fosstars-rating-core

A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with open source components.


apache/cxf

https://github.com/apache/cxf

Last updated on Jan 5, 2021

Rating: GOOD

Score: 5.62, where max score value is 10.0

Confidence: Max (10.0, where max confidence value is 10.0)

Details

The rating is based on the security score for open-source projects.

The score uses the following sub-scores:

  1. Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
      1. LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      3. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
    3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  2. Security awareness: 4.5, confidence is 10.0 (max), importance is 0.9 (high)
  3. Unpatched vulnerabilities: 10.0, confidence is 10.0 (max), importance is 0.8 (high)
  4. Vulnerability discovery and security testing: 0.0, confidence is 10.0 (max), importance is 0.6 (medium)
    1. Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
        1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
        2. OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
        1. LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
        2. How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
        3. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
      3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
      4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
      5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  5. Community commitment: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)
  6. Project activity: 10.0, confidence is 10.0 (max), importance is 0.5 (medium)
  7. Project popularity: 0.99, confidence is 10.0 (max), importance is 0.5 (medium)

Sub-scores

Below are the details of all the sub-scores used.

Security testing

Score: 5.92, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
    1. LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
    3. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
  3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
  5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

Security awareness

Score: 4.5, confidence is 10.0 (max), importance is 0.9 (high)

The score shows how aware of security a project is. If the project has a security policy, then the score adds 2.00. If the project has a security team, then the score adds 3.00. If the project uses verified signed commits, then the score adds 0.50. If the project has a bug bounty program, then the score adds 4.00. If the project signs its artifacts, then the score adds 0.50. If the project uses a security tool or library, then the score adds 1.00.

The sub-score uses 17 features:

  1. Does it have a bug bounty program? No
  2. Does it have a security policy? No
  3. Does it have a security team? Yes
  4. Does it sign artifacts? Yes
  5. Does it use AddressSanitizer? No
  6. Does it use Dependabot? No
  7. Does it use FindSecBugs? No
  8. Does it use LGTM checks? No
  9. Does it use MemorySanitizer? No
  10. Does it use OWASP ESAPI? No
  11. Does it use OWASP Java Encoder? No
  12. Does it use OWASP Java HTML Sanitizer? No
  13. Does it use UndefinedBehaviorSanitizer? No
  14. Does it use nohttp? No
  15. Does it use verified signed commits? No
  16. How is OWASP Dependency Check used? Mandatory
  17. Is it included in OSS-Fuzz? No

Unpatched vulnerabilities

Score: 10.0, confidence is 10.0 (max), importance is 0.8 (high)

No unpatched vulnerabilities found, which is good.

The sub-score uses 1 feature:

  1. Info about vulnerabilities: 31 vulnerabilities

Vulnerability discovery and security testing

Score: 0.0, confidence is 10.0 (max), importance is 0.6 (medium)

The score checks how security testing is done and how many vulnerabilities were recently discovered. If testing is good and there are no recent vulnerabilities, then the score value is max. If testing is good but there are recent vulnerabilities, then the score value is high. If testing is bad and there are no recent vulnerabilities, then the score value is low. If testing is bad and there are recent vulnerabilities, then the score value is min.

The sub-score uses the following sub-score:

  1. Security testing: 5.92, confidence is 10.0 (max), importance is 1.0 (high)
    1. Dependency testing: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)
    2. Static analysis: 4.8, confidence is 10.0 (max), importance is 1.0 (high)
      1. LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
      2. How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
      3. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)
    3. Fuzzing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    4. Memory-safety testing: N/A, confidence is 10.0 (max), importance is 1.0 (high)
    5. nohttp tool: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 1 feature:

  1. Info about vulnerabilities: 31 vulnerabilities

Community commitment

Score: 7.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 3 features:

  1. Does it belong to Apache? Yes
  2. Does it belong to Eclipse? No
  3. Is it supported by a company? No

Project activity

Score: 10.0, confidence is 10.0 (max), importance is 0.5 (medium)

The score evaluates how active a project is. It is based on the number of commits and contributors in the last 3 months.

156 commits in the last 3 months result in 10.00 points. 9 contributors increase the score value from 10.00 to 12.00 (the final score is capped at the maximum of 10.0).

The sub-score uses 2 features:

  1. Number of commits in the last three months: 156
  2. Number of contributors in the last three months: 9

Project popularity

Score: 0.99, confidence is 10.0 (max), importance is 0.5 (medium)

The score is based on the number of stars and watchers.

Here is how the number of stars contributes to the score: 0 -> 0.00 (min), 2500 -> 2.50, 5000 -> 5.00, 10000 -> 10.00 (max).

Here is how the number of watchers contributes to the score: 0 -> 0.00 (min), 450 -> 1.50, 750 -> 2.50, 3000 -> 10.00 (max).

The sub-score uses 2 features:

  1. Number of stars for a GitHub repository: 686
  2. Number of watchers for a GitHub repository: 91

Dependency testing

Score: 10.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. Dependabot score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. OWASP Dependency Check score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)

Static analysis

Score: 4.8, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses the following sub-scores:

  1. LGTM score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)
  2. How a project uses CodeQL: 10.0, confidence is 10.0 (max), importance is 1.0 (high)
  3. FindSecBugs score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

Fuzzing

Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  2. Is it included in OSS-Fuzz? No

Memory-safety testing

Score: N/A, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 4 features:

  1. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  2. Does it use AddressSanitizer? No
  3. Does it use MemorySanitizer? No
  4. Does it use UndefinedBehaviorSanitizer? No

nohttp tool

Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 2 features:

  1. A set of package managers: MAVEN
  2. Does it use nohttp? No

Dependabot score

Score: 6.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 4 features:

  1. A set of package managers: MAVEN
  2. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  3. Does it use Dependabot? No
  4. Does it use GitHub as the main development platform? Yes

OWASP Dependency Check score

Score: 7.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. How is OWASP Dependency Check used? Mandatory
  2. What is the threshold for OWASP Dependency Check? Not specified

LGTM score

Score: 2.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 2 features:

  1. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  2. The worst LGTM grade of the project: D

How a project uses CodeQL

Score: 10.0, confidence is 10.0 (max), importance is 1.0 (high)

The sub-score uses 4 features:

  1. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  2. Does it use LGTM checks? No
  3. If a project runs CodeQL checks for commits: Yes
  4. If a project runs CodeQL scans: Yes

FindSecBugs score

Score: 0.0, confidence is 10.0 (max), importance is 0.5 (medium)

The sub-score uses 2 features:

  1. A set of programming languages: JAVA, RUBY, JAVASCRIPT, OTHER
  2. Does it use FindSecBugs? No

How to improve the rating

  1. You can ask the project maintainers to enable LGTM checks for pull requests in the project. More info:
    1. How to enable LGTM checks for pull requests
  2. You can fix the issues reported by LGTM for the project. More info:
    1. List of issues on LGTM
  3. You can open a pull request to add a security policy for the project. More info:
    1. About adding a security policy to a repository on GitHub
    2. An example of a security policy
    3. Suggest a security policy for the project
  4. You can open a pull request to enable FindSecBugs for the project. More info:
    1. FindSecBugs home page