Open-source software saves development time, but it should be adopted with care: the code is in the hands of maintainers and contributors you know nothing about.
🚩 The threat of criminals deliberately weaponizing open-source tools grows every year. Recently a novel risk has emerged as well: developers living under oppressive regimes are being pressured into introducing backdoors against their will.
⚠️ Backdoors and vulnerabilities introduced into OSS can have ruinous consequences.
One way to prevent them is to run vulnerability scanners against the third-party libraries your project uses, but scanners only flag known, already-disclosed issues, so their alerts sometimes come too late.
Another option is to identify and quantify the security risks linked to a third-party library before adding it to your product.
🔎 RepoMetaScore
To help developers avoid the risks of weaponized OSS, our security engineers have built RepoMetaScore. It is a tool that collects information about a project and its contributors, analyzes it, and calculates risk ratings by several criteria: GitHub and Twitter profiles, location, commit history, email domain, and so on.
💡 Note that RepoMetaScore (📥 GitHub) should not be the only tool you use to assess an open-source repository's credibility. Use it wisely, as one additional tool for mitigating current threats in open source.
🔨 How RepoMetaScore works
RepoMetaScore uses public information disclosed by the contributors themselves. It collects that information through the platforms' public APIs and reports the result as a risk rating. It can be the first step in the series of security checks developers go through when deciding whether to add a project as a dependency.
💡 To use RepoMetaScore, follow its README. It is a simple Python package that should work on any Unix-like system, including macOS.
Give RepoMetaScore a link to the repository in question and you get back the risk rating and general information about the repository's contributors.
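To make the idea of a metadata-based risk rating concrete, here is an added illustrative scorer. It is not RepoMetaScore's own code and its thresholds and weights are assumptions made for this example; the field names (`created_at`, `email`, `twitter_username`, ...) mirror what the GitHub REST API returns for a user, but the two contributor records and their commit dates are constructed by hand so the script runs offline. It scores each contributor on the criteria the post lists (account age, email domain, profile completeness, commit history) and rolls the results up into a repository-level label.

```python
"""Illustrative contributor-risk scoring (added example, not RepoMetaScore's code).

All weights, thresholds and domain lists are assumptions for this example.
Input records are shaped like GitHub's /users/{login} responses, but the
samples below are constructed, not fetched, so everything runs offline.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible results

FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # no organisational affiliation
DISPOSABLE_DOMAINS = {"yopmail.com", "mailinator.com"}          # throwaway addresses


def parse_repo_url(url):
    """Return (owner, repo) for a github.com repository URL; raise ValueError otherwise."""
    parts = urlparse(url)
    if parts.netloc.lower() not in ("github.com", "www.github.com"):
        raise ValueError("not a github.com URL: %r" % url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2:
        raise ValueError("URL does not name owner/repo: %r" % url)
    owner, repo = segments[0], segments[1]
    if repo.endswith(".git"):
        repo = repo[:-4]
    return owner, repo


def _iso(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps the GitHub API uses."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_contributor(user, commit_dates, now=NOW):
    """Score one contributor; a higher score means more reasons for a manual look."""
    score, reasons = 0, []
    created = _iso(user["created_at"])
    age_days = (now - created).days
    if age_days < 90:                      # very young account
        score += 3
        reasons.append("account is %d days old" % age_days)
    email = user.get("email")
    if not email:                          # nothing to tie the identity to
        score += 1
        reasons.append("no public email")
    else:
        domain = email.rsplit("@", 1)[-1].lower()
        if domain in DISPOSABLE_DOMAINS:
            score += 2
            reasons.append("disposable email domain %s" % domain)
        elif domain in FREE_MAIL_DOMAINS:
            score += 1
            reasons.append("free-mail domain %s" % domain)
    missing = [f for f in ("name", "bio", "location", "twitter_username") if not user.get(f)]
    if len(missing) >= 3:                  # profile gives reviewers nothing to check
        score += 1
        reasons.append("sparse profile (missing %s)" % ", ".join(missing))
    if commit_dates:                       # burst of commits right after sign-up
        gap = (min(_iso(d) for d in commit_dates) - created).days
        if gap < 30 and len(commit_dates) >= 10:
            score += 2
            reasons.append("%d commits starting %d days after account creation" % (len(commit_dates), gap))
    return {"login": user["login"], "score": score, "reasons": reasons}


def risk_label(score):
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def score_repository(contributors, now=NOW):
    """contributors: list of (user_record, commit_dates). Returns the rolled-up report."""
    results = sorted((score_contributor(u, c, now) for u, c in contributors), key=lambda r: -r["score"])
    for r in results:
        r["risk"] = risk_label(r["score"])
    overall = risk_label(max(r["score"] for r in results)) if results else "low"
    return {"overall": overall, "contributors": results}


# Constructed sample data: one long-standing maintainer, one suspicious newcomer.
SAMPLE_CONTRIBUTORS = [
    ({"login": "alice", "created_at": "2015-03-10T12:00:00Z", "email": "alice@example.org",
      "name": "Alice Example", "bio": "maintainer", "location": "Berlin", "twitter_username": "alice"},
     ["2024-05-20T10:00:00Z", "2024-05-25T10:00:00Z"]),
    ({"login": "qwe-patch-bot", "created_at": "2024-05-10T00:00:00Z", "email": "qwe@yopmail.com",
      "name": None, "bio": None, "location": None, "twitter_username": None},
     ["2024-05-%02dT09:00:00Z" % d for d in range(12, 24)]),  # 12 commits in 12 days
]


def sample_report():
    return score_repository(SAMPLE_CONTRIBUTORS)


if __name__ == "__main__":
    import json
    print(parse_repo_url("https://github.com/octocat/Hello-World.git"))
    print(json.dumps(sample_report(), indent=2))
```

The output for the constructed data labels the repository "high" solely because of the second contributor: a 22-day-old account with a disposable email, an empty profile and a dozen commits landing within days of sign-up. None of those signals proves malice, which is exactly why such a rating belongs at the start of a review rather than in place of one.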