OpenSSF Scorecard: On the Path Toward Ecosystem-wide Automated Security Metrics
Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, Laurie Williams

TL;DR
The paper evaluates the OpenSSF Scorecard tool's effectiveness in monitoring open-source security health and compares security practices across npm and PyPI ecosystems.
Contribution
It provides an assessment of the Scorecard tool's applicability and highlights security gaps and practices in two major open-source package ecosystems.
Findings
Scorecard effectively identifies security issues in open-source projects.
Security practices vary significantly between npm and PyPI.
The study reveals specific security gaps in both ecosystems.
Abstract
The OpenSSF Scorecard project is an automated tool to monitor the security health of open-source software. This study evaluates the applicability of the Scorecard tool and compares the security practices and gaps in the npm and PyPI ecosystems.
Taxonomy
Topics: Scientific Computing and Data Management · Information and Cyber Security · Big Data and Business Intelligence
