Releasing RepoMetaScore (repository metadata scoring): a dependency checking tool that analyzes the metadata of an open-source project, including its commit history and contributors’ background. RepoMetaScore calculates a risk rating, makes supply chain risks visible, and helps keep weaponized OSS out of your product.
Addressing supply chain risks early #
The existence of supply chain risks is not new, and neither are the obvious mitigations: security-literate developers have been using vulnerability scanners to analyze the third-party components in their products for a while now. Typically, such scanners alert on new versions of, or known vulnerabilities in, the libraries used.
It is important to alert developers about known vulnerabilities in their dependencies, but these alerts only arrive once a vulnerability has been publicly disclosed. For a backdoor that a maintainer planted on purpose and that nobody has reported yet, that is too late.
An alternative approach is to identify and quantify the security risks associated with a chosen OSS dependency before adding it to your product. Rewriting your code around a dependency change is always harder than doing enough “supply chain due diligence” in the first place.
Weaponizing open-source software hurts community #
Lately, a novel risk has emerged: open-source maintainers intentionally weaponizing their own projects by introducing backdoors and vulnerabilities into the source code. Malicious code can be pushed to popular repositories, and because it arrives through a trusted, previously benign channel, it is hard to detect before it has already been pulled into downstream products.
At Cossack Labs, we believe that weaponizing open-source software is a wrong practice which hurts the open-source community, users, and the fundamentals of open source development in the long run.
But every project is different, and every open-source project maintainer is different.
Unfortunately, this destructive practice does happen. Beyond criminal or activist motivations, maintainers who live in regions with oppressive governments might be coerced into introducing backdoors against their will.
Introducing RepoMetaScore #
To help developers understand these risks and meet the demand for more detailed repository due diligence, we’ve built a simple tool: RepoMetaScore.
RepoMetaScore analyzes the given repository, collects information about its contributors, and outputs a risk level based on a configurable set of evaluation criteria. Metadata about contributors is collected through the official GitHub API and other public sources, and relies solely on the information users have chosen to publish in their own accounts.
Evaluate risks before adding a new dependency to your product
RepoMetaScore gives developers a risk rating as one more argument for deciding whether to trust a repository or not. Keep in mind that profile data is self-reported and can be faked or omitted, so treat the rating as a signal that warrants a closer look rather than as proof of malicious intent.
Currently, RepoMetaScore uses a growing list of criteria to flag potentially problematic repositories: maintainers’ GitHub and Twitter profiles, location, commit history, email domain, and so on.
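To make the idea of a configurable, metadata-driven risk rating concrete, here is an added example written for this post; it is not RepoMetaScore’s own code, and the rule names, weights, thresholds and contributor records in it are all hypothetical (the actual criteria and weights the tool ships with are not listed here). It scores a repository from the kind of fields the public GitHub API exposes (account age, profile completeness, email domain) plus the commit history, and weights each contributor-level finding by that contributor’s share of commits, so a signal on the main maintainer counts for more than the same signal on a one-commit drive-by contributor. A final `passes_policy` helper turns the rating into a pass/fail answer of the sort a CI job would need.

```python
"""Added, illustrative rule-based risk scorer for repository metadata.
Not RepoMetaScore's code; rules, weights and sample data are hypothetical."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Contributor:
    """Fields a tool could obtain from the public GitHub API and the user's
    self-reported profile. Constructed values only; nothing here is real."""
    login: str
    email_domain: str
    account_age_days: int
    profile_complete: bool   # name, bio and location filled in
    commits: int             # commits by this account to the repository


@dataclass(frozen=True)
class Repository:
    name: str
    contributors: tuple[Contributor, ...]

    @property
    def total_commits(self) -> int:
        return sum(c.commits for c in self.contributors)


# Hypothetical rule tables: (rule name, weight in points, predicate).
DISPOSABLE_MAIL = {"mailinator.com", "guerrillamail.com"}  # constructed list

CONTRIBUTOR_RULES: list[tuple[str, float, Callable[[Contributor], bool]]] = [
    ("new_account",      30.0, lambda c: c.account_age_days < 90),
    ("empty_profile",    10.0, lambda c: not c.profile_complete),
    ("disposable_email", 40.0, lambda c: c.email_domain in DISPOSABLE_MAIL),
]

REPO_RULES: list[tuple[str, float, Callable[[Repository], bool]]] = [
    # One account authoring more than 80% of commits: a single coerced or
    # compromised maintainer can change anything unreviewed.
    ("single_maintainer", 20.0,
     lambda r: max(c.commits for c in r.contributors) > 0.8 * r.total_commits),
]

LEVELS = ("low", "medium", "high")


def score_repository(repo: Repository,
                     contributor_rules=CONTRIBUTOR_RULES,
                     repo_rules=REPO_RULES) -> tuple[float, list[tuple[str, str, float]]]:
    """Return (score, findings); each finding is (rule, subject, points).
    Contributor findings are scaled by the contributor's share of commits."""
    findings: list[tuple[str, str, float]] = []
    total = repo.total_commits or 1  # avoid division by zero on empty repos
    for c in repo.contributors:
        share = c.commits / total
        for name, weight, predicate in contributor_rules:
            if predicate(c):
                findings.append((name, c.login, round(weight * share, 2)))
    for name, weight, predicate in repo_rules:
        if predicate(repo):
            findings.append((name, repo.name, weight))
    return round(sum(points for _, _, points in findings), 2), findings


def risk_level(score: float, thresholds: tuple[float, float] = (20.0, 50.0)) -> str:
    """Map a numeric score onto low / medium / high using two cut-offs."""
    low, high = thresholds
    if score < low:
        return "low"
    if score < high:
        return "medium"
    return "high"


def passes_policy(repo: Repository, max_level: str = "medium") -> bool:
    """CI-style gate: True if the repository's level is at or below max_level."""
    score, _ = score_repository(repo)
    return LEVELS.index(risk_level(score)) <= LEVELS.index(max_level)


# Constructed sample: a long-lived maintainer, one regular contributor and a
# brand-new account with a disposable address that landed a few commits.
SAMPLE_REPO = Repository("example/libfoo", (
    Contributor("alice",   "example.org",    2000, True,  180),
    Contributor("bob",     "example.com",     900, True,   15),
    Contributor("mallory", "mailinator.com",   20, False,   5),
))


if __name__ == "__main__":
    score, findings = score_repository(SAMPLE_REPO)
    for rule, subject, points in findings:
        print(f"{rule:<18} {subject:<20} +{points}")
    print(f"score={score} level={risk_level(score)} "
          f"passes(max=medium)={passes_policy(SAMPLE_REPO)}")
```

On the sample data the drive-by account contributes only a couple of points because it holds 2.5% of the commits, while the concentration rule fires on its own; the repository lands at “medium”. The same new, profile-less, disposable-mail account holding 90% of the commits would push the score into “high”. The point of the share weighting is exactly that difference: who controls the code matters more than who once touched it.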
Contributing and next steps #
Use RepoMetaScore as a manual tool for a one-time check, or wire it into your CI/CD pipeline. Feel free to extend the configuration, rules, and scoring, and come back with PRs. Contributions aimed at automation are welcome too: CI/CD integration, GitHub plugins, and the like.
Let your open source be safe!