Introducing the New Package/Library Catalog for Node.js, PHP, Python, Ruby, & Java

Released on: January 2025

Atatus now added the feature Catalogs for packages and libraries in languages like Node.js, PHP, Python, Ruby, and Java. This feature provides detailed insights into:

1. License: Identifies the type of license associated with the package, ensuring compliance with licensing requirements.
2. Vulnerabilities: Highlights known security vulnerabilities in the package to help mitigate risks.
3. Current Version: Displays the currently installed version of the package, making it easy to determine if updates are needed.
4. OpenSSF Score: Indicates the security and health rating of the package, based on the standards set by OpenSSF.

The OpenSSF Score (Open Source Security Foundation Score) is a metric used to evaluate the security posture of open-source projects. It assesses various aspects of a project to ensure it adheres to best practices for open-source security and reliability.

The score typically considers:

• Code Quality: Whether the project follows secure coding practices.
• Dependency Management: How well the project handles its dependencies, including addressing vulnerabilities.
• Community Engagement: The project's responsiveness to security issues and its maintenance activity.
• Best Practices: Adoption of practices such as cryptographic signing of commits, secure CI/CD pipelines, and multi-factor authentication.

By providing this score in Atatus, you can easily gauge the trustworthiness and security maturity of the packages used in your projects, allowing for better-informed decisions about their inclusion in your stack.