Standard code scanners can help spot vulnerabilities and open source licensing issues, but this alone doesn’t tell the whole story when it comes to software supply chain risk. It’s also important to understand the health and quality of the open source components in your projects. But defining the health and quality of these packages — and understanding why it matters — isn’t straightforward.
Think of package health as an ecosystem influenced by factors like how well the package is maintained and how up-to-date it is. Packages that lag in maintenance or are versions behind can turn into potential security risks down the line — risks that aren’t immediately apparent if you’re only focusing on current vulnerabilities. To truly gauge the quality of your open source components, you must look at a range of indicators that, together, give a clearer picture of their overall health.
To help solve this problem, we recently launched FOSSA Quality. This tool digs deeper than typical surface-level checks, delivering visibility into the real health of your open source components. But it doesn’t stop at visibility. FOSSA Quality enables you to set policies and enforce rules around these signals so you can keep your software supply chain healthy without adding manual effort.
Proactive Health Monitoring
At its core, FOSSA Quality serves as a proactive health monitor for your open source software supply chain. By evaluating multiple health indicators, it identifies components that could compromise your project's security in the future. This allows your team to prioritize updates and replacements before vulnerabilities arise.
FOSSA Quality enables visibility into:
- Abandoned packages: These are packages that haven't seen any activity from maintainers in at least two years. Identifying abandoned packages is crucial because they may not receive fixes for bugs or newly discovered vulnerabilities.
- Outdated packages: These are packages that lag several versions behind the most current release. You can set specific thresholds to flag these packages. Outdated packages are an issue because they might miss critical security patches or feature improvements.
- Empty packages: These are packages with no runnable code, potentially indicating issues like faulty publication or name squatting (which can lead to dependency confusion attacks). Since they offer no functionality, empty packages serve only as potential liabilities.
- Native code: This feature identifies packages that include compiled executable files. While native code is not inherently risky, it can obscure the package's intent and functionality. Binaries might conceal harmful code that remains undetected without specialized analysis.
Additionally, FOSSA Quality makes it possible for you to proactively block specific packages from use, keeping them out of your production environments.
Streamlined Policy Enforcement
FOSSA Quality goes beyond just monitoring; it empowers teams to enforce health and security standards across their projects. With customizable policy settings, you can automatically block or allow packages based on their health signals. This not only reduces the manual workload but ensures consistency in how open source components are evaluated and integrated into your projects.
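To make the four health signals above and the policy enforcement concrete, here is an added example: a small Python audit that computes abandonment, version lag, emptiness and native-code presence over constructed package metadata and then applies a block/allow policy. This is illustration code, not FOSSA's code, and it does not reproduce how FOSSA Quality actually derives its signals; the PackageInfo fields, the policy keys, the sample package names and all dates and versions are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PackageInfo:
    # Hypothetical metadata record for one dependency (assumed shape, not FOSSA's data model)
    name: str
    installed_version: str
    available_versions: list      # every published version, in any order
    last_maintainer_activity: date
    code_files: list              # source files shipped in the package
    binary_files: list            # compiled artefacts (.so, .dll, executables) shipped in the package


def parse_version(version):
    # Minimal numeric version parser: "1.10.2" -> (1, 10, 2)
    return tuple(int(part) for part in version.split("."))


def versions_behind(pkg):
    """Count published versions that are newer than the installed one."""
    installed = parse_version(pkg.installed_version)
    return sum(1 for v in pkg.available_versions if parse_version(v) > installed)


def is_abandoned(pkg, as_of, years=2):
    """Abandoned: no maintainer activity for at least `years` (page default: two)."""
    return as_of - pkg.last_maintainer_activity >= timedelta(days=365 * years)


def is_empty(pkg):
    """Empty: nothing runnable shipped at all, neither source nor binaries."""
    return not pkg.code_files and not pkg.binary_files


def has_native_code(pkg):
    return bool(pkg.binary_files)


def evaluate(pkg, as_of, policy):
    """Derive the health signals for one package and apply the policy to them."""
    signals = {
        "abandoned": is_abandoned(pkg, as_of, policy["abandoned_after_years"]),
        "versions_behind": versions_behind(pkg),
        "empty": is_empty(pkg),
        "native_code": has_native_code(pkg),
    }
    # Outdated: lagging more than the configured number of releases behind the newest
    signals["outdated"] = signals["versions_behind"] > policy["outdated_threshold"]

    reasons, warnings = [], []
    if pkg.name in policy["denylist"]:
        reasons.append("explicitly blocked by policy")
    if signals["abandoned"] and policy["block_abandoned"]:
        reasons.append("abandoned (no maintainer activity in %d+ years)" % policy["abandoned_after_years"])
    if signals["outdated"] and policy["block_outdated"]:
        reasons.append("outdated (%d versions behind)" % signals["versions_behind"])
    if signals["empty"] and policy["block_empty"]:
        reasons.append("empty package (no runnable code)")
    if signals["native_code"]:
        # Native code is not inherently risky, so the policy may warn instead of block
        (reasons if policy["block_native_code"] else warnings).append("ships compiled binaries")

    return {"signals": signals, "decision": "block" if reasons else "allow",
            "reasons": reasons, "warnings": warnings}


def audit(packages, as_of, policy):
    return {pkg.name: evaluate(pkg, as_of, policy) for pkg in packages}


# Constructed sample data: four hypothetical packages and one hypothetical policy
AS_OF = date(2024, 6, 1)
POLICY = {
    "abandoned_after_years": 2,
    "outdated_threshold": 3,
    "block_abandoned": True,
    "block_outdated": True,
    "block_empty": True,
    "block_native_code": False,   # warn only
    "denylist": {"leftpad-ish"},
}
SAMPLE_PACKAGES = [
    PackageInfo("leftpad-ish", "1.0.0", ["1.0.0", "1.0.1", "1.1.0", "2.0.0", "2.1.0"],
                date(2021, 1, 15), ["index.js"], []),
    PackageInfo("fresh-lib", "3.2.0", ["3.0.0", "3.1.0", "3.2.0"],
                date(2024, 5, 20), ["lib.py"], []),
    PackageInfo("totally-real-utils", "0.0.1", ["0.0.1"],
                date(2024, 3, 1), [], []),
    PackageInfo("fast-hash", "1.4.0", ["1.3.0", "1.4.0", "1.5.0"],
                date(2024, 4, 10), ["hash.py"], ["_fasthash.so"]),
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_PACKAGES, AS_OF, POLICY).items():
        print(name, result["decision"], result["reasons"], result["warnings"])
```

Running the script blocks the abandoned and outdated (and denylisted) `leftpad-ish` and the empty `totally-real-utils`, allows `fresh-lib`, and allows `fast-hash` with a native-code warning. The point of the structure is that signal derivation and policy decisions are separate: the same signals can be surfaced for review or enforced automatically by changing only the policy dictionary, which is the same split the text describes between visibility and enforcement.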
Integrating with Your Workflows
FOSSA Quality is built to seamlessly integrate into your existing development and security workflows. Whether you're reviewing a single project or managing a portfolio of software, Quality enables you to make open source health a central part of your development lifecycle without adding overhead or complexity.
To learn more about Quality signals and how to integrate them into your workflow, check out our documentation.
Getting Started
If you’re new to FOSSA and eager to elevate your software's security and overall integrity, getting started is straightforward. You can sign up for a FOSSA premium account (recommended for smaller organizations) for immediate access to this feature, or request a demo (recommended for larger organizations) to get an in-depth look.
FOSSA Quality is another step in support of our mission to help companies embrace open source software and improve the integrity of their software supply chains. It adds an additional layer of visibility and control, assuring your software supply chain is not only free of known vulnerabilities but also healthy for the long term.