Google has, as part of their involvement in the Open Source Security Foundation (OpenSSF), come up with a “Criticality Score” for open source projects.
It is a score between 0 (least critical) and 1 (most critical).
The input variables are:
- time since project creation
- time since last update
- number of committers
- number of organizations among the top committers
- number of commits per week over the last year
- number of releases in the last year
- number of closed issues in the last 90 days
- number of updated issues in the last 90 days
- average number of comments per issue in the last 90 days
- number of project mentions in the commit messages
The best way to figure out exactly how to calculate the score based on these variables is to check out their GitHub page.
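To make the list above concrete, here is an added worked example (my own code, not the criticality_score project's) that computes the score from those inputs. The formula is the one the project describes: each input S is scaled as log(1+S)/log(1+max(S, T)) so it saturates once it reaches a threshold T, the terms are weighted and summed, and the sum is divided by the total weight. The weights and thresholds below are the ones I recall from the project's README at the time of writing and should be treated as assumptions; the clamp to the 0..1 range is mine. The two sample projects are constructed, not real measurements.

```python
import math

# Weight (alpha) and threshold (T) per input, in the order the post lists them.
# ASSUMPTION: these are the README values as I recall them; check the project
# repository for the current numbers before relying on them.
PARAMS = {
    # name: (weight, threshold)
    "created_since":         (1.0, 120),     # months since project creation
    "updated_since":         (-1.0, 120),    # months since last update; negative weight, staleness lowers the score
    "contributor_count":     (2.0, 5000),    # number of committers
    "org_count":             (1.0, 10),      # organizations among top committers
    "commit_frequency":      (1.0, 1000),    # commits per week over the last year
    "recent_releases_count": (0.5, 26),      # releases in the last year
    "closed_issues_count":   (0.5, 5000),    # closed issues in the last 90 days
    "updated_issues_count":  (0.5, 5000),    # updated issues in the last 90 days
    "comment_frequency":     (1.0, 15),      # average comments per issue, last 90 days
    "dependents_count":      (2.0, 500000),  # project mentions in commit messages
}


def param_score(value, threshold, weight=1.0):
    """One term of the score: weight * log(1+S) / log(1+max(S, T)).

    The term grows with S but saturates at exactly `weight` once S reaches
    the threshold T, so a single enormous number (say, millions of commits)
    cannot dominate the result.
    """
    if value < 0:
        raise ValueError("inputs must be non-negative")
    return weight * math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(inputs):
    """Weighted sum of the per-input terms divided by the total weight.

    `inputs` must carry every key in PARAMS; a missing measurement is an
    error rather than silently counted as zero. The final clamp to [0, 1]
    is my addition so the result matches the range described in the post.
    """
    missing = set(PARAMS) - set(inputs)
    if missing:
        raise KeyError(f"missing inputs: {sorted(missing)}")
    total_weight = sum(w for w, _ in PARAMS.values())
    raw = sum(param_score(inputs[name], t, w) for name, (w, t) in PARAMS.items())
    return round(max(0.0, min(1.0, raw / total_weight)), 5)


# Constructed sample inputs (not measurements of any real project).
MATURE_LIBRARY = {
    "created_since": 200, "updated_since": 0, "contributor_count": 1800,
    "org_count": 12, "commit_frequency": 40, "recent_releases_count": 8,
    "closed_issues_count": 600, "updated_issues_count": 900,
    "comment_frequency": 4, "dependents_count": 120000,
}

ABANDONED_TOOL = {
    "created_since": 90, "updated_since": 48, "contributor_count": 3,
    "org_count": 1, "commit_frequency": 0, "recent_releases_count": 0,
    "closed_issues_count": 0, "updated_issues_count": 2,
    "comment_frequency": 0, "dependents_count": 15,
}

if __name__ == "__main__":
    for name, project in (("mature library", MATURE_LIBRARY), ("abandoned tool", ABANDONED_TOOL)):
        print(f"{name}: {criticality_score(project)}")
```

Because each term saturates at its threshold, the score rewards a project that is broadly above average on many signals over one that is extreme on a single signal, and the negative weight on months-since-last-update is the only thing that pulls a long-lived but stale project back down.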
The top-10 C based projects
The project has run the numbers on projects hosted on GitHub (which admittedly seriously limits the results) and they host these generated lists of the 200 most critical projects written in various languages.
Checking out the top list for C based projects, we can see the top 10 projects with the highest criticality scores being:
- git
- Linux (raspberry pi)
- Linux (Torvalds version)
- PHP
- OpenSSL
- systemd
- curl
- u-boot
- qemu
- mbed-os
What now then?
After having created the scoring system and generated lists, step 3 is said to be “Use this data to proactively improve the security posture of these critical projects.”
Now I think we have a pretty strong effort on security already in curl and Google helped us strengthen it even more recently, but I figure we can never have too much help or focus on improving our project.