Package Scores
Socket Scores and Alerts
Socket scores and alerts are broken down into the following categories:
- Supply chain risk
- Quality
- Maintenance
- Vulnerabilities
- License
We compute the score for each category as a normalized weighted sum of various metrics. These metrics are subject to change as we make improvements to our product. Each metric may also apply an optional limit, which caps the category score.
Given a category $i$, let $x_{i,j}$ be the value of metric $j$, with normalization function $N_j$, weight $w_j$ and limit $l_{i,j}$.
Then the score $S_i$ is

$$S_i = 100 \cdot \min\left(\max\left(0, \min_j l_{i,j}\right), \frac{\sum_j w_j N_j(x_{i,j})}{\sum_j w_j}\right)^{\gamma}$$

where $\gamma$ is a power scaling constant based on the size and popularity of the project:

$$\gamma \approx \frac{1}{2} + c_0 \log(\text{lines of code}) + c_1 \log(\text{popularity})$$
Currently Socket supports the following metrics:
| Metric | Category | Weight | Normalization $N_j(x)$ | Limit $l_{i,j}$ |
|---|---|---|---|---|
| Critical Alerts | Any | 1 | $e^{-10x}$ | $1/4$ if $x > 0$, else $1$ |
| High Alerts | Any | 2 | $e^{-x}$ | $\max\{1/4,\ 1 - x/10\}$ |
| Medium Alerts | Any | 2 | $e^{-x/20}$ | $\max\{1/2,\ 1.15 - x/20\}$ |
| Low Alerts | Any | 3 | $e^{-x/40}$ | 1 |
| License Quality | License | 12 | $x/100$ | 1 |
| Maintainer Count | Maintenance | 5 | $-(e^{-x/3} - 1)$ | $0$ if $x = 0$, else $1$ |
| Versions Last Year | Maintenance | 5 | $-(e^{-x/12} - 1)$ | 1 |
| Versions Last Two Months | Maintenance | 3 | $-(e^{-x} - 1)$ | 1 |
| Versions Last Month | Maintenance | 2 | $-(e^{-x} - 1)$ | 1 |
| Versions Last Week | Maintenance | 1 | $-(e^{-x/0.25} - 1)$ | 1 |
| Open Issues | Maintenance | 1 | $e^{-x/100}$ | 1 |
| Closed Issues | Maintenance | 1 | $-(e^{-x/1000} - 1)$ | 1 |
| Commits Last Week | Maintenance | 1 | $-(e^{-x/4} - 1)$ | 1 |
| Commits Last Month | Maintenance | 1 | $-(e^{-x/6} - 1)$ | 1 |
| Commits Last Two Months | Maintenance | 1 | $-(e^{-x/32} - 1)$ | 1 |
| Commits Last Year | Maintenance | 1 | $-(e^{-x/208} - 1)$ | 1 |
| Commits | Maintenance | 1 | $-(e^{-x/300} - 1)$ | 1 |
| Version Count | Maintenance | 0.5 | $-(e^{-x/10} - 1)$ | 1 |
| Readme Length | Quality | 5 | $x/100$ | 1 |
| Bundle Size | Quality | 2 | $e^{-x/16384}$ | 1 |
| Stargazers | Quality | 1 | $-(e^{-x/100} - 1)$ | 1 |
| Forks | Quality | 1 | $-(e^{-x} - 1)$ | 1 |
| Watchers | Quality | 1 | $-(e^{-x} - 1)$ | 1 |
| Lines of Code | Quality | 0.5 | $x/50$ | 1 |
| Download Count | Supply Chain Risk | 5 | $-(e^{-x/10000} - 1)$ | 1 |
| Transitive Dependency Count | Supply Chain Risk | 1 | $e^{-x/1000}$ | 1 |
| Total Dependency Count | Supply Chain Risk | 1 | $e^{-x/1000}$ | 1 |
| Dependency Count | Supply Chain Risk | 1 | $e^{-x/50}$ | 1 |
| Dev Dependency Count | Supply Chain Risk | 0.5 | $e^{-x/100}$ | 1 |
| Dependency Vulnerability Count | Vulnerability | 1 | $1 - x$ | $1/2$ if $x > 0$, else $1$ |
| Vulnerability Count | Vulnerability | 1 | $1 - x/3$ | 1 |
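The scoring rule and the metric table above, carried through in code. This is an added example written for this page, not Socket's implementation: it transcribes the table's weights, normalization functions and limits as given, evaluates $S_i$ for one category, and uses $\gamma = 1/2$ because the page gives no values for $c_0$ and $c_1$ (`gamma_for` defaults them to 0). Three points are this example's assumptions rather than anything the page states: a metric whose category is "Any" is counted in whichever category's alerts it describes, a metric absent from the input counts as 0, and a negative weighted sum is clamped to 0 before the power is applied. All metric names and the sample readings are constructed.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict, List

Fn = Callable[[float], float]

def saturate(k: float) -> Fn:
    """-(e^{-x/k} - 1) = 1 - e^{-x/k}: 0 at x = 0, rising toward 1 as x grows."""
    return lambda x: -(math.exp(-x / k) - 1)

def decay(k: float) -> Fn:
    """e^{-x/k}: 1 at x = 0, falling toward 0 as x grows (penalises large counts)."""
    return lambda x: math.exp(-x / k)

def linear(k: float) -> Fn:
    """x/k: a plain ratio; the table does not cap it, so it may exceed 1."""
    return lambda x: x / k

no_limit: Fn = lambda _x: 1.0  # limit of 1 never caps the score

@dataclass(frozen=True)
class Metric:
    name: str
    category: str  # "any": counted in whichever category the alert belongs to (assumption)
    weight: float
    normalize: Fn
    limit: Fn

# The page's metric table, transcribed row by row (metric names are constructed here).
METRICS: List[Metric] = [
    Metric("critical_alerts", "any", 1, decay(0.1), lambda x: 0.25 if x > 0 else 1.0),
    Metric("high_alerts", "any", 2, decay(1), lambda x: max(0.25, 1 - x / 10)),
    Metric("medium_alerts", "any", 2, decay(20), lambda x: max(0.5, 1.15 - x / 20)),
    Metric("low_alerts", "any", 3, decay(40), no_limit),
    Metric("license_quality", "license", 12, linear(100), no_limit),
    Metric("maintainer_count", "maintenance", 5, saturate(3), lambda x: 0.0 if x == 0 else 1.0),
    Metric("versions_last_year", "maintenance", 5, saturate(12), no_limit),
    Metric("versions_last_two_months", "maintenance", 3, saturate(1), no_limit),
    Metric("versions_last_month", "maintenance", 2, saturate(1), no_limit),
    Metric("versions_last_week", "maintenance", 1, saturate(0.25), no_limit),
    Metric("open_issues", "maintenance", 1, decay(100), no_limit),
    Metric("closed_issues", "maintenance", 1, saturate(1000), no_limit),
    Metric("commits_last_week", "maintenance", 1, saturate(4), no_limit),
    Metric("commits_last_month", "maintenance", 1, saturate(6), no_limit),
    Metric("commits_last_two_months", "maintenance", 1, saturate(32), no_limit),
    Metric("commits_last_year", "maintenance", 1, saturate(208), no_limit),
    Metric("commits", "maintenance", 1, saturate(300), no_limit),
    Metric("version_count", "maintenance", 0.5, saturate(10), no_limit),
    Metric("readme_length", "quality", 5, linear(100), no_limit),
    Metric("bundle_size", "quality", 2, decay(16384), no_limit),
    Metric("stargazers", "quality", 1, saturate(100), no_limit),
    Metric("forks", "quality", 1, saturate(1), no_limit),
    Metric("watchers", "quality", 1, saturate(1), no_limit),
    Metric("lines_of_code", "quality", 0.5, linear(50), no_limit),
    Metric("download_count", "supply_chain_risk", 5, saturate(10000), no_limit),
    Metric("transitive_dependency_count", "supply_chain_risk", 1, decay(1000), no_limit),
    Metric("total_dependency_count", "supply_chain_risk", 1, decay(1000), no_limit),
    Metric("dependency_count", "supply_chain_risk", 1, decay(50), no_limit),
    Metric("dev_dependency_count", "supply_chain_risk", 0.5, decay(100), no_limit),
    Metric("dependency_vulnerability_count", "vulnerability", 1, lambda x: 1 - x, lambda x: 0.5 if x > 0 else 1.0),
    Metric("vulnerability_count", "vulnerability", 1, lambda x: 1 - x / 3, no_limit),
]

def gamma_for(lines_of_code: float, popularity: float, c0: float = 0.0, c1: float = 0.0) -> float:
    """gamma ~ 1/2 + c0*log(lines of code) + c1*log(popularity).
    The page gives no values for c0 and c1, so they default to 0 here (gamma = 1/2)."""
    return 0.5 + c0 * math.log(max(lines_of_code, 1)) + c1 * math.log(max(popularity, 1))

def category_score(category: str, values: Dict[str, float], gamma: float = 0.5) -> float:
    """S_i = 100 * min(max(0, min_j l_ij), sum_j w_j N_j(x_ij) / sum_j w_j) ** gamma.
    `values` maps metric name -> raw x for this category; a missing metric counts
    as 0 (assumption; the page does not say how absent data is treated)."""
    rows = [m for m in METRICS if m.category in (category, "any")]
    xs = {m.name: values.get(m.name, 0.0) for m in rows}
    weighted = sum(m.weight * m.normalize(xs[m.name]) for m in rows) / sum(m.weight for m in rows)
    cap = min(m.limit(xs[m.name]) for m in rows)  # the tightest limit wins
    base = min(max(0.0, cap), weighted)
    # `1 - x` normalisations can push the weighted sum negative, and a fractional power
    # of a negative number is not real, so clamp at 0 (assumption, not stated on the page).
    return 100.0 * max(0.0, base) ** gamma

# Constructed sample readings for one package's Maintenance category (not real data).
HEALTHY_MAINTENANCE: Dict[str, float] = {
    "maintainer_count": 4, "versions_last_year": 12, "versions_last_two_months": 1,
    "versions_last_month": 1, "versions_last_week": 0, "open_issues": 20, "closed_issues": 500,
    "commits_last_week": 3, "commits_last_month": 10, "commits_last_two_months": 30,
    "commits_last_year": 200, "commits": 800, "version_count": 40,
}

if __name__ == "__main__":
    print(round(category_score("maintenance", HEALTHY_MAINTENANCE), 1))  # ~85.8
    # Same activity but no known maintainer: the limit l = 0 zeroes the whole score.
    print(category_score("maintenance", {**HEALTHY_MAINTENANCE, "maintainer_count": 0}))  # 0.0
    # One critical alert caps the category at 100 * (1/4)^(1/2) = 50.
    print(category_score("maintenance", {**HEALTHY_MAINTENANCE, "critical_alerts": 1}))  # 50.0
```

The three runs at the bottom show how the limit column dominates the weighted sum: a single critical alert pins the category at 50 no matter how active the project is, and a package with no known maintainer scores 0 in Maintenance even with a full year of releases and commits.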
Please note that these metrics are subject to change and may be revised as we make changes to our system. The contents of this document may not exactly represent the scoring system as deployed in Socket at this point in time as we are continuously making adjustments to these systems.