ossuary-risk 0.1.0__py3-none-any.whl

ossuary_risk-0.1.0.dist-info/METADATA

@@ -0,0 +1,241 @@
+Metadata-Version: 2.4
+Name: ossuary-risk
+Version: 0.1.0
+Summary: OSS Supply Chain Risk Scoring - Where abandoned packages come to rest
+Project-URL: Homepage, https://github.com/anicka-net/ossuary
+Project-URL: Repository, https://github.com/anicka-net/ossuary
+Project-URL: Documentation, https://github.com/anicka-net/ossuary/blob/main/docs/methodology.md
+Author: Anicka
+License-Expression: MIT
+Keywords: oss,risk,scoring,security,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Requires-Python: >=3.11
+Requires-Dist: alembic>=1.13.0
+Requires-Dist: fastapi>=0.109.0
+Requires-Dist: gitpython>=3.1.0
+Requires-Dist: httpx>=0.26.0
+Requires-Dist: psycopg2-binary>=2.9.0
+Requires-Dist: pydantic-settings>=2.1.0
+Requires-Dist: pydantic>=2.5.0
+Requires-Dist: rich>=13.0.0
+Requires-Dist: sqlalchemy>=2.0.0
+Requires-Dist: textblob>=0.18.0
+Requires-Dist: typer>=0.9.0
+Requires-Dist: uvicorn[standard]>=0.27.0
+Requires-Dist: vadersentiment>=3.3.0
+Provides-Extra: dev
+Requires-Dist: httpx>=0.26.0; extra == 'dev'
+Requires-Dist: mypy>=1.8.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23.0; extra == 'dev'
+Requires-Dist: pytest-cov>=4.1.0; extra == 'dev'
+Requires-Dist: pytest>=7.4.0; extra == 'dev'
+Requires-Dist: ruff>=0.1.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# Ossuary
+
+**OSS Supply Chain Risk Scoring** - Where abandoned packages come to rest.
+
+Ossuary analyzes open source packages to identify governance-based supply chain risks before incidents occur. It calculates a risk score based on maintainer concentration, activity levels, and protective factors.
+
+## What It Detects
+
+Ossuary focuses on **governance failures** - the type of vulnerability that enabled attacks like:
+
+- **event-stream** (2018) - Abandoned package handed off to malicious maintainer
+- **colors/faker** (2022) - Frustrated maintainer intentionally sabotaged packages
+
+### Detection Capabilities
+
+| Can Detect | Cannot Detect |
+|------------|---------------|
+| Maintainer abandonment | Account compromise (like ua-parser-js) |
+| High concentration risk | Dependency confusion attacks |
+| Economic frustration signals | Typosquatting |
+| Declining activity trends | Malicious code injection |
+| Governance centralization | |
+
+## Quick Start
+
+```bash
+# Install
+pip install ossuary
+
+# Initialize database (optional, for caching)
+ossuary init
+
+# Score a package
+ossuary score event-stream --ecosystem npm
+
+# Score with historical cutoff (T-1 analysis)
+ossuary score event-stream --ecosystem npm --cutoff 2018-09-01
+
+# Output as JSON
+ossuary score requests --ecosystem pypi --json
+```
+
+## Risk Levels
+
+| Score | Level | Semaphore | Action |
+|-------|-------|-----------|--------|
+| 0-20 | Very Low | 🟢 | Routine monitoring |
+| 21-40 | Low | 🟢 | Quarterly review |
+| 41-60 | Moderate | 🟡 | Monthly review |
+| 61-80 | High | 🟠 | Weekly review + contingency plan |
+| 81-100 | Critical | 🔴 | Immediate action required |
+
+## Scoring Methodology
+
+```
+Final Score = Base Risk + Activity Modifier + Protective Factors
+             (20-100)      (-30 to +20)        (-100 to +20)
+```
+
+### Base Risk (Maintainer Concentration)
+
+| Concentration | Points |
+|---------------|--------|
+| <30% | 20 |
+| 30-50% | 40 |
+| 50-70% | 60 |
+| 70-90% | 80 |
+| >90% | 100 |
+
+### Activity Modifier
+
+| Commits/Year | Points |
+|--------------|--------|
+| >50 | -30 |
+| 12-50 | -15 |
+| 4-11 | 0 |
+| <4 | +20 |
+
+### Protective Factors
+
+| Factor | Points |
+|--------|--------|
+| Tier-1 maintainer (500+ repos or 100K+ stars) | -25 |
+| GitHub Sponsors enabled | -15 |
+| Organization with 3+ admins | -15 |
+| >50M weekly downloads | -20 |
+| >10M weekly downloads | -10 |
+| <40% concentration | -10 |
+| >20 contributors | -10 |
+| CII Best Practices badge | -10 |
+| **Frustration signals detected** | **+20** |
+
+## API Usage
+
+Start the API server:
+
+```bash
+uvicorn ossuary.api.main:app --host 0.0.0.0 --port 8000
+```
+
+Query a package:
+
+```bash
+curl "http://localhost:8000/score/npm/event-stream"
+```
+
+Response:
+
+```json
+{
+  "package": "event-stream",
+  "ecosystem": "npm",
+  "score": 100,
+  "risk_level": "CRITICAL",
+  "semaphore": "🔴",
+  "explanation": "🔴 CRITICAL (100). Critical concentration (90%): single person controls nearly all commits. Project appears abandoned (<4 commits/year).",
+  "recommendations": [
+    "IMMEDIATE: Identify alternative packages or prepare to fork",
+    "Do not accept new versions without manual code review"
+  ]
+}
+```
+
+## Development
+
+```bash
+# Clone
+git clone https://github.com/anicka/ossuary.git
+cd ossuary
+
+# Install with dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest
+
+# Run linter
+ruff check src/
+
+# Type check
+mypy src/
+```
+
+## Configuration
+
+Environment variables:
+
+```bash
+# Required for higher GitHub API rate limits
+GITHUB_TOKEN=ghp_xxxxxxxxxxxxx
+
+# Database (defaults to SQLite)
+DATABASE_URL=postgresql://user:pass@localhost/ossuary
+
+# Repository storage
+REPOS_PATH=./repos
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                        API / CLI                            │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│                     Scoring Engine                           │
+│  - Base risk (concentration)                                │
+│  - Activity modifier                                        │
+│  - Protective factors                                       │
+│  - Sentiment analysis                                       │
+└─────────────────────────────────────────────────────────────┘
+                              │
+                              ▼
+┌─────────────────────────────────────────────────────────────┐
+│                    Data Collectors                           │
+│  GitCollector | GitHubCollector | NpmCollector | PyPICollector│
+└─────────────────────────────────────────────────────────────┘
+```
+
+## Validation
+
+Validated on 93 packages (20 incidents + 73 controls):
+
+- **Accuracy**: 91.4%
+- **Precision**: 92.9%
+- **Recall**: 65.0%
+- **F1 Score**: 0.76
+
+T-1 analysis confirms **100% predictive detection** of governance-detectable incidents before they occurred.
+
+See [methodology documentation](docs/methodology.md) for details.
+
+## License
+
+MIT
+
+## Academic Context
+
+This project supports MBA thesis research on OSS supply chain risk. Key contribution: demonstrating that meaningful risk indicators are observable in public metadata before incidents occur.

ossuary_risk-0.1.0.dist-info/RECORD

@@ -0,0 +1,23 @@
+ossuary/__init__.py,sha256=LBPIxjvA1VQ68JIe5jEHLM3k4olf6F-egSzmBwyl6gc,111
+ossuary/cli.py,sha256=aK8C0caQExM2RZktx7wKruMqpsvsi2JRMxsGe6uL0ns,12016
+ossuary/api/__init__.py,sha256=ZeoSK1LsObUCJjTBPuYIz9wPcsNdjcNyXjwV9Cm3nGo,30
+ossuary/api/main.py,sha256=LCOnxh8XYBI5z9O-fTuczV5IP84LNCz0KKcZ18EBdDg,6094
+ossuary/collectors/__init__.py,sha256=4RwxUTTH8GbEXIUYCxjl1RjkWcb748D-BO3jdiW_btM,324
+ossuary/collectors/base.py,sha256=XiQ8qlrJOdDBbNt8yl7M0dMf5KDbDcpBAmzxaLdyCyo,637
+ossuary/collectors/git.py,sha256=Ljy8i1lmLDz5KhCIYtczGM5AiRgs0tm-zPbhxdZ5RCo,7553
+ossuary/collectors/github.py,sha256=D1abhZVuMAOWgHhnkpIWJ7rdrdIQ5Vwg64Ihq9yNdy4,16977
+ossuary/collectors/npm.py,sha256=wBufJBrq52NGxjqHOInEtvlmw8NvwG39r3vuKGIHqgw,3586
+ossuary/collectors/pypi.py,sha256=mwBbK5VFDGo3b6uKlr2dUqKwJoj-d11jiHSxEKYU91Y,3625
+ossuary/db/__init__.py,sha256=kLmKsHlKXXsDHB7-gnV3BYJx5bkHc2qxQBJBt023gGI,321
+ossuary/db/models.py,sha256=6n1XlYFG6Hud41FCZUFk54ZH2xAyu5gvDNAyInxL8uc,6919
+ossuary/db/session.py,sha256=sUzk271Q0UrFHccu4m2Y1rGXcPC5Zgno0feT5j9Yrlg,1267
+ossuary/scoring/__init__.py,sha256=IzcbPV5NugIa1luLg6YVoy8TPEcFjlKyvgqX16vKHds,454
+ossuary/scoring/engine.py,sha256=jhWHkQ4V24osoNxhdWKUdptjLXCMZaIAPX2g3A_lC8E,11924
+ossuary/scoring/factors.py,sha256=DSQBQyUeVgl9pX1pDysRChBPW_j7XUW-ZDRXx58IRvs,5921
+ossuary/scoring/reputation.py,sha256=PABfHfZiRWGJxv-4q19qHIY0WmtTWQE-oIYTkffyiKE,9741
+ossuary/sentiment/__init__.py,sha256=ouOTyAh9Z_GW2UBMH0h-qD-jYUJVyyZfP7rK3KlJu58,147
+ossuary/sentiment/analyzer.py,sha256=ndlqVaKiM23P4yeFcOrRtOP7K0UCVY99Nqk9cvKVIro,7383
+ossuary_risk-0.1.0.dist-info/METADATA,sha256=iw9KDkUbV6R629mjb8CJIVXosbFSFWZhpk3Im-ZxXmg,7608
+ossuary_risk-0.1.0.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+ossuary_risk-0.1.0.dist-info/entry_points.txt,sha256=PorJvPUnbx9MTUHWHpypRK6N1Hra5Xcisk1aOtj443k,44
+ossuary_risk-0.1.0.dist-info/RECORD,,

ossuary_risk-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.28.0
+Root-Is-Purelib: true
+Tag: py3-none-any

ossuary_risk-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+ossuary = ossuary.cli:app