Open Source Safety

Definition

Open Source Safety measures the extent to which an application's third-party components comply with security, license and age requirements. This index from 0 (low safety) to 100 (high safety) is an average of the three main scores for measuring Open Source/Third-Party component risk:

  • Security: This score from 0 (low security) to 100 (high security) is calculated based on the number of open source/third-party components in an application and the total number of Common Vulnerabilities and Exposures (CVEs) affecting them, weighted by CVE criticality (critical, high, medium and low).
  • License Compliance: This score from 0 (high risk) to 100 (low risk) is calculated based on the number of components having a low risk license, the number of components having a medium risk license, and the number of components having a high risk license.
  • Obsolescence: This score from 0 (high obsolescence) to 100 (low obsolescence) is calculated based on the gap between the current version of the components detected in applications and the latest known version of each corresponding component.

For further detail on this indicator, download our Indicators & Methodology deck.