Google Comes Up With A Metric For Gauging Critical Open-Source Projects
Google as part of their involvement in the Open-Source Security Foundation (OpenSSF) has devised the "Criticality Score" as a means of judging crucial open-source projects.
To help identify projects in need of funding or development support, Google and the other OpenSSF members came up with the "Criticality Score", a metric from 0 to 1 indicating how critical a project is.
The Criticality Score is calculated based on the age of the project, the last time it was updated, the number of contributors to the project, the number of organizations that contributors belong to, the commit frequency, the releases over the past year, the number of updated and closed issues in the last 90 days, the comment frequency, and the number of project mentions in the commit messages.
According to their automated scoring, the top ten C-based projects rated by the Criticality Score include Git, the Linux kernel (which actually occupies spots 2 and 3, with the Raspberry Pi Linux kernel placing ahead of mainline Linux), PHP, OpenSSL, systemd, Curl, U-Boot, QEMU, and Mbed-OS.
Their ten most critical C++ projects include Tensorflow, Ceph, PyTorch, Bitcoin, Electron, Marlin, Cataclysm-DDA, LLVM, RocksDB, and QGIS.
Meanwhile, the top 10 Java projects include ElasticSearch, Flink, Spring-Boot, Hadoop, Netty, Jenkins, Beam, Bazel, Alluxio, and PMD.
Google announced the Criticality Score today. Those wanting to learn more about it, or to try it out on arbitrary Git repositories, can find out more via ossf/criticality_score on GitHub.