
Identifying Critical Projects

Since its first meeting on August 27, 2020, the Securing Critical Projects workgroup has encouraged participants, advocates, and the greater open source community to present and discuss research related to security and open source projects, supply chains, and ecosystems. As a result of that research and the associated discussions, as well as proposed solutions for securing critical projects, the workgroup curated this document, which focuses on identifying projects deemed "critical" to the open source ecosystem.

List of Identified Projects

The list of Identified Critical Projects can be found here: Version 1: https://docs.google.com/spreadsheets/d/1ONZ4qeMq8xmeCHX03lIgIYE4MEXVfVL6oj05lbuXTDM/edit#gid=0

Resources, Data Points, and Supporting Documentation

Here are a few of the various papers and programs that attempt to quantitatively identify the most critical open source software (OSS) projects. The list below is just a sample of the many presentations given and discussions held. For a full overview of the working group's presentations and discussions, join the workgroup and view the meeting notes. The workgroup is open to all.

The NIST Definition of Critical Software was considered when doing this exercise and generating a set of critical open source projects.

This research has resulted in the release of a preliminary report that identified a list of top 10 most-used JavaScript packages as well as the top 10 most-used Non-JavaScript packages.

The Open Source Project Criticality Score has been used to generate a number of lists of open source projects that had the highest criticality scores. The data generated from the algorithm ranks the projects with the highest criticality scores by: All (all-time top 200), C top 200, C++ top 200, C# top 200, go top 200, java top 200, and many others.
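The Criticality Score lists mentioned above come from a weighted, log-normalized combination of repository signals. The following is an added example, not code from the workgroup or from the criticality_score project itself: it reproduces the published formula as recalled from the ossf/criticality_score README, so the weights, thresholds and the signed-weight denominator are assumptions to be checked against the project's current documentation, and the three projects' signal values are constructed for illustration.

```python
import math

# Signal weights (alpha) and saturation thresholds (T) for each input.
# Recalled from the ossf/criticality_score README; treat as an assumption
# and verify against the project's current docs before relying on them.
SIGNAL_PARAMS = {
    "created_since_months":  (1.0, 120),
    "updated_since_months":  (-1.0, 120),   # negative: staleness lowers the score
    "contributor_count":     (2.0, 5000),
    "org_count":             (1.0, 10),
    "commit_frequency":      (1.0, 1000),
    "recent_releases_count": (0.5, 26),
    "closed_issues_count":   (0.5, 5000),
    "updated_issues_count":  (0.5, 5000),
    "comment_frequency":     (1.0, 15),
    "dependents_count":      (2.0, 500000),
}


def normalized_signal(value, threshold):
    """Log-scale normalization: log(1+S) / log(1+max(S, T)).

    Returns 0.0 for a zero signal and saturates at 1.0 once the signal
    reaches its threshold, so one huge value cannot dominate the sum.
    """
    value = max(0, value)  # log(1+S) needs S >= 0; clamp bad input
    return math.log(1 + value) / math.log(1 + max(value, threshold))


def criticality_score(signals):
    """Weighted average of the normalized signals, rounded to 5 decimals.

    Missing signals count as zero. The denominator is the sum of the signed
    weights, as in the published formula (an assumption, see above).
    """
    total_weight = sum(weight for weight, _ in SIGNAL_PARAMS.values())
    weighted = sum(
        weight * normalized_signal(signals.get(name, 0), threshold)
        for name, (weight, threshold) in SIGNAL_PARAMS.items()
    )
    return round(weighted / total_weight, 5)


def rank_projects(projects):
    """Return project names ordered from highest to lowest criticality score."""
    scored = [(name, criticality_score(sig)) for name, sig in projects.items()]
    return [name for name, _ in sorted(scored, key=lambda p: p[1], reverse=True)]


# Constructed sample signals (not real measurements) for three projects.
SAMPLE_PROJECTS = {
    "widely-used-lib": {
        "created_since_months": 96, "updated_since_months": 0,
        "contributor_count": 1200, "org_count": 15, "commit_frequency": 40,
        "recent_releases_count": 12, "closed_issues_count": 3000,
        "updated_issues_count": 800, "comment_frequency": 6,
        "dependents_count": 250000,
    },
    "abandoned-lib": {
        "created_since_months": 110, "updated_since_months": 60,
        "contributor_count": 30, "org_count": 2, "commit_frequency": 0,
        "recent_releases_count": 0, "closed_issues_count": 400,
        "updated_issues_count": 5, "comment_frequency": 1,
        "dependents_count": 20000,
    },
    "weekend-project": {
        "created_since_months": 3, "updated_since_months": 1,
        "contributor_count": 1, "org_count": 1, "commit_frequency": 2,
        "recent_releases_count": 1, "closed_issues_count": 2,
        "updated_issues_count": 1, "comment_frequency": 0,
        "dependents_count": 0,
    },
}

if __name__ == "__main__":
    for name in rank_projects(SAMPLE_PROJECTS):
        print(f"{name:18s} {criticality_score(SAMPLE_PROJECTS[name]):.5f}")
```

The point of the log normalization is visible in the sample: "abandoned-lib" has far more dependents than "weekend-project" but its 60 months without an update pulls the score down through the negative weight, while "widely-used-lib" ranks first without any single signal having to hit its threshold. Per-language top-200 lists like those referenced above are produced by running the same ranking over the projects of one language.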

Related Work

  • Report on the 2020 FOSS Contributor Survey, by Frank Nagle, David A. Wheeler, Hila Lifshitz-Assaf, Haylee Ham, and Jennifer L. Hoffman, The Linux Foundation & The Laboratory for Innovation Science at Harvard

  • Open Source Technology Improvement Fund, Inc (OSTIF) Project List and Managed Audit Program

OSTIF, the Open Source Technology Improvement Fund, Inc, is an independent non-profit that specializes in facilitating security engagements for open source projects. OSTIF strategically partnered with the Linux Foundation in January 2020 and contributes to the OpenSSF via the Securing Critical Projects and Identifying Security Threats working groups. Responsible for over 3,500 hours of independent review, 147 security fixes and improvements, and 26 severe bug patches, OSTIF compiled a number of data points, including results from the Criticality Score and Census Program II referenced above, to generate a candidate list of 25 critical projects that could benefit from OSTIF's work.

The Managed Audit Program was pitched to the Securing Critical Projects workgroup due to the relevance of OSTIF's work in improving the security of critical projects.