
Cossack Labs


RepoMetaScore: evaluate supply chain risks of open-source projects

Open-source software saves development time, but it should be adopted carefully: the code is in the hands of maintainers and contributors you may know nothing about.

🚩 The threat of criminals intentionally weaponizing open-source tools grows every year. New risks have also emerged: developers living in oppressed countries can be pressured into introducing backdoors against their will.

⚠️ Backdoors and vulnerabilities introduced into OSS can have ruinous consequences.

One way to catch them is to run vulnerability scanners over the third-party libraries your project uses, but scanners only know about issues that have already been reported, so sometimes they alert too late.

Another option is to identify and quantify the security risks of a third-party library before adding it to your product.

🔎 RepoMetaScore

To help developers avoid the risks of weaponized OSS, our security engineers built RepoMetaScore. It collects information about a project and its contributors, analyzes it, and calculates risk ratings against several criteria: GitHub and Twitter profiles, location, commit history, email domain, and more.

💡 Note that RepoMetaScore (📥 GitHub) should not be the only tool you use to assess the credibility of an open-source repository. Use it as one additional signal when mitigating current threats in open source.

🔨 How RepoMetaScore works

RepoMetaScore uses only public information that contributors have disclosed themselves. It collects that information through public APIs and summarizes the results as a risk rating. It can be the first step in a series of security checks developers go through when deciding whether to adopt a given project.

💡 To use RepoMetaScore, follow its README. It is a simple Python package that should work on any Unix-like system, including macOS.

Give RepoMetaScore the link to the repository in question, and it returns the risk rating along with general information about the repository's contributors.
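The approach described above, turned into a small worked example. This is added illustration code, not RepoMetaScore's own implementation or scoring rules: it scores constructed contributor records shaped like the GitHub REST API responses for `/users/{login}` and `/repos/{owner}/{repo}/contributors` (plus the author emails seen on a contributor's commits), using weights, thresholds and a throwaway-domain list that are assumptions chosen for the illustration. Nothing here touches the network.

```python
"""Contributor metadata risk scoring in the spirit of RepoMetaScore.

Added example; not the project's own code or rules. Inputs are constructed
records shaped like GitHub's /users/{login} and /repos/{o}/{r}/contributors
responses. No network access.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical weights and domain list, chosen for this illustration only. A
# real deployment tunes them to its own threat model and keeps them private,
# since anyone who knows the list can groom a profile to pass it.
WEIGHTS = {
    "young_account": 2.0,          # profile created less than YOUNG_ACCOUNT_DAYS ago
    "no_location": 1.0,            # no location on the profile
    "no_twitter": 0.5,             # no linked Twitter handle
    "anonymous_email": 1.0,        # no public email, or a throwaway/noreply one
    "commit_email_mismatch": 1.5,  # commits signed with a domain other than the profile's
    "empty_history": 1.0,          # no public repos and no followers
}
MAX_SCORE = sum(WEIGHTS.values())
ANONYMOUS_DOMAINS = {"users.noreply.github.com", "gmail.com", "protonmail.com"}  # assumed
YOUNG_ACCOUNT_DAYS = 90


@dataclass
class Contributor:
    login: str
    contributions: int   # commit count from /repos/{o}/{r}/contributors
    profile: dict        # subset of a /users/{login} response
    commit_emails: list[str] = field(default_factory=list)  # author emails on their commits


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _created_at(profile: dict) -> datetime:
    # GitHub returns ISO 8601 with a trailing "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(profile["created_at"].replace("Z", "+00:00"))


def score_contributor(c: Contributor, now: datetime) -> tuple[float, list[str]]:
    """Return (normalised score in [0, 1], list of triggered flag names)."""
    flags: list[str] = []
    if (now - _created_at(c.profile)).days < YOUNG_ACCOUNT_DAYS:
        flags.append("young_account")
    if not c.profile.get("location"):
        flags.append("no_location")
    if not c.profile.get("twitter_username"):
        flags.append("no_twitter")
    email = c.profile.get("email")
    if not email or _domain(email) in ANONYMOUS_DOMAINS:
        flags.append("anonymous_email")
    # Only comparable when the profile actually publishes an address.
    if email and any(_domain(e) != _domain(email) for e in c.commit_emails):
        flags.append("commit_email_mismatch")
    if not c.profile.get("public_repos") and not c.profile.get("followers"):
        flags.append("empty_history")
    return sum(WEIGHTS[f] for f in flags) / MAX_SCORE, flags


def assess_repo(contributors: list[Contributor], now: datetime) -> dict:
    """Aggregate per-contributor scores into one repository rating.

    The rating is a commit-weighted mean, so a risky account with three
    commits moves it less than one that owns half the history. The maximum
    is reported separately: a single suspicious maintainer is exactly the
    case an adopter wants to notice, and averaging can hide it.
    """
    per = {}
    for c in contributors:
        score, flags = score_contributor(c, now)
        per[c.login] = {"score": score, "flags": flags, "contributions": c.contributions}
    total = sum(c.contributions for c in contributors) or 1
    weighted = sum(v["score"] * v["contributions"] for v in per.values()) / total
    return {
        "rating": weighted,
        "max_contributor_score": max((v["score"] for v in per.values()), default=0.0),
        "contributors": per,
    }


# Constructed sample data: one long-standing maintainer and one fresh account.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_CONTRIBUTORS = [
    Contributor(
        login="maintainer-a", contributions=412,
        profile={"created_at": "2015-03-10T08:00:00Z", "location": "Berlin, Germany",
                 "twitter_username": "maint_a", "email": "a@example.org",
                 "public_repos": 40, "followers": 120},
        commit_emails=["a@example.org"],
    ),
    Contributor(
        login="new-helper", contributions=38,
        profile={"created_at": "2023-11-01T12:00:00Z", "location": None,
                 "twitter_username": None, "email": None,
                 "public_repos": 0, "followers": 0},
        commit_emails=["helper@gmail.com"],
    ),
]

if __name__ == "__main__":
    report = assess_repo(SAMPLE_CONTRIBUTORS, SAMPLE_NOW)
    print(f"rating {report['rating']:.2f}, max contributor {report['max_contributor_score']:.2f}")
    for login, v in report["contributors"].items():
        print(f"  {login:<14} {v['score']:.2f}  {', '.join(v['flags']) or '-'}")
```

On the sample data the fresh account trips five of the six flags and scores about 0.79, while the commit-weighted repository rating stays near 0.07 because that account owns under a tenth of the history; reporting both numbers is what keeps a low average from masking a risky newcomer. As with the real tool, the output is a prompt for a closer look, not a verdict.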

Discussion (1)

Phil Ashby

An interesting idea, although it may be unwise to publish the very opinionated trigger word list (github.com/cossacklabs/repometasco...)!

Having worked in the identity intelligence space creating services that provide background checks and risk scoring, I can attest to the value of other open source intelligence beyond github (a nice list: github.com/jivoi/awesome-osint), that consumers of this tool may wish to include (and you may wish to use in making your checks). I would also suggest using publicly available watchlists (e.g. home.treasury.gov/policy-issues/fi..., data.europa.eu/data/datasets/conso...) to generate search patterns that are appropriate for the risks you are intending to mitigate (everyone will have different risks!).