Frequently Asked Questions About the Sonatype Safety Rating⚓︎
How is the Sonatype Safety Rating determined?⚓︎
The “Sonatype Safety Rating” is generated by our experimental analysis tool and is an aggregate rating designed to estimate the likelihood of an open source project containing security vulnerabilities.
This tool leverages a variety of metrics, including the project’s rate at which it updates vulnerable dependencies (also known as Mean Time to Update, or MTTU), as well as whether the project uses open source best practices, as measured by the OpenSSF’s Security Scorecard. The Security Scorecard assesses projects’ practices like code review, signed releases, use of dependency update tools, and other similar measures, and produces a quantitative output. Further details about OpenSSF’s Security Scorecard and the checks it runs can be found on its Github repository.
Sonatype’s analysis tool combines these metrics and uses machine learning to output a scaled result that forms the basis for the Safety Rating of a project. Projects are rated on a 1-10 scale, with 1 being the least safe and 10 being the safest. The more confident the model is that a project will not contain vulnerabilities, the higher the rating. The more confident the model is that the project will contain vulnerabilities, the lower it will rate the project. The model is based on empirical research conducted by the Sonatype Research Team, where we analyzed thousands of projects and determined a high correlation between the Safety Rating and the presence of vulnerabilities, with 88% of projects scoring below 5 having existing known vulnerabilities.
Curious to know more about the technical breakdown of our new metric? Read the full article in our State of Software Supply Chain Report.
How do I increase the Sonatype Safety Rating of my project?⚓︎
The Safety Rating of a project is based on two things:
- The OpenSSF Security Scorecard data for that project
- The project’s Mean Time To Update (MTTU), a measure of how quickly the project updates its dependencies when new versions come out.
The fastest way to improve your Safety Rating is to implement more of the best practices measured by the Security Scorecard. The most important practices are to implement code review, enable branch protection, ensure binaries are not checked into the repository, and pin dependencies. These are the most heavily-weighted of the Scorecard practices, so start with those. If you have implemented these best practices, but are still receiving a low score, check that the Scorecard API returns accurate results for your project. To improve your MTTU, ensure that you are updating dependencies as soon as new versions are released.