Security score factors

Security scores indicate how well a repository follows security best practices, combined with its vulnerability history, both open and fixed. Vulnerability information is based on OSV.dev data and Endor Labs' vulnerability database.

The following factors have a positive contribution to the security score:

  • Critical and high severity vulnerabilities were discovered in the past in the repository but have now been fixed. This indicates that the code base is properly maintained.
  • A SECURITY.md file highlighting security-related information is a sign of repository maturity.
  • A high volume of commits related to vulnerabilities may indicate that the project has a large number of security issues but also that they are actively being addressed. A commit is considered vulnerability-related if it mentions a CVE in its commit message.
  • This package does not access any environment information such as environment variables, user, or host names. This reduces the risk of exposing security-sensitive information, such as environment variables with API keys.
  • No vulnerabilities ever discovered in a repository indicates that there are no known security issues in this codebase. Note that this only means none have been reported; it does not by itself show that the code has been reviewed.
  • The package does not read data from the file system, and does not write to it (create or delete files or directories, or change their ownership or permissions).
  • This package does not start operating system processes. This reduces the risk of having command or parameter injection vulnerabilities.
  • This package does not use any dynamic programming techniques such as introspection, reflection or dynamic code execution through eval() type of functions or script engines.
  • This package does not open any network connections or listen for incoming connection requests. This reduces the risk of data leakage or loading of data from untrusted sources.
  • Recently fixed vulnerabilities indicate that the repository has lower security risk and is well maintained.
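The environment, file-system, process, dynamic-code and network factors above (and their negative counterparts below) are package-behaviour signals that can be derived statically from the code. The following is an added example, not Endor Labs' code or detection rules: a small capability scanner over Python source built on the standard `ast` module. The pattern allow-list (`CAPABILITY_PATTERNS`), the `scan_capabilities` function name and the `SAMPLE_SOURCE` snippet are all constructed for this example; the rule that an `open()` call with a non-literal mode counts as a write is a worst-case assumption.

```python
import ast
from typing import Dict, List, Optional, Set

# Fully qualified names taken as evidence of each capability. This is a small
# illustrative allow-list assumed for the example, not Endor Labs' rule set.
CAPABILITY_PATTERNS: Dict[str, Set[str]] = {
    "environment": {"os.environ", "os.getenv", "os.getlogin", "getpass.getuser",
                    "socket.gethostname", "platform.node"},
    "file_read": {"os.listdir", "os.walk", "os.scandir"},
    "file_write": {"os.remove", "os.unlink", "os.rmdir", "os.mkdir", "os.makedirs",
                   "os.chmod", "os.chown", "os.rename", "shutil"},
    "process": {"subprocess", "os.system", "os.popen"},
    "dynamic_code": {"eval", "exec", "compile", "__import__", "importlib"},
    "network": {"socket.socket", "socket.create_connection", "urllib.request",
                "http.client", "requests"},
}
WRITE_MODE_CHARS = set("wax+")


def _dotted(node: ast.AST) -> Optional[str]:
    """Return 'a.b.c' for a Name/Attribute chain; None for any other expression."""
    parts: List[str] = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_aliases(tree: ast.AST) -> Dict[str, str]:
    """Map local binding names to the qualified names they import:
    'sp' -> 'subprocess' for `import subprocess as sp`,
    'environ' -> 'os.environ' for `from os import environ`."""
    aliases: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    aliases[alias.asname] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return aliases


def _resolve(dotted: str, aliases: Dict[str, str]) -> str:
    head, _, rest = dotted.partition(".")
    head = aliases.get(head, head)
    return f"{head}.{rest}" if rest else head


def _opens_for_write(call: ast.Call) -> bool:
    """True if a built-in open() call can write: the mode literal contains w/a/x/+,
    or the mode is not a literal (assumed to be the worst case)."""
    mode: Optional[ast.expr] = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    if mode is None:
        return False  # open(path) defaults to read-only text mode
    if isinstance(mode, ast.Constant) and isinstance(mode.value, str):
        return bool(WRITE_MODE_CHARS & set(mode.value))
    return True


def scan_capabilities(source: str) -> Dict[str, List[int]]:
    """Return {capability: sorted line numbers} for every capability the source evidences."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    found: Dict[str, Set[int]] = {cap: set() for cap in CAPABILITY_PATTERNS}
    for node in ast.walk(tree):
        # Built-in open() is the one name whose capability depends on its arguments.
        if isinstance(node, ast.Call) and _resolve(_dotted(node.func) or "", aliases) == "open":
            found["file_write" if _opens_for_write(node) else "file_read"].add(node.lineno)
            continue
        dotted = _dotted(node)
        if dotted is None:
            continue
        qualified = _resolve(dotted, aliases)
        for cap, patterns in CAPABILITY_PATTERNS.items():
            if any(qualified == p or qualified.startswith(p + ".") for p in patterns):
                found[cap].add(node.lineno)
    return {cap: sorted(lines) for cap, lines in found.items() if lines}


# Constructed sample package code exercising every capability once or twice.
SAMPLE_SOURCE = '''\
import os
import subprocess as sp
from os import environ
import socket

def deploy(target, cmd):
    token = environ["API_TOKEN"]                  # environment
    host = socket.gethostname()                   # environment
    sp.run(cmd, shell=True)                       # process start
    with open(target, "w") as fh:                 # file write
        fh.write(token)
    cfg = open("config.ini").read()               # file read
    os.chmod(target, 0o600)                       # file write (permissions)
    eval(cfg)                                     # dynamic code execution
    return socket.create_connection((host, 443))  # network
'''

if __name__ == "__main__":
    for capability, lines in scan_capabilities(SAMPLE_SOURCE).items():
        print(f"{capability:13s} lines {lines}")
```

The scanner resolves import aliases, so `sp.run(...)` after `import subprocess as sp` is still reported as a process start, which is the kind of evasion a naive text search for `subprocess` would miss. It deliberately does not follow attribute chains rooted in call results (for example `Path(p).read_text()`), so absence of a finding is weaker evidence than presence, which is also how the factors above should be read.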

The following factors have a negative contribution to the security score:

  • High activity from invalid accounts is suspicious.
  • This package accesses environment information like environment variables, user, and host names. Some of this information may be security sensitive, e.g., environment variables with API keys.
  • This package reads data from the file system. This can be dangerous in combination with user-provided input, e.g., lead to path traversal vulnerabilities.
  • This package starts operating system processes. This can be dangerous in combination with user-provided input, as it can lead to command or parameter injection vulnerabilities.
  • This package has a large number of instances of suspicious code that has been known to be used by malware. While this is not a guarantee that this package is malicious, a review of the related code is recommended.
  • This package opens network connections or listens for incoming connection requests. This can be dangerous in combination with user-provided input, e.g., lead to data leakage or the load of data from untrusted sources.
  • This package writes data to the file system, creates or deletes directories, or changes the ownership or permissions of files. This can be dangerous in combination with user-provided input, e.g., lead to path traversal vulnerabilities.
  • A high fraction of critical vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • A high fraction of high-fix priority vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and that the repository needs immediate maintenance. A vulnerability is considered a high priority based on our analysis.
  • A high fraction of high severity or critical vulnerabilities among the discovered vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • This package uses dynamic programming techniques like introspection, reflection or dynamic code execution through eval() type of functions or script engines.
  • Taking more time to fix critical vulnerabilities discovered in a repository indicates a lack of regular maintenance. Analysis only considers vulnerabilities associated with this repository and not its dependencies.
  • A high fraction of releases with high severity vulnerabilities indicates an elevated security risk and potentially systematic security issues with this codebase.
  • A large number of unmerged vulnerability-related pull requests indicates that the project is not actively maintained and may have unaddressed security issues.
  • The repository includes recently discovered vulnerabilities indicating that the repository’s security risk is increasing.
  • A high number of critical or unfixed vulnerabilities discovered in a repository indicates an elevated security risk and potentially systematic security issues with this codebase.
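The vulnerability-history factors in both lists (fraction of critical or high severity advisories, unfixed counts, time to fix critical issues, recently discovered and recently fixed vulnerabilities, and the CVE-in-commit-message rule) all reduce to arithmetic over advisory records. The following is an added example, not Endor Labs' scoring code: it computes those quantities over constructed sample records. The `Vuln` data class, the `vulnerability_factors` and `vulnerability_related_commits` functions, the placeholder advisory IDs and the commit messages are all assumptions for the example; severity is assumed already normalised to CRITICAL/HIGH/MEDIUM/LOW rather than taken from raw CVSS vectors, and the 90-day window for "recent" is an arbitrary choice.

```python
import re
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vuln:
    """One advisory affecting the repository, reduced to the fields the factors use."""
    vuln_id: str
    severity: str           # assumed normalised to CRITICAL / HIGH / MEDIUM / LOW
    published: date
    fixed: Optional[date]   # None while no fixed version exists


# Constructed sample records with placeholder IDs; not real advisories.
SAMPLE_VULNS: List[Vuln] = [
    Vuln("EXAMPLE-0001", "CRITICAL", date(2024, 1, 10), date(2024, 1, 14)),
    Vuln("EXAMPLE-0002", "HIGH",     date(2024, 3, 2),  date(2024, 4, 20)),
    Vuln("EXAMPLE-0003", "MEDIUM",   date(2024, 5, 5),  None),
    Vuln("EXAMPLE-0004", "CRITICAL", date(2024, 6, 1),  None),
]

# Constructed commit messages; the CVE IDs use a future year so they cannot
# collide with real advisories.
SAMPLE_COMMITS: List[str] = [
    "Fix heap overflow in parser (CVE-2099-0001)",
    "Bump version to 2.4.1",
    "Backport cve-2099-0002 mitigation to the 2.x branch",
    "Refactor CVE handling docs",   # mentions 'CVE' but cites no ID: not counted
]

# A commit is vulnerability-related if its message cites a CVE identifier.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def vulnerability_related_commits(messages: List[str]) -> List[str]:
    """Commit messages that cite a CVE ID, matched case-insensitively."""
    return [m for m in messages if CVE_RE.search(m)]


def vulnerability_factors(vulns: List[Vuln], as_of: date, recent_days: int = 90) -> Dict[str, object]:
    """Compute the raw quantities behind the vulnerability-history factors as of `as_of`."""
    total = len(vulns)
    if total == 0:
        # "No vulnerabilities ever discovered": nothing else to compute.
        return {"total": 0}
    critical = [v for v in vulns if v.severity == "CRITICAL"]
    high_or_critical = [v for v in vulns if v.severity in ("CRITICAL", "HIGH")]
    unfixed = [v for v in vulns if v.fixed is None]
    # Time to fix is measured from publication to the fixed release, critical only,
    # matching the factor that looks at critical vulnerabilities in the repository itself.
    critical_fix_days = [(v.fixed - v.published).days for v in critical if v.fixed is not None]
    recently_discovered = [v for v in vulns if (as_of - v.published).days <= recent_days]
    recently_fixed = [v for v in vulns
                      if v.fixed is not None and (as_of - v.fixed).days <= recent_days]
    return {
        "total": total,
        "fraction_critical": len(critical) / total,
        "fraction_high_or_critical": len(high_or_critical) / total,
        "unfixed_count": len(unfixed),
        "unfixed_critical_count": sum(1 for v in critical if v.fixed is None),
        "mean_days_to_fix_critical": mean(critical_fix_days) if critical_fix_days else None,
        "recently_discovered": len(recently_discovered),
        "recently_fixed": len(recently_fixed),
    }


if __name__ == "__main__":
    for key, value in vulnerability_factors(SAMPLE_VULNS, as_of=date(2024, 6, 30)).items():
        print(f"{key:28s} {value}")
    print("vulnerability-related commits:", vulnerability_related_commits(SAMPLE_COMMITS))
```

Two points worth noting when reading the output. An unfixed critical advisory contributes to the "unfixed" and "fraction critical" factors but not to "mean days to fix", so a repository that never fixes anything can show a short mean fix time; the unfixed counts have to be read alongside it. And the CVE regex only counts commits that cite an ID, so fixes landed before an ID was assigned, or described without one, are invisible to the commit-based factor.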