Last updated on December 12, 2020
Critical dependencies of open source software are often too little known and difficult to detect. Google wants to remedy this.
Small open source projects in particular are always conspicuous by the fact that although they are used extremely frequently and form an integral part of the infrastructure, the projects themselves are poorly equipped or inadequately supported. This becomes particularly critical in the case of security vulnerabilities. With a metric of its own, Google wants to help track down such projects.
Google’s work is part of the Open Source Security Foundation (OpenSSF), founded this year. The announcement states: “The criticality of an Open Source project is difficult to define. What might be a critical dependency on open source software for one consumer may be completely absent for another consumer.” To avoid discussion, Google defines criticality simply as the impact and importance of a project.
The long-term goal of the OpenSSF is to provide critical open source software with the financial resources necessary for maintenance on a permanent basis. In order to track down this software, the metrics presented by Google should help to sort the software accordingly. The corresponding value, the Criticality Score, is created completely automatically and evaluates projects according to certain characteristics.
Read the original article here.