fosstars-rating-core
A framework for defining ratings for open source projects. In particular, the framework offers a security rating for open source projects that may be used to assess the security risk that comes with o...
Currently, the `SignsJarArtifacts` data provider checks whether or not a project uses a plugin that signs artifacts. However, some projects don't use such plugins, for example https://github.com/spring-projects/spring-security. However, there are PGP...
Fixes #743 (duplicate) Fixes #553
Check if this can be a data provider for the SAST tool Checkmarx https://github.com/marketplace/actions/checkmarx-cxflow-action DoD: - Check if this GitHub action is something which can be made into a data...
Register in https://bestpractices.coreinfrastructure.org/en DoD: - The above things are done.
Check if a project has CII-Best-Practices badge associated with the GitHub project. Ref: https://bestpractices.coreinfrastructure.org/en DoD: - Check if a feature can be generated. - Check if a score can be...
Determine if the project cryptographically signs release artifacts. It is currently limited to repositories hosted on GitHub, and does not support other source hosting repositories (i.e., Forges). Signed releases attest...
We can enforce certain workflows or requirements before a collaborator can push changes to a branch in our repository, including merging a pull request into the branch, by creating a...
Revisit and check if any information can be extracted from Python and JS Projects - IsEclipse or IsApache applicable to the Python and JS Projects - If the executables available...
- PMD is a static code analyzer, which finds bugs in code. - Check if this is something we can use as part of the rating-core Ref: https://pmd.github.io/pmd-6.40.0/
Check if the OWASP Dependency check tool is being used in python and NPM projects with the implementation of analyzers DoD: - If a project uses OWASP Dependency check tool...