OSS Supply Chain Risk Scoring - Where abandoned packages come to rest
Ossuary
Ossuary analyzes open source packages for governance-based supply chain risk before an incident occurs. It computes a 0-100 risk score from maintainer concentration, commit activity, and protective factors such as sponsorship, organizational ownership and download volume, all of which are observable in public metadata.
What It Detects
Ossuary targets governance failures, the class of weakness behind incidents such as:
- event-stream (2018): an unmaintained package was handed to an unknown volunteer, who then added a malicious dependency
- colors/faker (2022): a frustrated maintainer deliberately published sabotaged releases of his own packages
Detection Capabilities
| Can Detect | Cannot Detect |
|---|---|
| Maintainer abandonment | Account compromise (like ua-parser-js) |
| High concentration risk | Dependency confusion attacks |
| Economic frustration signals | Typosquatting |
| Declining activity trends | Malicious code injection |
| Governance centralization | |
Quick Start
```bash
# Install
pip install ossuary
# Initialize database (optional, for caching)
ossuary init
# Score a package
ossuary score event-stream --ecosystem npm
# Score using only data that existed before a given date (T-1 analysis):
# here, the week before the event-stream handoff became an incident
ossuary score event-stream --ecosystem npm --cutoff 2018-09-01
# Output as JSON
ossuary score requests --ecosystem pypi --json
```
Risk Levels
| Score | Level | Semaphore | Action |
|---|---|---|---|
| 0-20 | Very Low | 🟢 | Routine monitoring |
| 21-40 | Low | 🟢 | Quarterly review |
| 41-60 | Moderate | 🟡 | Monthly review |
| 61-80 | High | 🟠 | Weekly review + contingency plan |
| 81-100 | Critical | 🔴 | Immediate action required |
Scoring Methodology
```
Final Score = Base Risk + Activity Modifier + Protective Factors
               (20-100)     (-30 to +20)       (-100 to +20)
```
Base Risk (Maintainer Concentration)
| Concentration | Points |
|---|---|
| <30% | 20 |
| 30-50% | 40 |
| 50-70% | 60 |
| 70-90% | 80 |
| >90% | 100 |
Activity Modifier
| Commits/Year | Points |
|---|---|
| >50 | -30 |
| 12-50 | -15 |
| 4-11 | 0 |
| <4 | +20 |
Protective Factors
| Factor | Points |
|---|---|
| Tier-1 maintainer (500+ repos or 100K+ stars) | -25 |
| GitHub Sponsors enabled | -15 |
| Organization with 3+ admins | -15 |
| >50M weekly downloads | -20 |
| >10M weekly downloads | -10 |
| <40% concentration | -10 |
| >20 contributors | -10 |
| CII Best Practices badge | -10 |
| Frustration signals detected | +20 |
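The three tables above, together with the `--cutoff` option from Quick Start, are enough to reproduce a score end to end. The following is an added example, not code from the ossuary package: it encodes the Base Risk, Activity Modifier and Protective Factors tables as functions, derives maintainer concentration and commits/year from a list of (author, date) commits truncated at a cutoff date, and scores two constructed histories. Where the page is silent it assumes: bucket boundaries are lower-inclusive (exactly 90% scores 80, anything above 90% scores 100); commits/year counts the 365 days ending at the cutoff; the two download factors do not stack; and the sum is clamped to the 0-100 range of the Risk Levels table. The commit logs, author names and the `Signals` fields are all constructed for the example.

```python
"""Ossuary-style governance scoring reproduced from the tables on this page.

Added example, not code from the ossuary package. Assumptions not stated on
the page: bucket boundaries are lower-inclusive; commits/year counts the 365
days ending at the cutoff; the two download factors do not stack; the final
score is clamped to 0-100. Commit logs and author names below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Signals:
    concentration: float          # % of commits by the most active author
    commits_per_year: int         # commits in the trailing 365 days
    contributors: int             # distinct commit authors
    tier1_maintainer: bool = False
    sponsors_enabled: bool = False
    org_admins: int = 0
    weekly_downloads: int = 0
    cii_badge: bool = False
    frustration_signals: bool = False


def signals_from_log(log, as_of):
    """Git-derived inputs from (author, date) pairs, ignoring commits after as_of.
    This is what a --cutoff date does: the scorer only sees history up to T-1."""
    history = [(a, d) for a, d in log if d <= as_of]
    if not history:
        raise ValueError(f"no commits on or before {as_of}")
    counts = Counter(a for a, _ in history)
    concentration = 100.0 * max(counts.values()) / len(history)
    year_start = as_of - timedelta(days=365)
    per_year = sum(1 for _, d in history if d > year_start)
    return Signals(concentration, per_year, len(counts))


def base_risk(concentration):
    """Base Risk table (maintainer concentration -> 20..100)."""
    if concentration > 90:
        return 100
    if concentration >= 70:
        return 80
    if concentration >= 50:
        return 60
    if concentration >= 30:
        return 40
    return 20


def activity_modifier(commits_per_year):
    """Activity Modifier table (-30..+20)."""
    if commits_per_year > 50:
        return -30
    if commits_per_year >= 12:
        return -15
    if commits_per_year >= 4:
        return 0
    return 20


def protective_factors(s):
    """Protective Factors table; returns (total, [(name, points), ...])."""
    applied = []
    if s.tier1_maintainer:
        applied.append(("tier-1 maintainer", -25))
    if s.sponsors_enabled:
        applied.append(("GitHub Sponsors enabled", -15))
    if s.org_admins >= 3:
        applied.append(("organization with 3+ admins", -15))
    if s.weekly_downloads > 50_000_000:        # assumption: tiers do not stack
        applied.append((">50M weekly downloads", -20))
    elif s.weekly_downloads > 10_000_000:
        applied.append((">10M weekly downloads", -10))
    if s.concentration < 40:
        applied.append(("<40% concentration", -10))
    if s.contributors > 20:
        applied.append((">20 contributors", -10))
    if s.cii_badge:
        applied.append(("CII Best Practices badge", -10))
    if s.frustration_signals:
        applied.append(("frustration signals detected", 20))
    return sum(p for _, p in applied), applied


def risk_level(score):
    """Risk Levels table."""
    for ceiling, name in ((20, "Very Low"), (40, "Low"), (60, "Moderate"), (80, "High")):
        if score <= ceiling:
            return name
    return "Critical"


def score(s):
    base = base_risk(s.concentration)
    activity = activity_modifier(s.commits_per_year)
    protective, applied = protective_factors(s)
    total = max(0, min(100, base + activity + protective))   # clamp is an assumption
    return {"score": total, "risk_level": risk_level(total), "base": base,
            "activity": activity, "protective": protective, "factors": applied}


def score_log(log, as_of, **non_git):
    """Derive git signals at as_of, overlay non-git factors (sponsors, admins...), score."""
    s = signals_from_log(log, as_of)
    for name, value in non_git.items():
        setattr(s, name, value)
    return score(s)


# Constructed histories, not real repositories. ABANDONED: one author does nearly
# everything, activity stops in 2017, then a new name appears after the cutoff.
ABANDONED_LOG = (
    [("alice", date(2016, 1, 10) + timedelta(days=60 * i)) for i in range(9)]
    + [("bob", date(2016, 5, 1)), ("mallory", date(2018, 9, 9)), ("mallory", date(2018, 9, 16))]
)
# HEALTHY: five authors sharing 60 commits in the last year on top of older history.
_AUTHORS = ["ann", "ben", "cai", "dee", "eli"]
HEALTHY_LOG = (
    [("ann", date(2015, 6, 1) + timedelta(days=30 * i)) for i in range(10)]
    + [(_AUTHORS[i % 5], date(2017, 9, 2) + timedelta(days=6 * i)) for i in range(60)]
)
CUTOFF = date(2018, 9, 1)   # T-1 for the constructed handoff, matching the Quick Start example

if __name__ == "__main__":
    print(score_log(ABANDONED_LOG, CUTOFF))
    print(score_log(HEALTHY_LOG, CUTOFF, org_admins=3))
```

At the 2018-09-01 cutoff the abandoned history scores 100 (Critical): 90% concentration gives 80 base points and zero commits in the trailing year adds 20, the same breakdown as the API response further down this page. The healthy history sums to a negative raw value (40 - 30 - 10 - 15), which the clamp assumption lifts to 0; how the real tool reports that case is not documented here.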
API Usage
Start the API server (`--host 0.0.0.0` listens on every interface, and this page documents no authentication on the endpoint, so bind to 127.0.0.1 or front it with an authenticating proxy unless it is meant to be reachable):

```bash
uvicorn ossuary.api.main:app --host 0.0.0.0 --port 8000
```

Query a package:

```bash
curl "http://localhost:8000/score/npm/event-stream"
```
Response:

```json
{
  "package": "event-stream",
  "ecosystem": "npm",
  "score": 100,
  "risk_level": "CRITICAL",
  "semaphore": "🔴",
  "explanation": "🔴 CRITICAL (100). Critical concentration (90%): single person controls nearly all commits. Project appears abandoned (<4 commits/year).",
  "recommendations": [
    "IMMEDIATE: Identify alternative packages or prepare to fork",
    "Do not accept new versions without manual code review"
  ]
}
```
Development
```bash
# Clone
git clone https://github.com/anicka-net/ossuary-risk.git
cd ossuary-risk
# Install with dev dependencies
pip install -e ".[dev]"
# Run tests
pytest
# Run linter
ruff check src/
# Type check
mypy src/
```
Configuration
Environment variables:

```bash
# Required only for higher GitHub API rate limits. Reading public repository
# metadata needs no token scopes; keep the value out of the repository and CI logs.
GITHUB_TOKEN=ghp_xxxxxxxxxxxxx
# Database (defaults to SQLite)
DATABASE_URL=postgresql://user:pass@localhost/ossuary
# Where cloned repositories are stored
REPOS_PATH=./repos
```
Architecture
```
┌───────────────────────────────────────────────────────────────┐
│                           API / CLI                           │
└───────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌───────────────────────────────────────────────────────────────┐
│                        Scoring Engine                         │
│  - Base risk (concentration)                                  │
│  - Activity modifier                                          │
│  - Protective factors                                         │
│  - Sentiment analysis                                         │
└───────────────────────────────────────────────────────────────┘
                                │
                                ▼
┌───────────────────────────────────────────────────────────────┐
│                        Data Collectors                        │
│ GitCollector | GitHubCollector | NpmCollector | PyPICollector │
└───────────────────────────────────────────────────────────────┘
```
Validation
Validated on 92 packages (20 known incidents and 72 controls):
- Accuracy: 92.4%
- Precision: 100.0%
- Recall: 65.0%
- F1 score: 0.79
These four figures are mutually consistent with 13 true positives, 7 missed incidents, 0 false positives and 72 true negatives: (13 + 72) / 92 = 92.4% and F1 = 2 × 1.00 × 0.65 / 1.65 = 0.79. Precision of 100% means no control package was flagged; the 7 misses, read with the T-1 result below, are incidents outside the governance class (the Cannot Detect column above).
When each incident package is scored with data truncated at a date before the incident (T-1 analysis), Ossuary flags every incident in the governance class before it occurred; no claim is made for incidents outside that class.
See the methodology documentation for details.
License
MIT
Academic Context
This project supports MBA thesis research on OSS supply chain risk. Key contribution: demonstrating that meaningful risk indicators are observable in public metadata before incidents occur.
Project details
Download files
File details
Details for the file ossuary_risk-0.1.1.tar.gz.
File metadata
- Download URL: ossuary_risk-0.1.1.tar.gz
- Upload date:
- Size: 43.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
Both files of this release were uploaded with twine using an account credential rather than through Trusted Publishing, so PyPI holds no publisher-identity attestation tying them to the GitHub repository; if that matters, rebuild from the tagged source and compare against the SHA256 digests below (MD5 is listed for compatibility only and should not be used for pinning).
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | a5a1200e61bb968044c6f438f09526958f0ef34ab385577f51b98914d5a59f56 |
| MD5 | 4c2b061ee597538a767ee1b7ef22a79f |
| BLAKE2b-256 | 58183bacd765b53e0d317e4a4802c12d3883180a23e2ba852f098ed0826db884 |
File details
Details for the file ossuary_risk-0.1.1-py3-none-any.whl.
File metadata
- Download URL: ossuary_risk-0.1.1-py3-none-any.whl
- Upload date:
- Size: 34.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.11
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | bd247dce9b741d637cc0302b8846ea2176a1f9b639e6618341879da97238e3cf |
| MD5 | 9a59ebd50737d83f5959b7448562c18a |
| BLAKE2b-256 | 294138c6d358e1e5c0d464813f8032ed865751f02fbecda3b416f2c83fca5a8a |