{"id":15359,"date":"2020-12-13T12:39:04","date_gmt":"2020-12-13T11:39:04","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=15359"},"modified":"2020-12-13T12:39:04","modified_gmt":"2020-12-13T11:39:04","slug":"the-critical-curl","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2020\/12\/13\/the-critical-curl\/","title":{"rendered":"the critical curl"},"content":{"rendered":"\n<p>Google has, as part of their involvement in the <a href=\"https:\/\/openssf.org\/\">Open Source Security Foundation<\/a> (OpenSSF), come up with a &#8220;<a href=\"https:\/\/opensource.googleblog.com\/2020\/12\/finding-critical-open-source-projects.html\">Criticality Score<\/a>&#8221; for open source projects.<\/p>\n\n\n\n<p>It is a score between <strong>0<\/strong> (least critical) and <strong>1<\/strong> (most critical).<\/p>\n\n\n\n<p>The input variables are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>time since project creation<\/li><li>time since last update<\/li><li>number of committers<\/li><li>number of organizations among the top committers<\/li><li>number of commits per week the last year<\/li><li>number of releases the last year<\/li><li>number of closed issues the last 90 days<\/li><li>number of updated issues the last 90 days<\/li><li>average number of comments per issue the last 90 days<\/li><li>number of project mentions in the commit messages<\/li><\/ul>\n\n\n\n<p>The best way to figure out exactly how to calculate the score based on these variables is to check out their <a href=\"https:\/\/github.com\/ossf\/criticality_score\">GitHub page<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The top-10 C based projects<\/h2>\n\n\n\n<p>The project has run the numbers on projects hosted on GitHub (which admittedly seriously limits the results) and they host these <a href=\"https:\/\/commondatastorage.googleapis.com\/ossf-criticality-score\/index.html\">generated lists of the 200 most critical projects<\/a> written in various 
languages.<\/p>\n\n\n\n<p>Checking out the <a href=\"https:\/\/www.googleapis.com\/download\/storage\/v1\/b\/ossf-criticality-score\/o\/c_top_200.csv?generation=1605823040838957&amp;alt=media\">top list for C based projects<\/a>, we can see the top 10 projects with the highest criticality scores being:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>git<\/li><li>Linux (Raspberry Pi)<\/li><li>Linux (Torvalds version)<\/li><li>PHP<\/li><li>OpenSSL<\/li><li>systemd<\/li><li><strong>curl<\/strong><\/li><li>u-boot<\/li><li>qemu<\/li><li>mbed-os<\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">What now then?<\/h2>\n\n\n\n<p>After having created the scoring system and generated lists, step 3 is said to be &#8220;<em>Use this data to proactively improve the security posture of these critical projects.<\/em>&#8221;.<\/p>\n\n\n\n<p>Now I think we have a pretty strong effort on security already in curl and <a href=\"https:\/\/daniel.haxx.se\/blog\/2020\/09\/23\/a-google-grant-for-libcurl-work\/\" data-type=\"post\" data-id=\"13896\">Google helped us strengthen<\/a> it even more recently, but I figure we can never have too much help or focus on improving our project.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Credits<\/h2>\n\n\n\n<p>Image by <a href=\"https:\/\/pixabay.com\/users\/thaliesin-2168464\/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=1563961\">Thaliesin<\/a> from <a href=\"https:\/\/pixabay.com\/?utm_source=link-attribution&amp;utm_medium=referral&amp;utm_campaign=image&amp;utm_content=1563961\">Pixabay<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google has, as part of their involvement in the Open Source Security Foundation (OpenSSF), come up with a &#8220;Criticality Score&#8221; for open source projects. 
It is a score between 0 (least critical) and 1 (most critical) The input variables are: time since project creation time since last update number of committers number of organizations among &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2020\/12\/13\/the-critical-curl\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">the critical curl<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":15389,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33],"class_list":["post-15359","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=15359"}],"version-history":[{"count":16,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15359\/revisions"}],"predecessor-version":[{"id":15393,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/15359\/revisions\/15393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/15389"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=15359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=15359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=15359"}],"curies":[{"name":"wp","
href":"https:\/\/api.w.org\/{rel}","templated":true}]}}