Kedro

Projects that follow the best practices below can voluntarily self-certify and show that they've achieved an Open Source Security Foundation (OpenSSF) best practices badge.

If this is your project, please show your badge status on your project page! The badge status looks like this:

Badge level for project 6711 is passing

Here is how to embed it:

You can show your badge status by embedding this in your markdown file:

[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6711/badge)](https://www.bestpractices.dev/projects/6711)

or by embedding this in your HTML:
<a href="https://www.bestpractices.dev/projects/6711"><img src="https://www.bestpractices.dev/projects/6711/badge"></a>

These are the

level criteria. You can also view the

or

level criteria.

Basics 2/5 ●

Identification

What is the human-readable name of the project?
Note that other projects may use the same name.

What is a brief description of the project?

Kedro is an open-source Python framework for creating reproducible, maintainable and modular data science code. It borrows concepts from software engineering and applies them to machine-learning code; applied concepts include modularity, separation of concerns and versioning.

What is the URL for the project (as a whole)?
https://kedro.org

What is the URL for the version control repository (it may be the same as the project URL)?
https://github.com/kedro-org/kedro
Prerequisites

Criterion [achieve_silver]
Met

Unmet

The project MUST achieve a silver level badge. ^{[achieve_silver]}
Project oversight
Criterion [bus_factor]
Met

Unmet

?

Mradi LAZIMA uwe na "bus factor" ya 2 au zaidi. (URL required) ^[bus_factor]
A "bus factor" (aka "truck factor") is the minimum number of project members that have to suddenly disappear from a project ("hit by a bus") before the project stalls due to lack of knowledgeable or competent personnel. The truck-factor tool can estimate this for projects on GitHub. For more information, see Assessing the Bus Factor of Git Repositories by Cosentino et al.
output of Truck-Factor is TF=6
```
TF = 6 (coverage = 49.67%)
TF authors (Developer;Files;Percentage):
tsanikgr;121;19.90
Jo Stichbury;120;19.74
Lorena Balan;77;12.66
Merel Theisen;62;10.20
Dmitrii Deriabin;35;5.76
Lim H;30;4.93
```
https://github.com/kedro-org/kedro/issues/3597#issuecomment-2497086034
Criterion [contributors_unassociated]
Met

Unmet

?

Mradi LAZIMA uwe na angalau wachangiaji wawili wasiohusika. (URL required) ^{[contributors_unassociated]}
Contributors are associated if they are paid to work by the same organization (as an employee or contractor) and the organization stands to benefit from the project's results. Financial grants do not count as being from the same organization if they pass through other organizations (e.g., science grants paid to different organizations from a common government or NGO source do not cause contributors to be associated). Someone is a significant contributor if they have made non-trivial contributions to the project in the past year. Examples of good indicators of a significant contributor are: written at least 1,000 lines of code, contributed 50 commits, or contributed at least 20 pages of documentation.
- Yolan Honoré-Rougé contributed kedro-mlflow, kedro-boot, and many other extensions, see https://github.com/Galileo-Galilei/kedro-mlflow
- Marcin Zabłocki contributed to kedro-azureml and many other extensions, see https://github.com/getindata/kedro-azureml
- Simon Brugman contributed to kedro-airflow, see https://github.com/kedro-org/kedro-plugins/tree/main/kedro-airflow
- Deepyaman Datta contributed to kedro and kedro-datasets, see https://github.com/kedro-org/kedro-plugins/tree/main/kedro-datasets
Other

Criterion [copyright_per_file]
Met

Unmet

?

The project MUST include a copyright statement in each source file, identifying the copyright holder (e.g., the [project name] contributors). ^{[copyright_per_file]}
This MAY be done by including the following inside a comment near the beginning of each file: "Copyright the [project name] contributors.". See "Copyright Notices in Open Source Software Projects" by Steve Winslow.

Copyright statement is not yet included in every source file.

Criterion [license_per_file]
Met

Unmet

?

The project MUST include a license statement in each source file. This MAY be done by including the following inside a comment near the beginning of each file: SPDX-License-Identifier: [SPDX license expression for project]. ^{[license_per_file]}
This MAY also be done by including a statement in natural language identifying the license. The project MAY also include a stable URL pointing to the license text, or the full license text. Note that the criterion license_location requires the project license be in a standard location. See this SPDX tutorial for more information about SPDX license expressions. Note the relationship with copyright_per_file, whose content would typically precede the license information.

License statement is not yet included in every source file.

Analysis 2/2 ●

Dynamic code analysis

Criterion [dynamic_analysis]
Met

Unmet

N/A

?

The project MUST apply at least one dynamic analysis tool to any proposed major production release of the software produced by the project before its release. ^{[dynamic_analysis]}
A dynamic analysis tool examines the software by executing it with specific inputs. For example, the project MAY use a fuzzing tool (e.g., American Fuzzy Lop) or a web application scanner (e.g., OWASP ZAP or w3af). In some cases the OSS-Fuzz project may be willing to apply fuzz testing to your project. For purposes of this criterion the dynamic analysis tool needs to vary the inputs in some way to look for various kinds of problems or be an automated test suite with at least 80% branch coverage. The Wikipedia page on dynamic analysis and the OWASP page on fuzzing identify some dynamic analysis tools. The analysis tool(s) MAY be focused on looking for security vulnerabilities, but this is not required.

The software uses MyPy, bandit, and other dynamic analysis tools that run on its Continuous Integration

Criterion [dynamic_analysis_enable_assertions]
Met

Unmet

N/A

?

The project SHOULD include many run-time assertions in the software it produces and check those assertions during dynamic analysis. ^{[dynamic_analysis_enable_assertions]}
This criterion does not suggest enabling assertions during production; that is entirely up to the project and its users to decide. This criterion's focus is instead to improve fault detection during dynamic analysis before deployment. Enabling assertions in production use is completely different from enabling assertions during dynamic analysis (such as testing). In some cases enabling assertions in production use is extremely unwise (especially in high-integrity components). There are many arguments against enabling assertions in production, e.g., libraries should not crash callers, their presence may cause rejection by app stores, and/or activating an assertion in production may expose private data such as private keys. Beware that in many Linux distributions NDEBUG is not defined, so C/C++ assert() will by default be enabled for production in those environments. It may be important to use a different assertion mechanism or defining NDEBUG for production in those environments.

Assertions are included (albeit sparingly, given that they can be disabled in certain modes of execution, e.g. python -O)

This data is available under the Community Data License Agreement – Permissive, Version 2.0 (CDLA-Permissive-2.0). This means that a Data Recipient may share the Data, with or without modifications, so long as the Data Recipient makes available the text of this agreement with the shared Data. Please credit Yetunde Dada and the OpenSSF Best Practices badge contributors.

Project badge entry owned by: Yetunde Dada.
Entry created on 2022-11-17 11:48:49 UTC, last updated on 2024-11-25 07:34:04 UTC. Last achieved passing badge on 2022-11-17 12:46:29 UTC.