scorecard icon indicating copy to clipboard operation
scorecard copied to clipboard
verified publisher icon ossf

Feature: New check for average time to update dependencies

Open olivekl opened this issue 3 years ago • 6 comments

Proposal for a new check: project’s mean time to update (MTTU) — what is the average number of days it takes a project to update to a new version of a dependency?

The recent Sonatype State of the Supply Chain report states that 6 out of 7 vulnerabilities are transitive. The report says that “Two critical factors for reducing the risk of transitive vulnerabilities are minimizing the total number of dependencies and maintaining low update times.”

The MTTU check would give consumers an easy way to judge the risk of transitive vulnerabilities in their dependencies.

Potentially it could be combined with a check that uses deps.dev data to also give the total number of dependencies a project uses.

olivekl avatar Nov 15 '22 17:11 olivekl

Great idea.

Something simpler (to start with) could be to look at how many versions / how old each dependency is at?

But if we have data available to calculate this average, that'd be really nice.

/cc @oliverchang @another-rex @distractible

laurentsimon avatar Nov 17 '22 16:11 laurentsimon

One limitation I see here is that most open source projects are "libraries" so they declare their dependencies using version ranges. That will make it harder to infer when they update dependencies, because most of the time there is not update required, ie a dependency's new release still be in the range specified by the project.

laurentsimon avatar Nov 28 '22 04:11 laurentsimon

Deps.dev folks have data to measure lib-staleness, focusing on a library's worst case of a dependency that is blocked from updating a path with a known vulnerability. This seems like a good additional metric, especially for project maintainers to be aware of. MTTU might give a better sense of a project's average state for consumers, though, rather than data based on outliers. Could we have both as complementary checks?

Down the line, integrating VEX could be useful. Checks could be scored differently based on whether the vulnerability in a package that is blocked from updating is in actively used code.

olivekl avatar Nov 30 '22 14:11 olivekl

Bumping this because it's getting a lot of mentions at the Open Source Summit Europe conference!

olivekl avatar Sep 19 '23 12:09 olivekl

This issue is stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Nov 19 '23 01:11 github-actions[bot]

This issue has been marked stale because it has been open for 60 days with no activity.

github-actions[bot] avatar Mar 11 '24 01:03 github-actions[bot]