Project: CARDANO
Client name: Toptal
Report date: Tuesday, 04 October 2022
Technical Due Diligence
Risks Overview
Overall code quality does not raise concerns. We do not suggest code refactoring activities.
Overall application security indicates caution. Code refactoring is recommended.
Overall license compliance does not raise concerns. We do not suggest license risk mitigation activities.
Overall development team analysis does not raise concerns. 70% of the top 10 developers are still active.
Risk indicators (colour-coded dots in the original; the colours are not preserved in this extraction):
Code Quality: Defects, Code Smells, Duplications, Hardcoded Items
Security: Vulnerabilities, Hotspots
Licenses
Team
Recommendations
License Compliance: 2.5% (7) of the linked libraries and third-party components are protected by reciprocal licenses and require refactoring.
Reliability: 236 hardcoded risks require resolution.
Complexity: 255 duplicate blocks require refactoring.
Security: 45 critical security hotspots require resolution.
Package Dependencies: 133 critical outdated packages should be updated.
Security Dashboard
Security
Vulnerability Score: HIGH
Vulnerable Packages: 129 vulnerable (0 outdated), 179 not vulnerable
Severity Distribution and Aging Vulnerable Packages: charts not reproduced in this extraction
License Risk and Compliance
License Distribution and License Risk Distribution: charts not reproduced in this extraction
Total License Types: 17, Total Packages: 308
Outdated Versions
86 Outdated Packages
101 Up-to-date Packages
42 Multi-versioned Packages
Tech Stack
Top 5 Programming Languages (chart not reproduced in this extraction)
Tech Stack Activity
5 Most Used Programming Languages in the Last 12 Months (chart not reproduced in this extraction)
5 Most Active Repositories in the Last 12 Months (chart not reproduced in this extraction)
Code Complexity
Duplicate Code: 255 total duplicated blocks. The percentage of duplicated code lines is 1.1%. This is below the 4% threshold. 255 duplicated blocks require resolution.
Long Methods: 0 total. 0 long methods require resolution.
Long Classes: 0 total. 0 long classes require resolution.
Code Reliability
Defects: 13 total. Average number of defects per 10K LOC is 0. This is below the threshold of 20 issues per 10K LOC. 0 critical issues require resolution.
Code Smells: 67 total. Average number of code smells per 10K LOC is 2. This is below the threshold of 200. 0 blocker issues require resolution.
Hardcoded Risks: 236 total. Average number of hardcoded tokens per 10K LOC is 9. This is below the threshold of 50. 236 critical issues require resolution.
Code Structure
76.7% of code is proprietary.
0.3% of code is third-party (well-known libraries).
23% of code is auto-generated.
3% of all lines are comments.
11 of 11 repositories contain a README file.
Code Structure
Contributors Overview
1,128 developers have been working on the code base during the past year.
46.5% of those developers are still active (they have committed code during the past 6 months).
Code Structure
Top 10 Contributors
Name | Commits | Fixes | Features | Languages |
olgahryniuk <67585499+olgahryniuk@users.noreply.github.com> | 113 | 1 | 112 | Markdown |
Markl Jenkins <quickbeam@outlook.com> | 58 | 0 | 58 | JSON |
Fillips Ickevics <60065019+fill-the-fill@users.noreply.github.com> | 51 | 6 | 45 | JavaScript, Markdown, TypeScript |
markl-jenkins <97963265+markl-jenkins@users.noreply.github.com> | 42 | 0 | 42 | JSON |
Tommy Kammerer <31965230+katomm@users.noreply.github.com> | 40 | 2 | 38 | Markdown, JavaScript |
Niamh Ahern <34340946+nahern@users.noreply.github.com> | 35 | 3 | 32 | Markdown |
Frederic J <58846030+crptmppt@users.noreply.github.com> | 32 | 14 | 18 | Markdown, JSON |
Tommy <31965230+katomm@users.noreply.github.com> | 28 | 4 | 24 | JavaScript, Markdown, CSS, JSON |
Martin Hunt <martin.hunt@iohk.io> | 27 | 4 | 23 | JavaScript, Markdown, JSON |
Leo42 <leantrosh@gmail.com> | 23 | 0 | 23 | JSON |
Code Structure
Top 5 Active Contributors by Commits (chart not reproduced in this extraction)
An active contributor is someone who has committed code during the last 6 months.
Code Security
Security Overview
0 total potential vulnerabilities. Average number of vulnerabilities per 10K LOC is 0. This is below the threshold of 0.5.
0 critical vulnerabilities require resolution.
45 total security hotspots. Average number of security hotspots per 10K LOC is 1. This is below the threshold of 2.
45 critical security hotspots require resolution.
Code Security
Top 10 Security Rule Violations
Rule | Count | Risks |
Using regular expressions is security-sensitive | 23 | |
Using command line arguments is security-sensitive | 13 | |
Using pseudorandom number generators (PRNGs) is security-sensitive | 4 | |
Permissive Cross-Origin Resource Sharing policy is security-sensitive | 3 | |
Hashing data is security-sensitive | 2 | |
Code Security
Top 10 Package Vulnerabilities
Name | Count | Package |
nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js, CVE-2021-23382 | 6 | |
nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes, CVE-2021-3807 | 5 | |
nodejs-glob-parent: Regular expression denial of service, CVE-2020-28469 | 5 | |
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS), CVE-2021-35065 | 5 | |
nodejs-ws: Specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server, CVE-2021-32640 | 5 | |
browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS), CVE-2021-23364 | 4 | |
minimist: prototype pollution, CVE-2021-44906 | 4 | |
Prototype Pollution in async, CVE-2021-43138 | 3 | |
eventsource: Exposure of Sensitive Information, CVE-2022-1650 | 3 | |
nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl(), CVE-2021-23362 | 3 | |
Package Dependencies
Packages Overview
308 total package dependencies detected (Npm, NuGet, Pip, Yarn).
287 packages are outdated.
133 critically outdated packages should be updated.
Package Dependencies
Top 10 Package Issues
Package | Type | Version | Latest Version | Message |
immer | Npm | 1.10.0 | 0.0.0 | nodejs-immer: prototype pollution may lead to DoS or remote code execution. Package: immer, installed version 1.10.0, fixed version 9.0.6. https://avd… |
mpath | Npm | 0.8.3 | 0.0.0 | mpath: type confusion can lead to a bypass of CVE-2018-16490. Package: mpath, installed version 0.8.3, fixed version 0.8.4. https://avd.aquasec.com/nv… |
parse-url | Npm | 5.0.1 | 0.0.0 | Cross site scripting in parse-url. Package: parse-url, installed version 5.0.1, fixed version 6.0.1. https://avd.aquasec.com/nvd/cve-2022-2218. npm: X… |
shell-quote | Npm | 1.6.1 | 0.0.0 | The shell-quote package before 1.7.3 for Node.js allows command inject .... Package: shell-quote, installed version 1.6.1, fixed version 1.7.3. https:… |
shell-quote | Npm | 1.7.2 | 0.0.0 | The shell-quote package before 1.7.3 for Node.js allows command inject .... Package: shell-quote, installed version 1.7.2, fixed version 1.7.3. https:… |
url-parse | Npm | 1.4.7 | 0.0.0 | npm-url-parse: authorization bypass through user-controlled key. Package: url-parse, installed version 1.4.7, fixed version 1.5.9. https://avd.aquasec… |
xmlhttprequest-ssl | Npm | 1.5.5 | 0.0.0 | nodejs-xmlhttprequest: Code injection through user input to xhr.send. Package: xmlhttprequest-ssl, installed version 1.5.5, fixed version 1.6.2. https… |
ejs | Yarn | 2.7.4 | 0.0.0 | ejs: server-side template injection in outputFunctionName. Package: ejs, installed version 2.7.4, fixed version 3.1.7. https://avd.aquasec.com/nvd/cve… |
json-schema | Yarn | 0.2.3 | 0.0.0 | nodejs-json-schema: Prototype pollution vulnerability. Package: json-schema, installed version 0.2.3, fixed version 0.4.0. https://avd.aquasec.com/nvd… |
url-parse | Yarn | 1.4.7 | 0.0.0 | nodejs-url-parse: authorization bypass through user-controlled key. Package: url-parse, installed version 1.4.7, fixed version 1.5.6. https://avd.aqua… |
Licenses
Licenses Overview
283 total libraries and third-party components are linked.
91.5% (259) of the linked libraries and third-party components are protected by permissive licenses.
6% (17) of the linked libraries and third-party components have uncertain licenses and require attention.
2.5% (7) of the linked libraries and third-party components are protected by reciprocal licenses.
Licenses
Top 10 License Issues
License | Count | Allows SaaS | Allows Distribution | Allows Modification |
GPL | 7 | True | True | False |
CDDL | 6 | True | True | Uncertain |
UnclassifiedLicense | 3 | Uncertain | Uncertain | Uncertain |
Non-commercial | 2 | Uncertain | Uncertain | Uncertain |
Non-profit | 2 | Uncertain | Uncertain | Uncertain |
Not-for-sale | 1 | Uncertain | Uncertain | Uncertain |
Public-domain | 1 | Uncertain | Uncertain | Uncertain |
See-doc.OTHER | 1 | Uncertain | Uncertain | Uncertain |
Standard 'no charge' license: https://greensock.com/standard-license. Club GreenSock members get more: https://greensock.com/licensing/. Why GreenSock doesn't employ an MIT license: https://greensock.com/why-license/ | 1 | Uncertain | Uncertain | Uncertain |
Contact Us
Get Support
If you need help interpreting the report, assessing the risk and prioritizing the refactoring activities, please contact us at info@codewetrust.com.
We will be happy to help you maximize your codebase’s potential.
Download CodeWeTrust’s M&A paper: codewetrust.com/download-whitepaper