How scores work

Meterian’s assessment report displays three scores labelled Security, Stability and Licensing. All these scores range from 100 to 0, where 100 is the best score. Scores represent a straightforward way to understand the posture of a codebase and can be used to control the exit code of the scanner in order to fail a build on a CI system.

Security measures how likely a codebase is to be affected by security vulnerabilities. A value of 0 stands for "very likely to be insecure", while a value of 100 is, of course, very secure according to our analysis. There are two basic algorithms used to compute this score, and the one in use can be selected in the dashboard configuration.

Stability shows how likely the code is to be subject to critical defects. While not directly related to software security, critical defects can cause the application to misbehave, crash, or perform poorly. The Stability indicator is calculated taking into account all components that can be patched: each missing patch deducts 1 point from the initial score of 100.

Licensing measures how likely the code is to be compliant with the policies defined at the account level regarding the licenses of the components. Each component that does not declare a license deducts one point from the initial score of 100, and any component with a license forbidden by the applicable policies immediately brings the score to 0.
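To make the Stability and Licensing rules above concrete, here is an added example (not Meterian's own code) that applies them to a constructed dependency inventory and then derives a CI exit code from the resulting scores. The component fields, the forbidden-license set and the per-score thresholds are all assumptions for illustration; the page describes the deductions but not how thresholds are configured.

```python
from typing import Dict, Iterable, Optional

# Constructed sample inventory (not real scanner output): each entry is one
# dependency with the number of patches it is missing and its declared license.
SAMPLE_COMPONENTS = [
    {"name": "lib-a", "missing_patches": 0, "license": "MIT"},
    {"name": "lib-b", "missing_patches": 2, "license": "Apache-2.0"},
    {"name": "lib-c", "missing_patches": 1, "license": None},  # no license declared
]

# Hypothetical account-level policy: licenses that are not allowed at all.
FORBIDDEN_LICENSES = frozenset({"GPL-3.0"})


def stability_score(components: Iterable[Dict]) -> int:
    """Start at 100 and deduct one point per missing patch, never below 0."""
    deductions = sum(int(c["missing_patches"]) for c in components)
    return max(0, 100 - deductions)


def licensing_score(components: Iterable[Dict], forbidden: frozenset) -> int:
    """A single forbidden license zeroes the score outright; otherwise deduct
    one point per component with no declared license, never below 0."""
    components = list(components)
    if any(c["license"] in forbidden for c in components):
        return 0
    undeclared = sum(1 for c in components if c["license"] is None)
    return max(0, 100 - undeclared)


def build_exit_code(scores: Dict[str, int], thresholds: Dict[str, int]) -> int:
    """Hypothetical CI gate: exit 1 when any score is below its minimum.
    Thresholds are an assumption; the page only says scores can drive the exit code."""
    failing = [name for name, minimum in thresholds.items() if scores[name] < minimum]
    return 1 if failing else 0


if __name__ == "__main__":
    scores = {
        "stability": stability_score(SAMPLE_COMPONENTS),
        "licensing": licensing_score(SAMPLE_COMPONENTS, FORBIDDEN_LICENSES),
    }
    print(scores)  # {'stability': 97, 'licensing': 99}
    # lib-c has no declared license, so a 100-point licensing minimum fails the build.
    raise SystemExit(build_exit_code(scores, {"stability": 90, "licensing": 100}))
```

The two floors (`max(0, ...)`) matter: a large enough number of missing patches or undeclared licenses cannot push a score negative, and a forbidden license short-circuits before any counting happens.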

Enterprise customers can request to use custom algorithms to compute those scores.

Some may think our scoring applies a harsh judgement. But isn't it better to receive a stronger alert that calls attention to bolstering your code's security than to risk a milder alert that could lead to undeserved complacency? So please don't be intimidated by seeing Security or Stability scores of 0! Make haste to fix the problems repo
