An application that, based on the numbers seen on the dashboard, should get the highest score is found to be getting the lowest OSS score among the other apps.
Details
This is because the particular application has a very low number of third-party components, which results in fewer CVEs and low license risk and obsolescence scores. That is, a smaller number of components with fewer risks results in a lower score.
How Open Source Safety Index is calculated
The Open Source Safety Index, from 0 (low safety) to 100 (high safety), is an average of the three underlying scores that measure open source/third-party component risk. It is calculated at the application level and then rolled up for the entire portfolio (a straight average of all application scores). The three underlying scores are summarized below.
- Security Risk: This score from 0 (low security) to 100 (high security) is calculated based on the number of open source/third-party components in an application and the total number of Common Vulnerabilities & Exposures (CVEs), weighted by CVE criticality (critical, high, medium and low).
- License Risk: This score from 0 (high risk) to 100 (low risk) is calculated based on the number of components having a low-risk license, the number of components having a medium-risk license, and the number of components having a high-risk license, where low-, medium- and high-risk licenses have different weights.
- Obsolescence Risk: This score from 0 (high obsolescence) to 100 (low obsolescence) is calculated based on the gap between the current version of each component detected in the application and the latest known version of that component.
Additional components with partial information do not contribute to Open Source Safety scores. More details about how the score is calculated can be found at https://doc.casthighlight.com/tools/CAST-Highlight-Indicators-Methodology.pptx
Additional Resources
CAST Highlight Troubleshooting Guides
CAST Highlight Product Documentation
Ticket
26144