How Xray Determines Operational Risk Severity

JFrog Security Documentation

Xray calculates the Operational Risk as High, Medium, Low, and None (no known risk) using the following criteria. For information on how Xray calculates operational risk effective severity, see the table Calculating Operational Risk Effective Severity further below.

| Risk | Type | Severity | Notes |
|---|---|---|---|
| End-of-Life | Boolean | High = True; None = False | |
| Version Age | Number | Score = number of months since release / 10. High >= 4; Medium > 2 and < 4; Low > 1 and <= 2; None (no risk) <= 1 | |
| Number of New Versions | Number | Score = number of newer versions released since the version in use / 2. High >= 6; Medium >= 4 and < 6; Low >= 2 and < 4; None (no risk) < 2 | |
| Health of Open Source Project | Release cadence per year | Healthy >= 2 releases; Unhealthy <= 1 | This includes all releases, including any dot releases and patch releases if they are GA releases. When there is no data, the project is presumed healthy. |
| Health of Open Source Project | Number of commits per year | Healthy >= 100 commits; Unhealthy < 100 commits | |
| Health of Open Source Project | Number of committers per year | Healthy >= 5 committers; Unhealthy < 5 committers | |

Calculating Operational Risk Effective Severity

| # | EOL | Health | # of new versions | Version Age | Combined Severity | Risk Reason |
|---|---|---|---|---|---|---|
| 1 | High | Any | Any | Any | High | EOL |
| 2 | None | High Risk | Any | Any | High | Health |
| 3 | None | No Risk | High | None, Low, Medium, High | High | Number of new versions and Version Age (only when High) |
| 4 | None | No Risk | Medium | None, Low, Medium | Medium | Number of new versions and Version Age (only when Medium) |
| 5 | None | No Risk | Low | None, Low | Low | Number of new versions and Version Age (only when Low) |
| 6 | None | No Risk | None | None | None | No given reason |
| 7 | None | No Risk | None, Low, Medium, High | High | High | Version Age and number of new versions (only when High) |
| 8 | None | No Risk | None, Low, Medium | Medium | Medium | Version Age and number of new versions (only when Medium) |
| 9 | None | No Risk | None, Low | Low | Low | Version Age and number of new versions (only when Low) |
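Both tables can be turned into a small scoring routine, which is a useful way to sanity-check a component's reported severity against its raw metadata. The Python below is an added example written for this page; it is not JFrog's code and not Xray's implementation. It assumes that any single unhealthy health metric makes the project "High Risk" (the page gives the three thresholds but not how they combine), that the "no data is presumed healthy" rule applies to all three health metrics, and that when Number of New Versions and Version Age sit at the same level the reason is reported as in rows 3-5. The function names and the sample component values are constructed.

```python
from typing import Optional, Tuple

# Ordering used to take the maximum of two severities (rows 3-9 of the second table).
SEVERITY_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3}
SEVERITY_NAME = {v: k for k, v in SEVERITY_ORDER.items()}


def eol_severity(end_of_life: bool) -> str:
    """End-of-Life is Boolean: True -> High, False -> None."""
    return "High" if end_of_life else "None"


def version_age_severity(months_since_release: float) -> str:
    """Score = months since release / 10.
    High >= 4; Medium > 2 and < 4; Low > 1 and <= 2; None <= 1."""
    score = months_since_release / 10
    if score >= 4:
        return "High"
    if score > 2:
        return "Medium"
    if score > 1:
        return "Low"
    return "None"


def new_versions_severity(newer_versions: int) -> str:
    """Score = number of newer versions / 2.
    High >= 6; Medium >= 4 and < 6; Low >= 2 and < 4; None < 2."""
    score = newer_versions / 2
    if score >= 6:
        return "High"
    if score >= 4:
        return "Medium"
    if score >= 2:
        return "Low"
    return "None"


def project_health(releases_per_year: Optional[int],
                   commits_per_year: Optional[int],
                   committers_per_year: Optional[int]) -> str:
    """Returns 'High Risk' or 'No Risk' from the three health metrics.
    A metric given as None (no data) is presumed healthy.
    ASSUMPTION (not stated on the page): one unhealthy metric is enough for High Risk."""
    unhealthy = [
        releases_per_year is not None and releases_per_year <= 1,     # cadence: healthy >= 2
        commits_per_year is not None and commits_per_year < 100,       # commits: healthy >= 100
        committers_per_year is not None and committers_per_year < 5,   # committers: healthy >= 5
    ]
    return "High Risk" if any(unhealthy) else "No Risk"


def effective_severity(end_of_life: bool, health: str,
                       new_versions_sev: str, version_age_sev: str) -> Tuple[str, str]:
    """Rows 1-9 of 'Calculating Operational Risk Effective Severity'.
    Returns (combined severity, risk reason)."""
    if eol_severity(end_of_life) == "High":            # row 1
        return "High", "EOL"
    if health == "High Risk":                           # row 2
        return "High", "Health"
    nv = SEVERITY_ORDER[new_versions_sev]
    va = SEVERITY_ORDER[version_age_sev]
    if nv == 0 and va == 0:                             # row 6
        return "None", "No given reason"
    name = SEVERITY_NAME[max(nv, va)]
    if nv >= va:                                        # rows 3-5 (ties reported here; assumption)
        return name, f"Number of new versions and Version Age (only when {name})"
    return name, f"Version Age and number of new versions (only when {name})"  # rows 7-9


def assess_operational_risk(end_of_life: bool, months_since_release: float, newer_versions: int,
                            releases_per_year: Optional[int], commits_per_year: Optional[int],
                            committers_per_year: Optional[int]) -> Tuple[str, str]:
    """Raw component metadata in, (combined severity, risk reason) out."""
    return effective_severity(
        end_of_life,
        project_health(releases_per_year, commits_per_year, committers_per_year),
        new_versions_severity(newer_versions),
        version_age_severity(months_since_release),
    )


if __name__ == "__main__":
    # Constructed sample: not EOL, released 25 months ago (score 2.5 -> Medium),
    # 3 newer versions (score 1.5 -> None), actively maintained project.
    print(assess_operational_risk(False, 25, 3, 5, 500, 10))
```

Boundary values matter here: a version exactly 20 months old scores 2.0, which is Low (> 1 and <= 2), not Medium, and exactly 2 newer versions scores 1.0, which is None; the comparisons above follow the table's inclusive/exclusive bounds literally so that a reviewer can check a disputed severity against them.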