libsqlite3-0 risk index should be 8 not 6 #1

Closed
edwintorok opened this issue Jul 9, 2015 · 3 comments
Comments

@edwintorok

Manually calculating the score yields a score of 8:

  • website: 0 points
  • CVE: 3 points (4 CVEs since 2010, don't know why it's marked as 0 in your csv)
  • Contributor: 0 points (according to scm history, 4 contributors in 12 months)
  • popularity: 1 point (popcon vote: 126928 83348, popcon inst: 130862)
  • Network exposure: at least 1 point (firefox uses it for IndexedDB IIRC)
  • Dependencies: 2 points (440 unique reverse depends for libsqlite3-0 sqlite3)
  • Patches: 1 point (8 patches, not marked as forwarded in debian)
  • ABRT crash statistics: don't know where to get this from
@skhakimov
Contributor

Hello,

Please note: we are not yet including Dependencies, Patches and ABRT crash statistics in the risk index. These are suggested but are not implemented yet [1].

CVEs are not being captured because all are recent (post-April 2015). I believe results.csv shows data from March-April. Rerunning the script will reflect latest CVEs and scores. And we are using [2] to source CVEs.

[1] https://www.coreinfrastructure.org/programs/census-project
[2] https://security-tracker.debian.org/tracker/source-package/sqlite3

@david-a-wheeler
Collaborator

I suggest closing this issue, partly because we've shown in the previous responses that we don't use ABRT etc., and partly from the resolution of issue #29. In particular, the new version of the tool will show each portion of the calculated score, making it MUCH easier to see why scores ended up a certain way.

@edwintorok
Author

thanks
