apache/cxf
https://github.com/apache/cxf
Last updated on Jan 5, 2021
Rating: GOOD
Score: 5.62, where max score value is 10.0
Confidence: Max (10.0, where max confidence value is 10.0)
Details
The rating is based on the security score for open-source projects.
The score uses the following sub-scores (nested sub-scores are indented under the score that uses them):
- Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
    - LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
    - How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Security awareness: 4.5, confidence is 10.0 (max), importance is 0.9 (high)
- Unpatched vulnerabilities: 10.0, confidence is 10.0 (max), importance is 0.8 (high)
- Vulnerability discovery and security testing: 0.0, confidence is 10.0 (max), importance is 0.6 (medium)
  - Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      - OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
      - LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
      - How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
    - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Community commitment: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Project activity: 10.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Project popularity: 0.99, confidence is 10.0 (max), importance is 0.5 (medium)
Sub-scores
Below are the details about all the used sub-scores.
Security testing
Score: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
  - OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
- Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
  - LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
  - How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
  - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
- Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
- Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
- nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
Security awareness
Score: 4.5, confidence is 10.0 (max), importance is 0.9 (high)
The score shows how security-aware a project is. It is additive: if the project has a security policy, the score adds 2.00; if the project has a security team, it adds 3.00; if the project uses verified signed commits, it adds 0.50; if the project has a bug bounty program, it adds 4.00; if the project signs its artifacts, it adds 0.50; if the project uses a security tool or library, it adds 1.00. For this project the security team (3.00), signed artifacts (0.50) and the mandatory OWASP Dependency Check run (1.00) account for the 4.5.
The sub-score uses 17 features:
- Does it have a bug bounty program? No
- Does it have a security policy? No
- Does it have a security team? Yes
- Does it sign artifacts? Yes
- Does it use AddressSanitizer? No
- Does it use Dependabot? No
- Does it use FindSecBugs? No
- Does it use LGTM checks? No
- Does it use MemorySanitizer? No
- Does it use OWASP ESAPI? No
- Does it use OWASP Java Encoder? No
- Does it use OWASP Java HTML Sanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
- Does it use nohttp? No
- Does it use verified signed commits? No
- How is OWASP Dependency Check used? Mandatory
- Is it included to OSS-Fuzz? No
Unpatched vulnerabilities
Score: 10.0, confidence is 10.0 (max), importance is 0.8 (high)
No unpatched vulnerabilities found, which is good.
The sub-score uses 1 feature:
- Info about vulnerabilities: 31 vulnerabilities
Vulnerability discovery and security testing
Score: 0.0, confidence is 10.0 (max), importance is 0.6 (medium)
The score checks how security testing is done and how many vulnerabilities were discovered recently. If testing is good and there are no recent vulnerabilities, the score is max; if testing is good but there are recent vulnerabilities, the score is high. If testing is bad and there are no recent vulnerabilities, the score is low; if testing is bad and there are recent vulnerabilities, the score is min. For this project, a security testing score of 5.92 combined with the vulnerability history recorded below yields the minimum.
The sub-score uses the following sub-scores:
- Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
  - Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    - Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    - OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
  - Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
    - LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
    - How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    - FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  - Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  - nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 1 feature:
- Info about vulnerabilities: 31 vulnerabilities
Community commitment
Score: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 3 features:
- Does it belong to Apache? Yes
- Does it belong to Eclipse? No
- Is it supported by a company? No
Project activity
Score: 10.0, confidence is 10.0 (max), importance is 0.5 (medium)
The score evaluates how active a project is. It is based on the number of commits and contributors in the last 3 months.
156 commits in the last 3 months result in 10.00 points
9 contributors increase the score value from 10.00 to 12.00, which is then capped at the maximum of 10.0
The sub-score uses 2 features:
- Number of commits in the last three months: 156
- Number of contributors in the last three months: 9
Project popularity
Score: 0.99, confidence is 10.0 (max), importance is 0.5 (medium)
The score is based on the number of stars and watchers.
Here is how the number of stars contributes to the score:
0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max)
Here is how the number of watchers contributes to the score:
0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max)
The sub-score uses 2 features:
- Number of stars for a GitHub repository: 686
- Number of watchers for a GitHub repository: 91
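The following script is an added example, not code from fosstars-rating-core, Apache CXF, or this report; it recomputes several of the numbers printed on this page from the inputs the page lists, so that a reader can check how the Security awareness rules, the popularity breakpoints and the importance weights combine. It assumes three things that the page is consistent with but does not state outright: composite scores are importance-weighted averages of their sub-scores with N/A sub-scores left out (this reproduces the overall 5.62, Security testing 5.92 and Static analysis 4.8, but not Dependency testing, which the page shows as 10.0 from children of 6.0 and 7.0, so that sub-score is deliberately not modelled); the awareness rules are exactly the additive rules quoted under Security awareness; and the popularity curves are linear between the listed breakpoints with stars and watchers summed. All function and constant names are the example's own.

```python
"""Recompute the scores printed in a fosstars-style report from its inputs.

Added example (not fosstars or Apache CXF code).  Assumptions are marked.
"""
from typing import Dict, List, Optional, Tuple

MAX_SCORE = 10.0


def weighted_average(subscores: List[Tuple[Optional[float], float]]) -> float:
    """Combine (score, importance) pairs. ASSUMPTION: N/A (None) is skipped,
    the rest is averaged by importance and capped at MAX_SCORE."""
    known = [(s, w) for s, w in subscores if s is not None]
    if not known:
        raise ValueError("no applicable sub-scores")
    total_weight = sum(w for _, w in known)
    return min(MAX_SCORE, sum(s * w for s, w in known) / total_weight)


# Points per rule, exactly as the Security awareness section states them.
AWARENESS_POINTS = {
    "security_policy": 2.0,
    "security_team": 3.0,
    "verified_signed_commits": 0.5,
    "bug_bounty": 4.0,
    "signs_artifacts": 0.5,
    "uses_security_tool": 1.0,
}


def security_awareness(features: Dict[str, bool]) -> float:
    """Sum the points of every rule whose feature is present, capped at 10."""
    unknown = set(features) - set(AWARENESS_POINTS)
    if unknown:
        raise KeyError(f"unknown awareness feature(s): {sorted(unknown)}")
    return min(MAX_SCORE, sum(AWARENESS_POINTS[f] for f, on in features.items() if on))


# Breakpoints (count, points) quoted under Project popularity.
STARS_CURVE = [(0, 0.0), (2500, 2.5), (5000, 5.0), (10000, 10.0)]
WATCHERS_CURVE = [(0, 0.0), (450, 1.5), (750, 2.5), (3000, 10.0)]


def interpolate(curve: List[Tuple[int, float]], x: int) -> float:
    """ASSUMPTION: linear between breakpoints; beyond the last one, the max."""
    if x < 0:
        raise ValueError("count cannot be negative")
    for (x0, y0), (x1, y1) in zip(curve, curve[1:]):
        if x <= x1:
            return y0 + (x - x0) * (y1 - y0) / (x1 - x0)
    return curve[-1][1]


def popularity(stars: int, watchers: int) -> float:
    """ASSUMPTION: star and watcher contributions are added, capped at 10."""
    return min(MAX_SCORE, interpolate(STARS_CURVE, stars) + interpolate(WATCHERS_CURVE, watchers))


# Inputs copied from this page: (score, importance) per child sub-score.
STATIC_ANALYSIS = [(2.0, 1.0), (10.0, 1.0), (0.0, 0.5)]      # LGTM, CodeQL, FindSecBugs
SECURITY_TESTING = [(10.0, 1.0), (4.8, 1.0), (None, 1.0),    # dep. testing, static, fuzzing
                    (None, 1.0), (0.0, 0.5)]                 # memory-safety, nohttp
TOP_LEVEL = [(5.92, 1.0), (4.5, 0.9), (10.0, 0.8), (0.0, 0.6),
             (7.0, 0.5), (10.0, 0.5), (0.99, 0.5)]
CXF_AWARENESS = {
    "security_policy": False,
    "security_team": True,
    "verified_signed_commits": False,
    "bug_bounty": False,
    "signs_artifacts": True,
    "uses_security_tool": True,   # OWASP Dependency Check is mandatory
}


def report_numbers() -> Dict[str, float]:
    """The scores this page prints, recomputed from their inputs."""
    return {
        "static_analysis": round(weighted_average(STATIC_ANALYSIS), 2),
        "security_testing": round(weighted_average(SECURITY_TESTING), 2),
        "overall": round(weighted_average(TOP_LEVEL), 2),
        "security_awareness": security_awareness(CXF_AWARENESS),
        "popularity": round(popularity(686, 91), 2),
    }


if __name__ == "__main__":
    for name, value in report_numbers().items():
        print(f"{name}: {value}")
```

Running it prints 4.8, 5.92, 5.62, 4.5 and 0.99, matching the page. The point of the exercise is the sensitivity it exposes: adding a SECURITY.md (2.00) alone would lift Security awareness to 6.5, and because Fuzzing and Memory-safety testing are N/A for a Java code base they neither help nor hurt Security testing, so the cheapest levers are the LGTM grade and FindSecBugs under Static analysis.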
Dependency testing
Score: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
- OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
Static analysis
Score: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses the following sub-scores:
- LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
- How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
- FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
Fuzzing
Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- Is it included to OSS-Fuzz? No
Memory-safety testing
Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 4 features:
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- Does it use AddressSanitizer? No
- Does it use MemorySanitizer? No
- Does it use UndefinedBehaviorSanitizer? No
nohttp tool
Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 2 features:
- A set of package managers: MAVEN
- Does it use nohttp? No
Dependabot score
Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 4 features:
- A set of package managers: MAVEN
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- Does it use Dependabot? No
- Does it use GitHub as the main development platform? Yes
OWASP Dependency Check score
Score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- How is OWASP Dependency Check used? Mandatory
- What is the threshold for OWASP Dependency Check? Not specified
LGTM score
Score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 2 features:
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- The worst LGTM grade of the project: D
How a project uses CodeQL
Score: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
The sub-score uses 4 features:
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- Does it use LGTM checks? No
- If a project runs CodeQL checks for commits: Yes
- If a project runs CodeQL scans: Yes
FindSecBugs score
Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
The sub-score uses 2 features:
- A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
- Does it use FindSecBugs? No
How to improve the rating
- You can ask the project maintainers to enable LGTM checks for pull requests in the project. More info:
  - How to enable LGTM checks for pull requests
- You can fix the issues reported by LGTM for the project. More info:
  - List of issues on LGTM
- You can open a pull request to add a security policy for the project. More info:
  - About adding a security policy to a repository on GitHub
  - An example of a security policy
  - Suggest a security policy for the project
- You can open a pull request to enable FindSecBugs for the project. More info:
  - FindSecBugs home page