Last updated on March 9, 2021
Critical dependencies of open source software are often too little known and difficult to detect. Google wants to remedy this.
Small open source projects in particular are always conspicuous by the fact that although they are used extremely frequently and form an integral part of the infrastructure, the projects themselves are poorly equipped or inadequately supported. This becomes particularly critical in the case of security vulnerabilities. With a metric of its own, Google wants to help track down such projects.
Google’s work is part of the Open Source Security Foundation (OpenSSF), founded this year. The announcement states: “The criticality of an Open Source project is difficult to define. What might be a critical dependency on open source software for one consumer may be completely absent for another consumer.” To avoid discussion, Google defines criticality simply as the impact and importance of a project.
The long-term goal of the OpenSSF is to provide critical open source software with the financial resources necessary for maintenance on a permanent basis. In order to track down this software, the metrics presented by Google should help to sort the software accordingly. The corresponding value, the Criticality Score, is created completely automatically and evaluates projects according to certain characteristics.
This includes the number of regular contributors, the number of organisations or companies involved, or the involvement of the community. The tool itself can also be extended with your own rules. The source code is available on Github. Some of the data already created with the tool is made publicly available by Google. The most critical C projects are Git, the Linux kernel, PHP, OpenSSL, Systemd and Curl. Google has also created similar lists for C++, Java, Javascript, Python and Rust.
Read the original article here.
