Google Develops Scoring Tool to Identify Critical Open Source Projects

New ways are needed to connect critical open source projects with organizations that can support them, Google said in a recent blog post.

“Most organizations, large and small, make use of open source software every day to build modern products, but many OSS projects are struggling for the time, resources and attention they need. This is a resource allocation problem and Google, as part of Open Source Security Foundation (OpenSSF), can help solve it together,” Google said.

Evaluating criticality is hard to do consistently; Google's working definition is "the influence and importance of a project." To help identify such projects, Google has developed a "Criticality Score" tool under the OpenSSF.

“Criticality score indicates a project’s criticality (a number between 0 and 1) and is derived from various project usage metrics in a fully automated way. Our initial evaluation metrics include a project’s age, number of individual contributors and organizations involved, user involvement (in terms of new issue requests and updates), and a rough estimate of its dependencies using commit mentions,” Google said.
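
The quote above lists the ingredients of the score but not how they are combined into a number between 0 and 1. The Python below is an added example, not code from Google or the OpenSSF criticality_score project: it implements the log-scaled, threshold-capped weighted mean that the criticality_score project documents as its combination rule, and it includes a deliberately crude "commit mentions" dependency estimate. The metric names, weights, thresholds and sample commits are constructed assumptions for this example.

```python
import math
import re

# Added example, not code from Google or the OpenSSF criticality_score project.
# Metric name -> (weight alpha_i, saturation threshold T_i). All values assumed.
DEFAULT_METRICS = {
    "created_since_months": (1.0, 120),     # project age
    "contributor_count":    (2.0, 5000),    # individual contributors
    "org_count":            (1.0, 10),      # organizations involved
    "updated_issues_count": (0.5, 5000),    # user involvement via issues
    "dependents_count":     (2.0, 500000),  # rough dependency estimate
}


def metric_term(value, threshold):
    """Normalise one signal into [0, 1] as log(1+S) / log(1+max(S, T)).

    The log dampens very large counts; max() caps the term at exactly 1.0 once
    the signal reaches its threshold, so no single metric can dominate the sum.
    """
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if value < 0:
        raise ValueError("signal counts cannot be negative")
    return math.log1p(value) / math.log1p(max(value, threshold))


def criticality_score(signals, metrics=DEFAULT_METRICS):
    """Weighted mean of the per-metric terms; a missing signal counts as 0."""
    total_weight = sum(weight for weight, _ in metrics.values())
    weighted_sum = sum(
        weight * metric_term(signals.get(name, 0), threshold)
        for name, (weight, threshold) in metrics.items()
    )
    return weighted_sum / total_weight


def estimate_dependents(project, commits):
    """Crude 'commit mentions' estimate (assumed approximation): the number of
    distinct *other* repositories whose commit messages name the project as a
    whole word. Mentions by the project itself are ignored.
    """
    pattern = re.compile(r"\b" + re.escape(project) + r"\b", re.IGNORECASE)
    repos = set()
    for repo, message in commits:
        if repo == project:
            continue  # a project mentioning itself is not a dependent
        if pattern.search(message):
            repos.add(repo)
    return len(repos)


# Constructed sample data as (repository, commit message); not real commits.
SAMPLE_COMMITS = [
    ("acme/webapp", "Bump libfoo to 2.3.1 to pick up the TLS fix"),
    ("acme/webapp", "Pin libfoo again after regression"),   # same repo, counted once
    ("beta/cli",    "Replace hand-rolled parser with libfoo"),
    ("libfoo",      "libfoo: release 2.3.1"),               # self-mention, ignored
    ("gamma/tools", "Update libfoobar bindings"),           # different name, no match
]


def sample_score():
    """Score a constructed project using the sample signals above."""
    signals = {
        "created_since_months": 60,
        "contributor_count": 40,
        "org_count": 3,
        "updated_issues_count": 250,
        "dependents_count": estimate_dependents("libfoo", SAMPLE_COMMITS),
    }
    return criticality_score(signals)


if __name__ == "__main__":
    print(f"estimated dependents: {estimate_dependents('libfoo', SAMPLE_COMMITS)}")
    print(f"criticality score:    {sample_score():.3f}")
```

Two properties of this combination rule are worth noting when reading a score: a project whose every signal meets its threshold scores exactly 1.0, and a project with no signals scores 0.0, so the number is a relative position between those extremes rather than an absolute measure. The dependency estimate shows why the article calls it "rough": a word-boundary match on commit text counts repositories that merely mention a project and misses ones that depend on it silently, which is acceptable for ranking candidates but not for a security-critical decision on its own.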

The goals of the Criticality Score project are to:

  • Generate a criticality score for every open source project.
  • Create a list of critical projects that the open source community depends on.
  • Use this data to proactively improve the security posture of these critical projects.