Enhance Software Supply Chain Security with SCA + Package Reputation | Arnica

How Arnica’s third party package reputation works

Arnica’s third party package reputation scanning helps developers and security teams evaluate open source software packages used in the development process. Arnica classifies packages based on a wide range of health and reputation metrics such as:

• Download frequency: How regularly is this package downloaded? Number of downloads last week? 
• Release history: When was it first published? When was the last release? What is the total number of releases? 
• Star count: Has this package been upvoted by the community, signaling reliability? 
• Count of dependents: How many projects rely on this third party package? 
• External reputation scores: What do the external scoring mechanisms, such as OpenSSF, say about the package? 

By offering a detailed assessment of a third party software package’s health and maintenance characteristics, , Arnica helps developers ensure third-party packages are reputable and make informed decisions about the packages they integrate into their source code by leveraging our comprehensive SCA solution. 

What are the primary use cases for third party package reputation?  

While traditional Software Composition Analysis (SCA) focuses on the security risks of your software supply chain and open source software packages, package reputation covers a number of critical use cases associated with evaluating your third party packages. 

1. Stop Risks Identified by Package Reputation: Identify poorly maintained, infrequently updated, or poor quality packages which could post either security or reliability risks when introduced to your products. Arnica’s package reputation can identify when a package may be risky to include even if it is free of published vulnerabilities.
2. Reduce Reliance on Manual Developer Investigation: Ensure that all packages are automatically checked for low OpenSSF scorecard scores or evidence of poor maintenance the moment they are first introduced in a feature branch. Automate third-party package governance without relying directly on manual effort from developers conducting due diligence for each new dependency. 
3. Mitigate Operational Risks: Metrics like low download counts, release frequency, and external ratings help developers evaluate the health and reliability of a third-party package, which is critical to maintaining core application stability. Arnica’s package reputation feature empowers developers to identify and mitigate future operational risks by avoiding low reputation third party packages. 
4. Improve Application Security: Visibility into third party packages with low reputation or health metrics help developers to identify potential security risks as well. Packages with suspect characteristics, such as recent releases with massive sudden download spikes or name similarities to popular packages (aka typosquatting), can indicate malicious intent. By identifying packages with these characteristics, despite not necessarily containing active threats, Arnica helps enhance overall security of your software supply chain. The more dependency you create on a package, the harder it is to pivot from that package, which is why Arnica identifies reputation in real-time when a package is first introduced so it can be replaced efficiently. 

By providing complete visibility into package reputation across the development ecosystem, Arnica helps improve both operational reliability and security of third party packages used in the software development lifecycle, extending the benefits of traditional software composition analysis (SCA) scanning. 

Strengthen your software supply chain security with Arnica's new package reputation feature, evaluating third-party packages on reliability, health, and operational risk. See Arnica’s SCA and third-party package reputation in action!