NodeSource Risk Score
NodeSource Certified Modules 2 (NCM 2) calculates a risk score for every third-party package on npm. Each module is assessed for security vulnerabilities, license concerns and a series of package risk and quality attributes.
The terms used in this document, and how each relates to scoring, are defined below:
- "Package": a bundled module, as distributed by npm.
- "Criteria": a programmatic rule run against a package.
- "Cert": the raw output data produced by running a criteria against a package.
- "Score": the processed, user-facing output data for a criteria.
- "Score Group": a set of related scores.
- "Severity": the approximate level of impact a score has, relative to its score group.
Scoring Output: NCM 2 Risk Level
Scoring in NCM 2 is substantially different from what it was in NCM 1. Instead of providing a 0-100 trust score, NCM 2 assesses packages based on security, compliance, package risk and quality attributes. Combined, these attributes result in an overall risk level for each package, which allows you to:
- Manage acceptable risk levels incurred through third-party code.
- Understand current security vulnerabilities, and their severity, introduced via third-party modules.
- Understand license and compliance risks introduced via third-party modules.
- Understand potential risk vectors not yet surfaced in security vulnerabilities.
- Obtain insights into quality attributes that align with best practices, making your code more manageable and secure.
The following paragraphs detail the NCM 2 scores, score groups, severity levels, and what all of those mean.
Security
The Security group surfaces whether a module contains known security vulnerabilities, together with the severity of each vulnerability and, where available, a path to its remediation.
Security Severity
Security vulnerabilities have severity levels, and each severity level contributes to the corresponding risk level:
- Low Severity -> Low Risk
- Medium Severity -> Medium Risk
- High Severity -> High Risk
Security Score: vulnerability
Security vulnerabilities as reported by Snyk. Each score's severity is the severity reported for that vulnerability.
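The following is an added example, not NodeSource's or NCM's own code, that ties the terminology above together: criteria are run against a package to produce certs, certs are processed into scores with a severity, scores are grouped, and the Security group's severities map onto the risk levels listed above. The package shape, the two criteria, the placeholder advisory ids and the "highest severity wins" roll-up into an overall risk level are assumptions made for this illustration.

```javascript
// Added illustration of the NCM 2 vocabulary: a criteria produces a cert, the cert is
// processed into scores, scores belong to a score group, and each score has a severity.
// Not NodeSource's code; package shape, criteria and the highest-severity roll-up are assumptions.
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3 };

// Criteria: programmatic rules run against a package; each returns a raw cert.
const CRITERIA = [
  { name: 'vulnerability', group: 'security',
    run: (pkg) => ({ vulnerabilities: pkg.vulnerabilities || [] }) },
  { name: 'license', group: 'compliance',
    run: (pkg) => ({ license: pkg.license || null }) },
];

// Process a raw cert into user-facing scores, one severity per score.
function scoreCert(criterion, cert) {
  if (criterion.name === 'vulnerability') {
    // One score per reported vulnerability; severity mirrors the reported severity
    // (low -> low risk, medium -> medium risk, high -> high risk).
    return cert.vulnerabilities.map((v) => ({
      name: 'vulnerability', group: 'security', severity: v.severity, detail: v.id,
    }));
  }
  // Assumed compliance rule: a package with no declared license is a medium concern.
  return [{ name: 'license', group: 'compliance',
    severity: cert.license ? 'none' : 'medium', detail: cert.license }];
}

function worse(a, b) {
  return SEVERITY_RANK[a] >= SEVERITY_RANK[b] ? a : b;
}

// Run every criteria, group the scores and roll them up into a package risk level.
function assessPackage(pkg) {
  const scores = CRITERIA.flatMap((c) => scoreCert(c, c.run(pkg)));
  const groups = {};
  for (const s of scores) groups[s.group] = worse(groups[s.group] || 'none', s.severity);
  const riskLevel = Object.values(groups).reduce(worse, 'none');
  return { scores, groups, riskLevel };
}

// Constructed sample package (not a real npm module; advisory ids are placeholders).
const SAMPLE_PACKAGE = {
  name: 'example-pkg', version: '1.2.3', license: 'MIT',
  vulnerabilities: [
    { id: 'ADVISORY-PLACEHOLDER-1', severity: 'medium' },
    { id: 'ADVISORY-PLACEHOLDER-2', severity: 'low' },
  ],
};
console.log(assessPackage(SAMPLE_PACKAGE).riskLevel); // prints "medium"
```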