Skip to main content
Version: 6.0.0

NodeSource Risk Score

NodeSource Certified Modules 2 (NCM 2) calculates a risk score for every third party package on npm. Each module is assessed for security vulnerabilities, license concerns and a series of package risk and quality attributes.

Terminology and their respective scoring criteria are included below:

  • "Package": a bundled module, as distributed by npm.
  • "Criteria": a programmatic rule run against a package.
  • "Cert": the raw output data from a criteria.
  • "Score": the processed, user-facing output data for a criteria.
  • "Score Group": a set of related scores.
  • "Severity": the approximate level of impact a score has, related to its score group.

Scoring Output NCM 2 - Risk Level

Scoring in NCM 2 is substantially different than it was in NCM 1. Instead of providing a 0-100 trust score, NCM 2 assesses packages based on security, compliance, package risk and quality attributes. Combined, these attributes result in an overall risk-level for each package which allows you to:

  • Manage acceptable risk levels incurred through third-party code.
  • Understand current security vulnerabilities and their severity introduced via third party modules.
  • Understand license and compliance risks introduced via third party modules.
  • Understand potential risk vectors not yet surfaced in security vulnerabilities.
  • Obtain insights into quality attributes that align with best-practices making your code more manageable and secure.

The following paragraphs detail the NCM 2 scores, score groups, severity levels, and what all of those mean.

Security

The Security group surfaces if a certain module contains security vulnerabilities, along with their respective vulnerability-severity and if available, a path to their remediation.

Security Severity

Security vulnerabilities have severity levels. Each severity level contributed to the respective risk level. i.e.:

  • Low Severity -> Low Risk
  • Medium Severity -> Medium Risk
  • High Severity -> High Risk

Security Score : vulnerability

Security vulnerabilities as reported by Snyk. Severity output is per reported vulnerability severity.