Skip to main content

Library scoring guide

Contrast provides letter grades for the security of your application's libraries so that you can use them as a reference point during analysis. The grades map to scores as follows:

  • A: 90 - 100

  • B: 80 - 89

  • C: 70 - 79

  • D: 60 - 69

  • F: 35 - 59

Scores are based on three penalty factors:

  • Time: The age of the library is calculated based on the number of full years between the release of the latest version and the version used in the application, multiplied by 2.5.

  • Status: The status is calculated based on the number of versions that have been released since the current library in your application, multiplied by 10.

  • Security: The CVE penalty of the library is the highest severity of all known CVEs for this library, multiplied by 10.


Organization administrators can adjust the scoring method to include only security criteria.


For example:

If you're using a library from January 2010 and the latest version came out in September 2013, the number of full years passed is two. So your time penalty would be:

2 x 2.5 = 5

If you're using Version 1.1.1, but Versions 1.1.2 and 1.1.3 have been released, your penalty would be:

2 x 10 = 20

If you have a library with the scores 2.4 and 2.2, the penalty would be:

2.4 x 10 = 24

The final score of the library is calculated by subtracting each of the three penalty values from 100.

100 - 5 - 20 - 24 = 51

A score of 51 maps to a letter grade of F.