{"id":13484353,"url":"https://github.com/ossf/criticality_score","last_synced_at":"2025-05-14T14:09:11.383Z","repository":{"id":37103629,"uuid":"313674213","full_name":"ossf/criticality_score","owner":"ossf","description":"Gives criticality score for an open source project","archived":false,"fork":false,"pushed_at":"2025-04-08T01:10:12.000Z","size":1432,"stargazers_count":1366,"open_issues_count":80,"forks_count":121,"subscribers_count":32,"default_branch":"main","last_synced_at":"2025-04-12T14:15:39.466Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ossf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-11-17T16:14:23.000Z","updated_at":"2025-04-07T14:31:52.000Z","dependencies_parsed_at":"2024-01-17T01:43:33.591Z","dependency_job_id":"fb35e6b5-3582-4b8e-8e88-21defa5e12b7","html_url":"https://github.com/ossf/criticality_score","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcriticality_score","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcriticality_score/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcriticality_score/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ossf%2Fcriticality_score/manifests","owner_url":"https://repos.ecosyste.
ms/api/v1/hosts/GitHub/owners/ossf","download_url":"https://codeload.github.com/ossf/criticality_score/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254160226,"owners_count":22024567,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T17:01:22.945Z","updated_at":"2025-05-14T14:09:06.374Z","avatar_url":"https://github.com/ossf.png","language":"Go","funding_links":[],"categories":["Metrics","Risk Management","Using","Go"],"sub_categories":["Community Health","Project quality"],"readme":"# Open Source Project Criticality Score (Beta)\n\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/criticality_score/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/criticality_score)\n\nThis project is maintained by members of the\n[Securing Critical Projects WG](https://github.com/ossf/wg-securing-critical-projects).\n\n## Goals\n\n1. Generate a **criticality score** for every open source project.\n\n1. Create a list of critical projects that the open source community depends on.\n\n1. Use this data to proactively improve the security posture of these critical projects.\n\n## Criticality Score\n\nA project's criticality score defines the influence and importance of a project.\nIt is a number between\n**0 (least-critical)** and **1 (most-critical)**. 
It is based on the following\n[algorithm](https://github.com/ossf/criticality_score/blob/main/Quantifying_criticality_algorithm.pdf)\nby [Rob Pike](https://github.com/robpike):\n\n\u003cimg src=\"https://raw.githubusercontent.com/ossf/criticality_score/main/images/formula.png\" width=\"359\" height=\"96\"\u003e\n\nWe use the following default parameters to derive the criticality score for an\nopen source project:\n\n| Parameter (S\u003csub\u003ei\u003c/sub\u003e)  | Weight (\u0026alpha;\u003csub\u003ei\u003c/sub\u003e) | Max threshold (T\u003csub\u003ei\u003c/sub\u003e) | Description | Reasoning |\n|---|---:|---:|---|---|\n| created_since | 1 | 120 | Time since the project was created (in months) | Older projects have a higher chance of being widely used or depended upon. |\n| updated_since  | -1 | 120 | Time since the project was last updated (in months) | Unmaintained projects with no recent commits have a higher chance of being less relied upon. |\n| **contributor_count** | **2** | 5000 | Count of project contributors (with commits) | Involvement of many different contributors indicates a project's importance. |\n| org_count | 1 | 10 | Count of distinct organizations that contributors belong to | Indicates cross-organization dependency. |\n| commit_frequency | 1 | 1000 | Average number of commits per week in the last year | Higher code churn is a slight indicator of a project's importance, but also of higher susceptibility to vulnerabilities. |\n| recent_releases_count | 0.5 | 26 | Number of releases in the last year | Frequent releases indicate user dependency. Lower weight since this is not always used. |\n| closed_issues_count | 0.5 | 5000 | Number of issues closed in the last 90 days | Indicates high contributor involvement and focus on closing user issues. Lower weight since it is dependent on project contributors. |\n| updated_issues_count | 0.5 | 5000 | Number of issues updated in the last 90 days | Indicates high contributor involvement. 
Lower weight since it is dependent on project contributors. |\n| comment_frequency | 1 | 15 | Average number of comments per issue in the last 90 days | Indicates high user activity and dependence. |\n| **dependents_count** | **2** | 500000 | Number of project mentions in the commit messages | Indicates repository use, usually in version rolls. This parameter works across all languages, including C/C++ that don't have package dependency graphs (though hack-ish). Plan to add package dependency trees in the near future. |\n\n**NOTE**:\n\n- You can override those default values at runtime as described below.\n- We are looking for community ideas to improve upon these parameters.\n- There will always be exceptions to the individual reasoning rules.\n\n## Usage\n\n```shell\n$ go install github.com/ossf/criticality_score/v2/cmd/criticality_score@latest\n\n$ export GITHUB_TOKEN=...         # requires a GitHub token to work\n$ gcloud auth login --update-adc  # optional, add -depsdev-disable to skip\n\n$ criticality_score -gcp-project-id=[your projectID] https://github.com/kubernetes/kubernetes\nrepo.name: kubernetes\nrepo.url: https://github.com/kubernetes/kubernetes\nrepo.language: Go\nrepo.license: Apache License 2.0\nlegacy.created_since: 87\nlegacy.updated_since: 0\nlegacy.contributor_count: 3999\nlegacy.watchers_count: 79583\nlegacy.org_count: 5\nlegacy.commit_frequency: 97.2\nlegacy.recent_releases_count: 70\nlegacy.updated_issues_count: 5395\nlegacy.closed_issues_count: 3062\nlegacy.comment_frequency: 5.5\nlegacy.dependents_count: 454393\ndefault_score: 0.99107\n```\n\nThe score can be changed by using the `-scoring-config` parameter and supplying\na different configuration file to specify how the score is calculated.\n\nBy default the `original_pike.yml` configuration is used to calculate the score.\nHowever, other config files can be supplied to produce different scores. 
See\n[config/scorer](https://github.com/ossf/criticality_score/blob/main/config/scorer) for more.\n\nFeel free to copy one of the configurations and adjust the weights and\nthresholds to suit your needs.\n\n### Authentication\n\nBefore running criticality score, you need to:\n\n- For GitHub repos,\n[create a GitHub access token](https://docs.github.com/en/free-pro-team@latest/developers/apps/about-apps#personal-access-tokens)\nand set it in the environment variable `GITHUB_AUTH_TOKEN`.\nThis helps avoid GitHub's\n[API rate limits](https://developer.github.com/v3/#rate-limiting)\nfor unauthenticated requests.\n\n```shell\n# For posix platforms, e.g. linux, mac:\nexport GITHUB_AUTH_TOKEN=\u003cyour access token\u003e\n\n# For windows:\nset GITHUB_AUTH_TOKEN=\u003cyour access token\u003e\n```\n\n\u003c!-- Hide GitLab documentation until support is added back. --\u003e\n\u003c!--\n- For GitLab repos,\n[create a GitLab access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html)\nand set it in the environment variable `GITLAB_AUTH_TOKEN`.\nThis helps avoid GitLab's API limitations for unauthenticated users.\n\n```shell\n# For posix platforms, e.g. linux, mac:\nexport GITLAB_AUTH_TOKEN=\u003cyour access token\u003e\n\n# For windows:\nset GITLAB_AUTH_TOKEN=\u003cyour access token\u003e\n```\n--\u003e\n\n### Formatting Results\n\nThere are three formats currently: `text`, `json`, and `csv`. 
Others may be added in the future.\n\nThese may be specified with the `-format` flag.\n\n## Other Commands\n\nThe criticality score project also has other commands for generating and\nworking with criticality score data.\n\n- [`enumerate_github`](https://github.com/ossf/criticality_score/blob/main/cmd/enumerate_github):\n  a tool for accurately collecting a set of GitHub repos with a minimum number of stars\n- [`collect_signals`](https://github.com/ossf/criticality_score/blob/main/cmd/collect_signals):\n  a worker for collecting raw signals at scale by leveraging the\n  [Scorecard project's](https://github.com/ossf/scorecard) infrastructure.\n- [`scorer`](https://github.com/ossf/criticality_score/blob/main/cmd/scorer):\n  a tool for recalculating criticality scores based on an input CSV file.\n\n## Public Data\n\nIf you're interested in seeing a list of critical projects with their criticality\nscore, we publish them in `csv` format and a BigQuery dataset.\n\nThis data is generated using a production instance of the criticality score\nproject running in GCP. 
Details of how this is deployed can be found in the\n[infra](https://github.com/ossf/criticality_score/blob/main/infra) directory.\n\n**NOTE**: Currently, these lists are derived from **projects hosted on GitHub ONLY**.\nWe plan to expand them in the near future to account for projects hosted on other\nsource control systems.\n\n### CSV data\n\nThe data is available on Google Cloud Storage and can be downloaded via:\n\n- web browser: [commondatastorage.googleapis.com/ossf-criticality-score/index.html](https://commondatastorage.googleapis.com/ossf-criticality-score/index.html)\n- [`gsutil`](https://cloud.google.com/storage/docs/gsutil_install)\ncommand-line tool: `gsutil ls gs://ossf-criticality-score/`\n\n### BigQuery Dataset\n\nThis data is available in the public [BigQuery dataset](https://console.cloud.google.com/bigquery?d=criticality_score_cron\u0026p=openssf\u0026t=criticality-score-v0-latest\u0026page=table).\n\nWith a GCP account you can run queries across the data. For example, here is a query returning the top 100 repos by score:\n\n```sql\n  SELECT repo.url, default_score\n    FROM `openssf.criticality_score_cron.criticality-score-v0-latest`\nORDER BY default_score DESC\n   LIMIT 100;\n```\n\n## Contributing\n\nIf you want to get involved or have ideas you'd like to chat about, we discuss this project in the [Securing Critical Projects WG](https://github.com/ossf/wg-securing-critical-projects) meetings.\n\nSee the [Community Calendar](https://calendar.google.com/calendar?cid=czYzdm9lZmhwNWk5cGZsdGI1cTY3bmdwZXNAZ3JvdXAuY2FsZW5kYXIuZ29vZ2xlLmNvbQ) for the schedule and meeting invitations.\n\nSee the [Contributing](CONTRIBUTING.md) documentation for guidance on how to 
contribute.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fcriticality_score","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fossf%2Fcriticality_score","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fossf%2Fcriticality_score/lists"}