The OSTIF foundation (Open Source Technology Improvement Fund), created to improve the security of open source projects, has announced a collaboration with Google, which has agreed to finance independent security audits of eight open source projects. With the funds received from Google, it was decided to audit Git, the JavaScript library Lodash, the PHP framework Laravel, the Java logging framework SLF4J, the Jackson JSON libraries (jackson-core and jackson-databind), and the Apache HttpComponents Java components (httpcomponents-core and httpcomponents-client).
Earlier, using funds raised through donations, OSTIF already conducted audits of OpenSSL, VeraCrypt, OpenVPN, Monero, Unbound DNS and QRL. Separately, the community has already raised the money to audit the PHP framework Symfony. If additional funding is obtained, audits are also planned for systemd, Electron, Rails, Drupal, Joomla, webpack, Reprepro, Ceph, React Native, Salt, Ansible, Angular, Gatsby and Guava.
The selection was made empirically, by assessing how much each project's security affects the open source ecosystem and how much the community would benefit from improving the security of the candidate projects. For roughly 100,000 projects on GitHub, a score was computed that takes into account factors such as popularity as a dependency, demand in infrastructure, number of developers, development activity, the number of closed and still open bug reports, the number of organizations backing the project, update frequency, vulnerability history, and so on.