Open Source Security Foundation's Criticality Score 2.0 Debuts To Rank Important OSS Projects

Written by Michael Larabel in Linux Security on 24 February 2023 at 07:34 AM EST. 10 Comments
LINUX SECURITY
Back in 2020 Google and the Open-Source Security Foundation (OpenSSF) came up with a "Criticality Score" to rank the importance/criticality of open-source projects. The Criticality Score is a means of quantifying the importance of an open-source project such as if in need of funding or development assistance. Criticality Score 2.0 has now been published.

The Criticality Score takes into account the age of the codebase/repository, the contributor count, commit frequency, the number of releases in the past year, the number of closed and updated issues in the last 90 days, the comment frequency, the number of project mentions in commit messages, and other parameters to come up with a numerical representation between 0 and 1 for how critical a project is by this standard. The Criticality Score software can compute the score based on a GitHub repository URL.

OpenSSF logo


The stated goals of the OpenSSF Criticality Score are:
Generate a criticality score for every open source project.

Create a list of critical projects that the open source community depends on.

Use this data to proactively improve the security posture of these critical projects.

The Criticality Score software is maintained by the Open Source Security Foundation's "Securing Critical Projects" working group. Among the most critical C language projects on GitHub are Git, the Linux kernel, PHP, OpenSSL, systemd, and curl. For the most critical Rust-written projects the list includes Rust itself, Servo, Cargo, rust-analyzer, and others. The most critical PHP projects include Symfony, Magento2, Joomla, and the Laravel Framework. Topping the Python criticality list includes the likes of SaltStack Salt, Home-Assistant Core, CPython, Scikit-Learn, and Numpy.

Criticality Score 2.0


Released on Thursday was Criticality Score 2.0 as a "revamp" of the project. With v2.0, the Criticality Score software has been rewritten in the Go programming language rather than Python. There are also various fixes, new features, and other enhancements to this software for scoring open-source projects based on their GitHub repository.

Those wishing to learn more about Criticality Score 2.0 can do so via their OpenSSF GitHub repository.
10 Comments
Related News
Linux 6.9-rc6 To Fix Accidentally Disabling Mitigations By Default For Non-x86 CPUs
Linux BHI Mitigation Being Tweaked Following 12% Database Performance Hit
Linux 6.9-rc4 To Bring New Fixes For x86 Speculation Mitigations
Linux Kernel Patched For Branch History Injection "BHI" Intel CPU Vulnerability
GitHub Disables The XZ Repository Following Today's Malicious Disclosure
XZ Struck By Malicious Code That Could Allow Unauthorized Remote System Access
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
systemd Rolling Out "run0" As sudo Alternative
Fedora Linux 40 Available For Download As A Wonderful Upgrade
Microsoft Open-Sources MS-DOS 4.0 Under MIT License
Systemd 256-rc1 Brings A Huge Number Of New Features
NVIDIA Developer Opens Feature Pull Request For Open-Source NVK Driver
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
Ubuntu 24.04 LTS Downloads Now Available
Linux Mint Looks To Fork More GNOME Software, Make XApp More Independent