This document outlines a process for objectively assessing the security risk of third-party open source components or dependencies. It describes the legacy way of performing the assessment as well as the new process discussed within the project during the Hanoi development time frame.
Current Process
Someone researches the desired open source component, sometimes only after the code has already been integrated into the EdgeX project, and no formal review is completed.
The
...
Age: Age of the Open Source Project
Commits: Count - Total Commits
Issues: Count - Open Issues / Closed Issues
Releases: Count - Releases
Stars: Count - Stars
Forks: Count - Forks
Watchers: Count - Watchers
CVEs: Count - CVEs (query NVD database)
Other Criteria: Subjective Assessment of Reviewer
...
Process
The ideal process should take into consideration relevant data such as the project's age, popularity / maturity, evidence of security practices, recent commit history, diversity of committers, established CVE practices, or other observable evidence. For licensing compliance, the ideal process should also consider the license associated with the component.
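As an added illustration (not part of the original document or of any EdgeX tooling), the following Python sketch derives the criteria listed above from raw counts and turns them into reviewer findings rather than a single opaque score. The field names, the derived measures (issue closure ratio, months since last commit, top committer share) and every threshold are assumptions chosen for the example; the project has not defined them.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class ComponentMetrics:
    name: str
    first_commit: date        # drives "Age"
    last_commit: date         # drives "recent commit history"
    total_commits: int
    open_issues: int
    closed_issues: int
    releases: int
    stars: int
    forks: int
    watchers: int
    cves: int                 # count returned by an NVD query
    commits_per_author: dict  # author -> commits, for committer diversity

# Thresholds are assumptions for illustration, not values defined by the project.
MIN_AGE_YEARS, MAX_MONTHS_IDLE, MIN_ISSUE_CLOSURE, MAX_TOP_SHARE = 1.0, 12, 0.5, 0.8

def assess(m: ComponentMetrics, today: date) -> dict:
    """Derive the criteria from raw counts and return them with reviewer findings."""
    age_years = (today - m.first_commit).days / 365.25
    months_idle = (today - m.last_commit).days / 30.44
    issues = m.open_issues + m.closed_issues
    closure = m.closed_issues / issues if issues else 1.0
    author_total = sum(m.commits_per_author.values())
    top_share = max(m.commits_per_author.values(), default=0) / author_total if author_total else 1.0
    findings = []
    if age_years < MIN_AGE_YEARS:
        findings.append("young project: limited track record")
    if months_idle > MAX_MONTHS_IDLE:
        findings.append(f"stale: no commits for {months_idle:.0f} months")
    if closure < MIN_ISSUE_CLOSURE:
        findings.append(f"low issue closure ratio ({closure:.2f})")
    if top_share > MAX_TOP_SHARE:
        findings.append(f"single-maintainer risk: one author has {top_share:.0%} of commits")
    if m.releases == 0:
        findings.append("no tagged releases: pin to a commit and record why")
    if m.cves > 0:
        findings.append(f"{m.cves} CVE(s) on record: confirm each is fixed in the version adopted")
    return {"name": m.name, "age_years": round(age_years, 1), "months_idle": round(months_idle, 1),
            "issue_closure": round(closure, 2), "top_committer_share": round(top_share, 2),
            "findings": findings}

# Constructed sample input, not a real project's figures.
SAMPLE = ComponentMetrics("example-lib", date(2016, 3, 1), date(2019, 1, 15), 1000, 120, 80, 0,
                          2500, 300, 90, 2, {"alice": 900, "bob": 60, "carol": 40})
```

Calling `assess(SAMPLE, date(2021, 3, 1))` on the constructed sample yields five findings (stale history, low issue closure, single-maintainer concentration, no releases, recorded CVEs), each pointing the reviewer at a specific follow-up rather than a pass/fail verdict.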
...