Look more into literature for more metrics

[NightLore]

A master's thesis: https://www.researchgate.net/publication/279196437_In_Dependencies_We_Trust_How_vulnerable_are_dependencies_in_software_modules uses the following metrics:

• Popularity
  • number of downloads
  • number of dependents
  • number of stars
• Security
  • NSP advisory
  • CVE advisory
  • time took before vulnerability is patched

[bcdasilv]

Possible metrics:

Metric TF (Truck Factor): "Algorithms for estimating truck factors: a comparative study"

and "A Comparison of Three Algorithms for Computing Truck Factors"

Metric TFDD (Truck Factor developers detachment): "On the abandonment and survival of open sourceprojects: An empirical investigation"

Papers sent by email.

[NightLore]

----- "Algorithms for estimating truck factors: a comparative study" ----- Algorithms:

1. ZWK -- simulates developers at sees how many are needed to cover a percentage of the files.
2. AVL -- use Degree-of-Authorship: each file are measured by how much the creator of that file modifies it
3. RIG -- blame-based: based off the last developer to modify a line of code. That line of code is abandoned if the developer last associated with it is abandoned. Random groups are selected to leave until 90% is abandoned.
4. CST -- Primary and secondary developers are based off of amount of "knowledge" on a file. Knowledge is based on amount of changes with priority to last changer.
5. Commit-based heuristic -- core developers are the ones responsible for 80% of the project's commits
6. LOC-based -- core developers are the ones responsible for 80% of the "churn" of the project (amount of added and removed lines of code)

Results:

• AVL and CST are most accurate, RIG is least accurate at identifying truck factor
• AVL and RIG have best recall, CST has second highest recall (Recall is ability to identify the right core developers)
• Loc-based has best identification of truck factor developers
• Truck factor developers tend to be a subset of Core Developers

----- "A Comparison of Three Algorithms for Computing Truck Factors" -------- Algorithms:

1. AVL
2. RIG
3. CST

Results:

• AVL and CST are most accurate, RIG has least accuracy in Truck Factor
• AVL, then CST, then RIG has most accuracy in Truck Factor Developers
• When RIG and AVL are successful at Truck Factor, they are generally successful at TR Developer identification (This study appears the same as a portion of the paper above -- study 1 in that paper)

----- "On the abandonment and survival of open source projects: An empirical investigation" ------

• Not too clear how they created their dataset

Results:

• TFDDs occur a majority of the time when TF = 1
• Most TFDDs occur within 7 years of development
• 41% of projects survived their last TFDD, usually with a single new TF developer
• Newcomers are usually the ones to recover a project from TFDDs
• Revivers were motivated by their own usage of of projects and the want to contribute to open source communities
• Friendly and active maintainers helped the most in the attraction of new TF developers

[NightLore]

Github now explicitly mentions the vulnerabilities found in their security checking and security tab: The url: https://github.com/NightLore/DependencyVis/network/alerts

[NightLore]

• time it takes from open issues to closed (mean time between open and closed)
  • define a time frame (metric time window such as last month, last year, etc...)
  • only considers closed issues
  • need time it was opened and time it was closed

[NightLore]

Refer to #1 for all readings

[NightLore]

CVE: Automation Support for CVE Retrieval NVD

OSS Index API Rest API/Sonatype OSS Index