I'd like to have a design document to:
- [ ] npm-health: Define the metrics collected
- [ ] npm-health: Collect the project health data required to support the metrics and scores
- [ ] npm-health: Calculate the associated score, based on weighted metrics (scoring elements)
This design should be based on and informed by existing metrics and scores available with open source projects like OpenSSF Scorecard, GrimoireLab, Bitergia Analytics and CHAOSS, as best practices.
The associated health score should be verifiable with available underlying and backing project health data and metrics, so that users can interpret and trace data signals and apply their own thresholds.
Collected project health data will be first used to compute metrics, but then also available for evidence verification.
Weighted metrics can then be used as scoring elements to compute the associated score, similar to other scoring elements used in DejaCode, ScanCode, and VulnerableCode.
A user (typically a developer) would query a new API to return data, metrics, and scores to apply internal policy decisions (including "allow/block"), backed by the open data evidence of collected project health data. (Note: Policy decisions are not in scope here; they would be handled separately.)
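To make the weighted-scoring and evidence-traceability idea concrete, here is an added illustration (not code from this project): each scoring element carries its raw metric value, a weight, the range it is normalized over, and the evidence it was computed from, so the final score can be traced back element by element. The metric names, weights, ranges and sample values below are constructed assumptions for a hypothetical npm package, not the metrics this design will eventually define.

```python
from dataclasses import dataclass, field


@dataclass
class ScoringElement:
    """One weighted metric feeding the health score.

    `low` is the raw value that earns no credit and `high` the raw value that
    earns full credit; `low` may be greater than `high` for "lower is better"
    metrics (e.g. days since last release), and the linear mapping still works.
    """
    name: str
    value: float
    weight: float
    low: float
    high: float
    evidence: dict = field(default_factory=dict)  # where the raw value came from

    def normalized(self) -> float:
        """Map the raw value onto 0..1 and clamp out-of-range values."""
        if self.high == self.low:
            raise ValueError(f"{self.name}: low and high must differ")
        n = (self.value - self.low) / (self.high - self.low)
        return min(1.0, max(0.0, n))


def compute_health_score(elements: list[ScoringElement], scale: float = 10.0) -> dict:
    """Weighted mean of normalized metrics, scaled to 0..scale (10, as in OpenSSF Scorecard).

    Returns the score together with a per-element breakdown so a user can
    verify each contribution against its evidence and apply their own thresholds.
    """
    total_weight = sum(e.weight for e in elements)
    if total_weight <= 0:
        raise ValueError("at least one element must have a positive weight")
    breakdown = []
    score = 0.0
    for e in elements:
        n = e.normalized()
        contribution = e.weight / total_weight * n * scale
        score += contribution
        breakdown.append({
            "name": e.name,
            "raw_value": e.value,
            "normalized": round(n, 4),
            "weight": e.weight,
            "contribution": round(contribution, 4),
            "evidence": e.evidence,
        })
    return {"score": round(score, 2), "scale": scale, "elements": breakdown}


def passes_threshold(result: dict, minimum: float) -> bool:
    """A caller-supplied threshold over the score; the policy itself stays with the caller."""
    return result["score"] >= minimum


def sample_elements() -> list[ScoringElement]:
    # Constructed sample data for a hypothetical package; assumed metrics and weights.
    return [
        ScoringElement(
            name="days_since_last_release", value=30, weight=2, low=365, high=0,
            evidence={"source": "registry metadata (constructed)", "last_release": "30 days ago"},
        ),
        ScoringElement(
            name="maintainer_count", value=2, weight=1, low=0, high=3,
            evidence={"source": "package maintainers field (constructed)", "maintainers": 2},
        ),
        ScoringElement(
            name="known_vulnerabilities", value=0, weight=3, low=5, high=0,
            evidence={"source": "vulnerability lookup (constructed)", "matches": []},
        ),
    ]


if __name__ == "__main__":
    result = compute_health_score(sample_elements())
    print(result["score"], result["scale"])
    for element in result["elements"]:
        print(element["name"], element["normalized"], element["contribution"], element["evidence"])
    print("passes 8.0 threshold:", passes_threshold(result, 8.0))
```

The inversion for "lower is better" metrics falls out of the linear mapping (with `low` above `high` the slope is negative), and the breakdown keeps the normalized value, weight and contribution beside the evidence so a reviewer can recompute the score by hand.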