerabilities, then the score is min.

The sub-score uses the following sub-score:

  1. Security testing: 4.4, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependency testing: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. Static analysis: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. LGTM score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)
    3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 1 feature:

  1. Info about vulnerabilities: 1 vulnerability

Project activity

Score: 3.21, confidence is 10.0 (max), importance is 0.5 (medium)

The score is based on the number of commits and contributors.

Here is how the number of commits contributes to the score (up to 5.10): 0 -> 0.10, 200 -> 2.55, 310 -> 4.59

Here is how the number of contributors contributes to the score (up to 5.10): 0 -> 0.10, 5 -> 2.55, 10 -> 4.59

The sub-score uses 2 features:

  1. Number of commits in the last three months: 28
  2. Number of contributors in the last three months: 4

Community commitment

Score: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 3 features:

  1. Does it belong to Apache? Yes
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? No

Project popularity

Score: 1.36, confidence is 10.0 (max), importance is 0.5 (medium)

The score is based on the number of stars and watchers.

Here is how the number of stars contributes to the score: 0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max)

Here is how the number of watchers contributes to the score: 0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max)

The sub-score uses 2 features:

  1. Number of stars for a GitHub repository: 1008
  2. Number of watchers for a GitHub repository: 106

Dependency testing

Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. OWASP Dependency Check score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)

Static analysis

Score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. LGTM score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)

Fuzzing

Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. A set of programming languages: JAVA, OTHER
  2. Is it included in OSS-Fuzz? No

Memory-safety testing

Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 4 features:

  1. A set of programming languages: JAVA, OTHER
  2. Does it use AddressSanitizer? No
  3. Does it use MemorySanitizer? No
  4. Does it use UndefinedBehaviorSanitizer? No

nohttp tool

Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 2 features:

  1. A set of package managers: MAVEN
  2. Does it use nohttp? No

Dependabot score

Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 4 features:

  1. A set of package managers: MAVEN
  2. A set of programming languages: JAVA, OTHER
  3. Does it use Dependabot? No
  4. Does it use GitHub as the main development platform? Yes

OWASP Dependency Check score

Score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. How is OWASP Dependency Check used? Not used
  2. What is the threshold for OWASP Dependency Check? Not specified

LGTM score

Score: 5.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. Does it use LGTM checks? No
  2. The worst LGTM grade of the project: A

FindSecBugs score

Score: 0.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. A set of programming languages: JAVA, OTHER
  2. Does it use FindSecBugs? No