Skip to main content
Version: 5.0.0

Quality

The Quality group is for criteria which are intended to indicate whether a package conforms to good open-source practices.

Good practice is things such as:

  • Including documentation.
  • Links to a source control repository.

Quality Severity

Quality criteria currently do not feature a severity dimension since the pipeline is intended to provide users with actionable information to help them reduce the risk-level that is present in their code. A quality criteria implies adherence to best-practices which result in more manageable and secure code. Since a quality criteria does not offset a security vulnerability or risk attribute, NCM 2 does not assign an impact severity to a quality attribute. Quality scores do therefore not affect a package’s risk level. This is determined by the lowest risk level that is present as determined by its security/ risk attributes.

Quality Scores

NCM 2 captures the following set of Quality Scores. This set continues to expand. Each property is outlined in more detail below:

Quality Score: readme-exists

This score indicates whether a readme file of some sort is present.

Identifying this attribute in a package means that its score will be elevated to Medium.

Quality Score: readme-size

This score indicates the size of a readme file (if a readme file is present).

Severity:

  • NONE if readme is of decent size.
  • LOW if readme size is under 1kb.
  • MEDIUM if readme size is under 500 bytes.

Quality Score: disk-usage-expanded-size

This score indicates the uncompressed size of the package on disk. Severity:

  • NONE if package size is under 20kb.
  • LOW if package size is over 20kb.
  • MEDIUM if package size is over 50kb.
  • HIGH if package size is over 100kb.
  • CRITICAL if package size is over 1mb.

Quality Score: disk-usage-file-count

This score indicates the number of files within a package.

Severity MEDIUM if a package contains over 100 files, otherwise NONE.

Quality Score: disk-usage-dir-count

This score indicates the number of directories within a package.

Severity MEDIUM if a package contains over 20 directories, otherwise NONE.

Quality Score: has-scm-info

This score indicates whether the package has source control information defined within its package.json.

Always severity HIGH or NONE.

Quality Score: scm-tagged-versions

This score indicates whether an acceptable percentage of this package's version have a corresponding tag in their source control repository (if it exists).

Always severity MEDIUM or NONE.