Open Source Security Foundation's Criticality Score 2.0 Debuts To Rank Important OSS Projects
Back in 2020 Google and the Open Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank open-source projects by their importance, or criticality. The score is a means of quantifying how much the ecosystem depends on a project, for instance when deciding which projects most need funding or development assistance. Criticality Score 2.0 has now been published.
The Criticality Score takes into account the age of the codebase/repository, the contributor count, the commit frequency, the number of releases in the past year, the number of closed and updated issues in the last 90 days, the comment frequency, the number of project mentions in commit messages, and other parameters, and combines them into a single number between 0 and 1 expressing how critical a project is by this standard. The Criticality Score software can compute the score from a GitHub repository URL.
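To show how those parameters become a single 0-to-1 number, here is an added example in Go (the language v2.0 is written in). It is not the project's own code: it implements the formula published in the criticality_score README, where each signal S_i with weight alpha_i and threshold T_i contributes alpha_i * log(1 + S_i) / log(1 + max(S_i, T_i)) to a weighted mean. The signal names follow the parameters listed above, but the weights and thresholds are round illustrative values chosen for this example, the sample projects are constructed, and the restriction to non-negative weights is an assumption of this example; the tool's real default configuration lives in its repository.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Signal is one input to the score. Value is the raw measurement (for example
// the number of contributors), Weight is its alpha_i, and Threshold is T_i: once
// the value reaches the threshold the signal contributes its full weight, and
// further growth adds nothing, so no single very large number can dominate.
type Signal struct {
	Name      string
	Value     float64
	Weight    float64
	Threshold float64
}

// CriticalityScore computes the formula published in the criticality_score README:
//
//	C = (1 / sum(alpha_i)) * sum(alpha_i * log(1 + S_i) / log(1 + max(S_i, T_i)))
//
// Each log ratio lies in [0, 1], so with non-negative weights the weighted mean
// lies in [0, 1] as well. This example rejects negative weights, values and
// thresholds instead of modelling the tool's full configuration (assumption).
func CriticalityScore(signals []Signal) (float64, error) {
	var weighted, totalWeight float64
	for _, s := range signals {
		if s.Weight < 0 || s.Value < 0 || s.Threshold <= 0 {
			return 0, fmt.Errorf("signal %q: weight and value must be >= 0 and threshold > 0", s.Name)
		}
		// log(1 + x) dampens large counts; dividing by the log of the capped
		// value normalises the term to exactly 1.0 at or above the threshold.
		term := math.Log(1+s.Value) / math.Log(1+math.Max(s.Value, s.Threshold))
		weighted += s.Weight * term
		totalWeight += s.Weight
	}
	if totalWeight == 0 {
		return 0, errors.New("no weighted signals")
	}
	return weighted / totalWeight, nil
}

// sampleSignals builds constructed signals for a hypothetical project. The
// names follow the parameters described in the article; the weights and
// thresholds are round illustrative values chosen for this example, not the
// tool's default configuration.
func sampleSignals(ageMonths, contributors, commitsPerWeek, releasesLastYear, closedIssues90d float64) []Signal {
	return []Signal{
		{Name: "created_since_months", Value: ageMonths, Weight: 1, Threshold: 120},
		{Name: "contributor_count", Value: contributors, Weight: 2, Threshold: 5000},
		{Name: "commit_frequency", Value: commitsPerWeek, Weight: 1, Threshold: 1000},
		{Name: "recent_releases_count", Value: releasesLastYear, Weight: 0.5, Threshold: 26},
		{Name: "closed_issues_count", Value: closedIssues90d, Weight: 0.5, Threshold: 5000},
	}
}

func main() {
	// Two constructed projects: a small hobby repo and a heavily used library.
	for _, p := range []struct {
		name    string
		signals []Signal
	}{
		{"hobby-project (constructed)", sampleSignals(6, 3, 0.5, 1, 4)},
		{"widely-used-library (constructed)", sampleSignals(96, 800, 40, 12, 900)},
	} {
		score, err := CriticalityScore(p.signals)
		if err != nil {
			fmt.Println(p.name, "error:", err)
			continue
		}
		fmt.Printf("%-36s %.3f\n", p.name, score)
	}
}
```

The two properties worth noticing are the log damping, which stops a project with a million issues from drowning out one with a few hundred, and the threshold cap, which means a signal already at or above its T_i contributes exactly its full weight and nothing more; a project at every threshold scores exactly 1.0.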
The stated goals of the OpenSSF Criticality Score are:
Generate a criticality score for every open source project.
Create a list of critical projects that the open source community depends on.
Use this data to proactively improve the security posture of these critical projects.
The Criticality Score software is maintained by the Open Source Security Foundation's "Securing Critical Projects" working group. Among the most critical C projects on GitHub are Git, the Linux kernel, PHP, OpenSSL, systemd, and curl. The most critical Rust projects include Rust itself, Servo, Cargo, rust-analyzer, and others. The most critical PHP projects include Symfony, Magento2, Joomla, and the Laravel Framework. Topping the Python list are the likes of SaltStack Salt, Home-Assistant Core, CPython, Scikit-Learn, and NumPy.
Criticality Score 2.0 was released on Thursday as a "revamp" of the project. With v2.0 the software has been rewritten in Go rather than Python, alongside various fixes, new features, and other enhancements for scoring open-source projects based on their GitHub repository.
Those wishing to learn more about Criticality Score 2.0 can do so via the project's repository under the OpenSSF GitHub organization.