OpenSSL Criticality Score

Matt Caswell matt at openssl.org
Fri Dec 11 09:23:44 UTC 2020



On 11/12/2020 07:39, Nicola Tuveri wrote:
> Hi all,
> 
> just sharing an interesting factoid I came across today about the project. 
> 
> Google, as part of the Open Source Security Foundation, yesterday
> released a new project dubbed "Criticality Score", attempting (I am
> simplifying here for brevity) to create a metric of "how critical" a
> software is in the software ecosystem. 
> You can read more accurate info about it here:
> https://opensource.googleblog.com/2020/12/finding-critical-open-source-projects.html
> 
> They publish the collected metadata and the resulting score (based on
> the formula described at <https://github.com/ossf/criticality_score>)
> online as a CSV file.
> 
> Sidenote: Notice the data seems to refer only to whatever the github API
> for a repo says, so for example OpenSSL is only 95 months old because
> that's when the github mirror was created (I opened an issue about this).
> 
> Anyway, they split the data by language, and, among the analyzed C
> projects, OpenSSL expectedly scores quite high, being 6th in the top 200
> measured C projects.

This is really interesting! We've always known that OpenSSL is widely
used but never had any data to back it up.

Actually according to the spreadsheet we are 5th (not 6th) - line 1 in
the sheet is the title row. Linux takes 2 of the top spots, with git and
php taking the other spots ahead of OpenSSL.

Not sure I understand the "Releases (last yr)" column which says we did
41 releases - that's a number I can't reconcile with the actual number
of releases we did.

Matt


> 
> Here is a link directly to the data:
> https://commondatastorage.googleapis.com/ossf-criticality-score/index.html
> 
> 
> Cheers, 
> 
> Nicola
