| Attribute | Description | Value |
| Name | The name of the source code repository. | Identify the source code repository in the dashboard. |
| Repo Location | The URL of the source code repository. | Access the source code for further analysis. |
| Tag | The tag or branch of the source code. | Track different versions of the source code. |
| First Commit Time | The timestamp of the first commit for the tag | Understand the project's history. |
| Last Commit Time | The timestamp of the last commit for the tag | Assess the project's activity level and maintenance status. |
| Number of Commits/Authors | The number of commits and contributors to the repository. | Gauge the project's maturity and community involvement. |
| Timezones | The timezones of the contributors. | Information about the development team's geographical distribution. |
| Last Scanned Timestamp | The date and time the package was scanned. | "Last Scanned Timestamp" in the New Relic dashboard provides transparency to users, allowing them to understand the freshness of the data they are seeing. |
Type of security standard being evaluated.
The type of the security check
| Attribute | Description | Value |
| Binary Artifacts | Has the project generated executable (binary) artifacts in the source repository? | Binary Artifacts: Has the project generated executable (binary) artifacts in the source repository? |
| CII Best Practices | Does the project have a CII Best Practices badge? | CII Best Practices: Does the project have a CII Best Practices badge? |
| Fuzzing | Does the project use fuzzing in OSS-Fuzz? | Fuzzing: Does the project use fuzzing in OSS-Fuzz? |
| Pinned Dependencies | Has the project declared and pinned its dependencies? | Pinned Dependencies: Has the project declared and pinned its dependencies? |
| CI Tests | Does the project run tests before pull requests are merged? | CI Tests: Does the project run tests before pull requests are merged? |
| Code Review | : Does the project require a code review before pull/merge requests are assimilated? | Code Review: Does the project require a code review before pull/merge requests are assimilated? |
| Maintained | Is the project actively maintained? | Maintained: Is the project actively maintained? |
| Score | The score for the code quality check. | Quantify the code quality. |
| Reason | The reason for the score. | Understand the factors contributing to the code quality. |
| Description | A description of the code quality check. | Provide context and explain the purpose of the check. |
| Issue Details | Details about any code quality issues found. | Understand the specific code quality problems. |
| Attribute | Description | Value |
| Entropy | A measure of the randomness of the data. | Identify potential secrets based on their entropy. |
| Rule_ID | The ID of the rule that detected the secret. | Categorize secrets. |
| Match | The matched secret. | Display the detected secret. |
| Secret | The type of secret detected (e.g., API key, password). | Categorize secrets. |
| Fingerprint | A unique identifier for the secret. | Track secrets across different codebases. |
| Attribute | Description | Value |
| Churn Analysis | Churn analysis attempts to identify the high prevalence of very large commits which may increase the risk of successful malicious contribution | Helps New Relic identify commits with a high risk of malicious code injection due to their size, allowing for focused review. |
| Entropy Analysis | Entropy analysis attempts to identify commits which contain a high degree of textual randomness which may indicate presence of packed malware | Flags potentially obfuscated or packed malware within commits based on high entropy, enabling New Relic to prioritize suspicious code for analysis. |
| Fuzz Analysis | This analysis checks if the repo is participating in the OSS Fuzz program | Shows if a project uses fuzz testing (OSS Fuzz), indicating a greater focus on security and potentially fewer undiscovered vulnerabilities. |
| Identity Analysis | Identity analysis looks at whether the author and committer identities for each commit are the same | Helps New Relic detect potentially malicious commits where the author and committer identities don't match, suggesting unauthorized modifications. |
| Review Analysis | Review analysis looks at whether pull requests receive at least one review prior to being merged | Indicates whether code reviews are practiced, a key security practice that reduces the likelihood of vulnerabilities slipping through. |
| Typo Analysis | Typo analysis attempts to identify possible typo squatting attacks | Helps New Relic detect potential typo squatting attacks, where malicious packages mimic legitimate ones, protecting users from supply chain attacks. |
| Attribute | Description | Value |
| Complexity | A measure of the code's complexity (e.g., cyclomatic complexity). | Assess the maintainability and testability of the code. |
| Language | The programming language used. | Filter and group code by language for analysis. |
| LOC (Lines of Code) | Total lines of code including comments and blank lines. | Measure the size of the codebase. |
| SLOC (Source Lines of Code) | Lines of code excluding comments and blank lines. | More accurate measure of code size. |
| Attribute | Description | Value |
| Depth | The depth of the dependency tree. | Understand the complexity of the dependency graph. |
| Number of Direct Dependencies | The number of direct dependencies. | Manage direct dependencies and their associated risks. |
| Number of Transitive Dependencies | The number of transitive dependencies. | Understand the full extent of the dependency graph and potential vulnerabilities. |
| Dependency Graph | A visual representation of the dependency tree. | Analyze dependencies and their relationships. |
| Attribute | Description | Value |
| Risk Score | Lineaje Risk Score is a 0-10 score representing the overall risk of an open-source component, calculated using a weighted average of age, vulnerability score, code quality, and security posture. | New Relic can use risk score to quickly assess component risk: ZIRL (0) is ideal, while CIRL (9-10) indicates critical risk. This allows for prioritizing remediation efforts and visualizing risk across a project's dependencies. |
| Attestation Level | Measure of how much Lineaje trusts a given open-source component. | LCAL 0: Unknown Component: Lineaje cannot identify the component or verify its provenance. LCAL 1: Known Component: Lineaje can identify the component and its PURL but cannot verify its integrity. LCAL 2: Attested Component: Lineaje has verified the component's integrity and provenance. LCAL 3: Attested Build & Source: Lineaje has verified both the component's package and its source code, ensuring they match and are built from the declared source. LCAL 4: Fully Attested: Lineaje has performed extensive checks, including malware scanning, to ensure the component is untampered and free of malicious code. |
| Attribute | Description | Value |
| Country Code | The country code where the code was committed. | Display on a map or allow filtering by country. |
| Time zone | The time zone where the code was committed. | Correlate with contributor locations. |
| Contributor Name | Full name of the contributor. | Identify key contributors. |
| Contributor Email | Email address of the contributor. | Contact information for contributors. |
| Contributor User ID | Unique identifier for the contributor. | Track contributions across projects. |
| Contributor Location | Location of the contributor. | Visualize contributor distribution on a map. |
| Number of Commits (per contributor) | Number of commits by each contributor. | Identify top contributors. |
| First Commit (per contributor) | Timestamp of the first commit by each contributor. | Track contributor involvement over time. |
| Last Commit (per contributor) | Timestamp of the last commit by each contributor. | Assess recent activity. |