What is this health score supposed to tell me?

  • The big green box on the left panel is an aggregate score that represents the "goodness" of your application and all its dependencies. A higher number means that you're using better versions of your dependencies, meaning that you're using the versions that:
    • Bring in the fewest and least-severe vulnerabilities
    • Use non-restrictive licenses
    • Are popular

What are these different "levels" supposed to indicate?

  • The levels are arbitrary, and moving from one level to the next doesn't confer any discrete advantages to your application. It's just a fun, easy way to quickly gauge your application's overall health.

One of my dependencies is bringing down my score. How do I fix that?

  • Start with updating your direct dependency to a version that does not bring in risk.

How do I update my dependencies to get a better score?

  • Typically, improving your score means updating your dependencies to versions that do not bring in risk.

What if there is not a non-vulnerable version to upgrade to?

  • Consider whether the dependency adds enough value to keep it in your project; if not, find a better component.
  • Do what you can in your code to isolate the risk and update your stakeholders with the facts.

Why does my dependency have a zero score?

  • These are components for which the available data is too incomplete to determine a health score.
  • Identifying unknown risks is an important part of understanding your project's health.
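The three answers above (what the score rewards, upgrading to a lower-risk version, and why incomplete data yields a zero) can be tied together in a small scorer. The following is an added illustration, not the tool's own code: the weights, the 500-point scale, the license classification, the averaging rule and the sample catalogue are all assumptions made for this example.

```python
"""Toy dependency health scorer (illustration only; not the tool's real model).

Scores each available version of a dependency on vulnerabilities, license
restrictiveness and popularity, recommends the lowest-risk version, and gives
a zero score when metadata is missing (unknown risk is itself a finding).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Assumed severity penalties: a higher severity costs more points.
SEVERITY_PENALTY = {"low": 5, "medium": 15, "high": 40, "critical": 80}

# Assumed license classification. Restrictive licenses add obligations for
# downstream users, so they cost points; unrecognised ones cost a little.
RESTRICTIVE_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
PERMISSIVE_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}

MAX_SCORE = 500  # assumed per-component ceiling, echoing the FAQ's "500 pts"


@dataclass
class Version:
    version: str
    vulns: list[str]                      # severities, e.g. ["high", "medium"]
    license: Optional[str] = None         # None means metadata is missing
    popularity: Optional[float] = None    # 0.0..1.0, None means missing


def score_version(v: Version) -> int:
    """Return 0..MAX_SCORE; 0 when the data is too incomplete to judge."""
    if v.license is None or v.popularity is None:
        return 0  # the FAQ's "zero score": unknown risk, not a pass
    score = MAX_SCORE
    # Unknown severity strings are treated as "high" (assumption).
    score -= sum(SEVERITY_PENALTY.get(sev, 40) for sev in v.vulns)
    if v.license in RESTRICTIVE_LICENSES:
        score -= 50
    elif v.license not in PERMISSIVE_LICENSES:
        score -= 25
    score -= round((1.0 - v.popularity) * 50)  # less popular -> up to 50 off
    return max(score, 0)


def best_version(versions: list[Version]) -> Version:
    """Pick the version that brings in the least risk (highest score)."""
    return max(versions, key=score_version)


def aggregate_score(chosen: dict[str, Version]) -> int:
    """Application-level score: average of component scores (assumed rule)."""
    if not chosen:
        return MAX_SCORE
    return sum(score_version(v) for v in chosen.values()) // len(chosen)


# Constructed sample catalogue: versions available for each direct dependency.
CATALOGUE = {
    "libfoo": [
        Version("1.0.0", ["critical", "high"], "MIT", 0.9),
        Version("1.1.0", ["medium"], "MIT", 0.8),
        Version("1.2.0", [], "MIT", 0.6),
    ],
    "libbar": [
        Version("2.0.0", ["high"], "GPL-3.0", 0.7),
        Version("2.1.0", ["high"], "GPL-3.0", 0.7),  # no clean version exists
    ],
    "libbaz": [
        Version("0.1.0", [], None, None),  # metadata missing -> zero score
    ],
}


def recommend_upgrades(current: dict[str, str]) -> dict[str, dict]:
    """For each pinned version, report its score and the best alternative."""
    report = {}
    for name, pinned in current.items():
        versions = CATALOGUE[name]
        cur = next(v for v in versions if v.version == pinned)
        best = best_version(versions)
        report[name] = {
            "current": pinned,
            "current_score": score_version(cur),
            "best": best.version,
            "best_score": score_version(best),
            # True when every available version still carries a vulnerability,
            # i.e. the "no non-vulnerable version to upgrade to" case.
            "no_clean_version": all(v.vulns for v in versions),
        }
    return report


if __name__ == "__main__":
    pins = {"libfoo": "1.0.0", "libbar": "2.0.0", "libbaz": "0.1.0"}
    for name, row in recommend_upgrades(pins).items():
        print(name, row)
```

In the sample data, libfoo has a clean newer release and should simply be updated; libbar has no vulnerability-free version, so the report flags it for the isolate-or-replace decision; libbaz scores zero because its metadata is missing, which is reported rather than silently ignored.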

Why should I care about restrictive/non-restrictive licenses?

  • Some licenses require certain actions from you. If you don't comply, you may be opening yourself up to legal action from the license holder.
  • Licenses also add obligations to the users of your project. You may not care, but your consumers will.
    • Consider your app's function, purpose, and your company's business goals to determine whether using a restrictively licensed component makes sense for you. Also consider the end user of your application.

I made it all the way to 500 pts. What do I win?

  • Great job! We knew you could do it.
  • Remember that components age more like milk than wine. New vulnerabilities are discovered all the time.
  • Good component hygiene is about staying ahead in the race: improving your application faster than those trying to exploit it can.

Who is this squirrel?

  • That's Dr. Squirrely BOM! He's a professional.

What are Squirrely BOM's credentials?

  • He's an MD, DO, DDS, PhD in Theoretical Physics, Masters in Engineering, and avid amateur bug collector.