ossillate-inc / packj

Packj stops :zap: Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
https://packj.dev
GNU Affero General Public License v3.0
650 stars 36 forks

[Feature]: Scoring package while auditing the package. #68

Closed shivaabhishek07 closed 1 year ago

shivaabhishek07 commented 1 year ago

Recently, OpenSSF introduced a scorecard, which gives a score to each package.

How about we give the score to each package that we analyze and include that score in the final report?

ashishbijlani commented 1 year ago

The reason Packj doesn't assign generic scores is because such numbers would have different meanings to different users. For example, the absence of a source repo may be assigned different scores based on the perceived threat.