25 Jul 2024

Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins Matter?

Yesterday, we discussed what we found when we tried to assess the value of OpenSSF Scorecard scores for WordPress plugins. OpenSSF Scorecard scores are supposed to “quickly assess open source projects for risky practices.” With WordPress plugins, we found that they were of limited value because many plugins have no score, there is no easy way to check whether a plugin has a score, and some of the metrics are questionable. Another use for the scores with WordPress plugins would be looking at the scores of libraries included in WordPress plugins. While looking into gathering more information on libraries included in plugins for our Plugin Security Scorecard, we found that a major promoter of the OpenSSF Scorecard project is using multiple libraries in a popular plugin despite their low scores. That raises the question of how much weight others should put on those scores if a major proponent appears not to put much on them.

Google has been heavily involved in the OpenSSF Scorecard project since the beginning. The blog post announcing the project on the OpenSSF website was written by a Google employee. Days later, Google’s Open Source Blog promoted the project. Google’s involvement has continued as new versions of the scorecard have been released. Google is also the developer of the Site Kit by Google plugin, which has 4+ million active installs according to wordpress.org data. That plugin includes 7 third-party libraries referenced in a file generated by Composer. [Read more]

12 Jan 2024

Google’s Search Results for The Best WordPress Security Plugins in 2024 is as Bad As You Would Expect

Google’s search results have a reputation for being bad these days, and for good reason: they are bad. Take the results we got when doing a search for “best wordpress security plugins 2024”. We got this information directly on the search page, which lists the plugin Jetpack Security first:

[Read more]