The “Sonatype Safety Rating” is generated by our experimental analysis tool and is an aggregate rating designed to estimate the likelihood of an open source project containing security vulnerabilities. You will see the rating of the project via Central and OSSIndex. See more information and FAQs, here.
This tool leverages a variety of metrics, including the project’s rate at which it updates vulnerable dependencies (also known as Mean Time to Update, or MTTU), as well as whether the project uses open source best practices, as measured by the OpenSSF’s Security Scorecard.
The Security Scorecard assesses projects’ practices like code review, signed releases, use of dependency update tools, and other similar measures, and produces a quantitative output. Further details about OpenSSF’s Security Scorecard and the checks it runs can be found on its Github repository.
Sonatype’s analysis tool combines these metrics and uses machine learning to output a scaled result that forms the basis for the Safety Rating of a project. Projects are rated on a 1-10 scale, with 1 being the least safe and 10 being the safest. The more confident the model is that a project will not contain vulnerabilities, the higher the rating. The more confident the model is that the project will contain vulnerabilities, the lower it will rate the project. The model is based on empirical research conducted by the Sonatype Research Team, where we analyzed thousands of projects and determined a high correlation between the Safety Rating and the presence of vulnerabilities, with 88% of projects scoring below 5 having existing known vulnerabilities.
Curious to know more about the technical breakdown of our new metric? Read the full 8th Annual State of Software Supply Chain Report.