The following describes how the Open Source Safety Obsolescence score is calculated.
Details
Obsolescence Risk: This score from 0 (high obsolescence) to 100 (low obsolescence) is calculated based on the gap between the current version of the components detected in applications and the latest known version of each corresponding component.
Calculation (at the application level):
- The calculation is based on the release date of the version of the component detected (releaseDate) and the release date of the latest known version of the corresponding component (lastReleaseDate).
Qualification:
- At least 1 component should be matched to CAST Highlight SCA database (frameworks not matched will be ignored)
- Only components with a lastReleaseDate > releaseDate (i.e., unreleased components are ignored)
- Formula at the component level:
Maximum gap of 100 months -> score = 0
Param1 = 1.66667 // internal parameter of the formula
DiffMonth = min(100, Diff(lastReleaseDate, releaseDate)) // difference in months between the detected version and the latest version
DeprecationIndicator = 1 - Param1 * (POWER(1 + DiffMonth, DiffMonth/1000) - 1)
- The application score is the straight average of all component scores (DeprecationIndicator).
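The component and application calculation above, as an added worked example (not CAST Highlight's own code): it applies the qualification rule, the 100-month cap and the DeprecationIndicator formula to a small constructed inventory. The whole-month date difference, the clamp of the indicator to [0, 1] and the scaling to 0-100 are assumptions, since the page does not define Diff() or the final rounding.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

PARAM1 = 1.66667       # internal parameter of the formula, as quoted on the page
MAX_GAP_MONTHS = 100   # gaps above 100 months are capped


@dataclass
class Component:
    name: str
    release_date: date       # release date of the detected version (releaseDate)
    last_release_date: date  # release date of the latest known version (lastReleaseDate)


def month_gap(release_date: date, last_release_date: date) -> int:
    """Whole calendar months between the two dates (assumption: the page does not
    define Diff(); the day of month is ignored here)."""
    return ((last_release_date.year - release_date.year) * 12
            + (last_release_date.month - release_date.month))


def deprecation_indicator(diff_month: float) -> float:
    """DeprecationIndicator = 1 - Param1 * (POWER(1 + DiffMonth, DiffMonth/1000) - 1),
    with DiffMonth capped at 100 months."""
    diff_month = min(MAX_GAP_MONTHS, diff_month)
    indicator = 1.0 - PARAM1 * ((1.0 + diff_month) ** (diff_month / 1000.0) - 1.0)
    return max(0.0, min(1.0, indicator))  # assumption: clamp to [0, 1]


def obsolescence_score(components: List[Component]) -> Optional[float]:
    """Application score: straight average of the qualifying components' indicators,
    scaled to 0-100. Only components with lastReleaseDate > releaseDate qualify."""
    qualifying = [c for c in components if c.last_release_date > c.release_date]
    if not qualifying:
        return None  # nothing matched or qualified: no score can be computed
    indicators = [deprecation_indicator(month_gap(c.release_date, c.last_release_date))
                  for c in qualifying]
    return round(100 * mean(indicators), 1)


# Constructed sample inventory (not real component data)
SAMPLE = [
    Component("lib-a", date(2023, 1, 15), date(2023, 1, 15)),  # already at latest: ignored
    Component("lib-b", date(2021, 6, 1), date(2023, 6, 1)),    # 24 months behind
    Component("lib-c", date(2010, 3, 1), date(2023, 3, 1)),    # 156 months, capped at 100
]

if __name__ == "__main__":
    for c in SAMPLE:
        gap = month_gap(c.release_date, c.last_release_date)
        print(f"{c.name}: gap={gap} months, indicator={deprecation_indicator(gap):.3f}")
    print("application score:", obsolescence_score(SAMPLE))
```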
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Zendesk Ticket Number
25540