Advise about the quality / health of an Open Source project / dependency package

[sschuberth]

In addition to security vulnerabilities the advisor could also advise about the general quality of an Open Source project, e.g. using

• CHAOSS Software (GrimoireLab, Cauldron)
• Ecosyste.ms
• End-of-life (EOL)
• Google's scorecard project (also see the criticality score of Open Source projects: https://github.com/ossf/criticality_score)
  • Related: https://github.com/ossf/malicious-packages
• Hipcheck
• Pub Points
• Trusty
• JSR scoring
• CrOSSD

by extending

ort/model/src/main/kotlin/AdvisorCapability.kt

Lines 31 to 37 in 19c89ff

	enum class AdvisorCapability {
	/** Indicates that an advisor can retrieve information about defects. */
	DEFECTS,
	/** Indicates that an advisor can retrieve information about security vulnerabilities. */
	VULNERABILITIES
	}

with HEALTH or so.

[sschuberth]

Somewhat related is the criticality score of Open Source projects: https://github.com/ossf/criticality_score

[dgutson]

I this should be splitted in the different tools. We are interested in Google Scorecard.

[sschuberth]

I this should be splitted in the different tools. We are interested in Google Scorecard.

@dgutson, please indicate your interest by adding 👍🏻 to the top post, as that way we can rank the issues.

[MacOS]

I would also suggest the OpenSSF Scorecard, see https://github.com/ossf/scorecard.

[sschuberth]

I would also suggest the OpenSSF Scorecard, see https://github.com/ossf/scorecard.

It's mentioned above as "Google's scorecard project".

[sschuberth]

We might be able to collaborate with what @janniclas's team did at https://github.com/fraunhofer-iem/spha. Also see this whitepaper. I've already reached out to Fraunhofer IEM for this.