Add ability to generate "dependency health" metrics
e.g.
- via OpenSSF scorecards https://api.securityscorecards.dev/
- "how many contributors"
- "when was the last release" vs "how many advisories"
- "is this a deprecated Jenkins plugin" via https://plugins.jenkins.io/job-dsl/healthscore/
- https://stacklok.com/trusty
- "is this maintained"
Start with a report, then follow up to surface e.g. advisories
Metadata from OpenSSF Scorecards
(all of it)
Metadata from Ecosystems:
https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/eslint
$.metadata.funding # for issue #235
$.repo_metadata.archived # UNMAINTAINED
$.repo_metadata.pushed_at
$.repo_metadata.updated_at
$.repo_metadata.last_synced_at
$.pushed_at
$.updated_at
$.last_synced_at
$.latest_release_published_at
$.repo_metadata_updated_at
$.status.deprecated
Maybe:
$.dependent_packages_count
$.docker_dependents_count
Examples:
- https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/eslint
- https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@jamietanna%2Frenovate-graph
- https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fdeepmap%2Foapi-codegen
- https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fjamietanna%2Flog
- https://packages.ecosyste.ms/api/v1/registries/proxy.golang.org/packages/github.com%2Fpkg%2Ferrors
- https://packages.ecosyste.ms/api/v1/registries/repo1.maven.org/packages/me.jvt.http:media-type
- https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/angular (deprecated)
- https://packages.ecosyste.ms/api/v1/registries/pypi.org/packages/wiremock
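As an added example (not code from this project), the fields listed above turned into a "dependency health" report. It takes one ecosyste.ms package response as JSON and derives archived/deprecated/stale signals plus days-since-push, days-since-release and dependent counts. Everything beyond the JSON paths on this page is assumed: the Go type names, the 365-day staleness window, the fixed "now" used so the sample is reproducible, and the two constructed sample responses (not real API output). Because the page writes `$.status.deprecated` while a plain string status is also plausible, the deprecation check accepts either shape.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// ecosystemsPackage holds the subset of a packages.ecosyste.ms response that
// the report reads. The json tags are the paths listed above; the Go names and
// the assumption that dates are RFC 3339 strings are this example's own.
type ecosystemsPackage struct {
	Status                   json.RawMessage `json:"status"`
	PushedAt                 *time.Time      `json:"pushed_at"`
	LatestReleasePublishedAt *time.Time      `json:"latest_release_published_at"`
	DependentPackagesCount   int             `json:"dependent_packages_count"`
	RepoMetadata             *struct {
		Archived bool       `json:"archived"`
		PushedAt *time.Time `json:"pushed_at"`
	} `json:"repo_metadata"`
}

// HealthReport is the derived "dependency health" view of one package.
type HealthReport struct {
	Archived         bool
	Deprecated       bool
	DaysSincePush    int // -1 when unknown
	DaysSinceRelease int // -1 when unknown
	Dependents       int
	Unmaintained     bool
	Reasons          []string
}

// Assumed policy knobs: a fixed "now" for reproducibility and a one-year
// inactivity window after which a package counts as unmaintained.
var ReferenceNow = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)

const StaleAfter = 365 * 24 * time.Hour

// isDeprecated accepts a string status ("deprecated") or an object with a
// boolean "deprecated" key; null or a missing field yields false.
func isDeprecated(raw json.RawMessage) bool {
	var v interface{}
	if len(raw) == 0 || json.Unmarshal(raw, &v) != nil {
		return false
	}
	switch s := v.(type) {
	case string:
		return s == "deprecated"
	case map[string]interface{}:
		b, _ := s["deprecated"].(bool)
		return b
	}
	return false
}

func daysSince(t *time.Time, now time.Time) int {
	if t == nil {
		return -1
	}
	return int(now.Sub(*t).Hours() / 24)
}

// AssessHealth turns raw package JSON into a HealthReport.
func AssessHealth(data []byte, now time.Time, staleAfter time.Duration) (HealthReport, error) {
	var p ecosystemsPackage
	if err := json.Unmarshal(data, &p); err != nil {
		return HealthReport{}, err
	}
	r := HealthReport{
		Dependents:       p.DependentPackagesCount,
		Deprecated:       isDeprecated(p.Status),
		DaysSinceRelease: daysSince(p.LatestReleasePublishedAt, now),
	}
	// Prefer the repository's push date; fall back to the package-level one.
	push := p.PushedAt
	if p.RepoMetadata != nil {
		r.Archived = p.RepoMetadata.Archived
		if p.RepoMetadata.PushedAt != nil {
			push = p.RepoMetadata.PushedAt
		}
	}
	r.DaysSincePush = daysSince(push, now)
	if r.Archived {
		r.Reasons = append(r.Reasons, "repository is archived")
	}
	if r.Deprecated {
		r.Reasons = append(r.Reasons, "package is marked deprecated")
	}
	if push != nil && now.Sub(*push) > staleAfter {
		r.Reasons = append(r.Reasons, fmt.Sprintf("no push for %d days", r.DaysSincePush))
	}
	r.Unmaintained = len(r.Reasons) > 0
	return r, nil
}

// Constructed sample responses for the example (not real API output).
const SampleDeprecated = `{"status":"deprecated","pushed_at":"2022-06-01T00:00:00Z",
 "latest_release_published_at":"2022-01-01T00:00:00Z","dependent_packages_count":1200,
 "repo_metadata":{"archived":true,"pushed_at":"2022-06-01T00:00:00Z"}}`

const SampleHealthy = `{"status":null,"pushed_at":"2023-12-20T00:00:00Z",
 "latest_release_published_at":"2023-12-01T00:00:00Z","dependent_packages_count":50,
 "repo_metadata":{"archived":false,"pushed_at":"2023-12-20T00:00:00Z"}}`

func main() {
	for _, s := range []string{SampleDeprecated, SampleHealthy} {
		r, err := AssessHealth([]byte(s), ReferenceNow, StaleAfter)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%+v\n", r)
	}
}
```

To run it against live data, fetch one of the URLs above with a registry-scoped HTTP client and pass the body to AssessHealth with time.Now(); the Reasons slice is what would feed the report, and Dependents gives a blast-radius weighting for the follow-up advisories work.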
Maybe also:
Metadata from Deps.dev (which also surfaces OpenSSF Scorecard results)
Edited by Jamie Tanna