Quality
The Quality group is for criteria which are intended to indicate whether a package conforms to good open-source practices.
Good practice includes things such as:
- Including documentation.
- Links to a source control repository.
Quality Severity
Quality criteria currently do not feature a severity dimension, since the pipeline is intended to provide users with actionable information to help them reduce the risk level present in their code. A quality criterion implies adherence to best practices, which result in more manageable and secure code. Since a quality criterion does not offset a security vulnerability or risk attribute, NCM 2 does not assign an impact severity to a quality attribute. Quality scores therefore do not affect a package's risk level, which is determined by the lowest risk level present among its security/risk attributes.
Quality Scores
NCM 2 captures the following set of Quality Scores. This set continues to expand. Each property is outlined in more detail below:
- readme-exists
- readme-size
- disk-usage-expanded-size
- disk-usage-file-count
- disk-usage-dir-count
- has-scm-info
- scm-tagged-versions
Quality Score: readme-exists
This score indicates whether a readme file of some sort is present.
Identifying this attribute in a package means that its score will be elevated to Medium.
Quality Score: readme-size
This score indicates the size of a readme file (if a readme file is present).
Severity:
- NONE if readme is of decent size.
- LOW if readme size is under 1kb.
- MEDIUM if readme size is under 500 bytes.
Quality Score: disk-usage-expanded-size
This score indicates the uncompressed size of the package on disk.
Severity:
- NONE if package size is under 20kb.
- LOW if package size is over 20kb.
- MEDIUM if package size is over 50kb.
- HIGH if package size is over 100kb.
- CRITICAL if package size is over 1mb.
Quality Score: disk-usage-file-count
This score indicates the number of files within a package.
Severity MEDIUM if a package contains over 100 files, otherwise NONE.
Quality Score: disk-usage-dir-count
This score indicates the number of directories within a package.
Severity MEDIUM if a package contains over 20 directories, otherwise NONE.
Quality Score: has-scm-info
This score indicates whether the package has source control information defined within its package.json.
Always severity HIGH or NONE.
Quality Score: scm-tagged-versions
This score indicates whether an acceptable percentage of this package's versions have a corresponding tag in its source control repository (if one exists).
Always severity MEDIUM or NONE.