The risk metrics dealt with in this working group are organized into focus areas:

| Focus Area | Goal |
|---|---|
| Business Risk | Understand how active the community around a given software package is and how well it supports the package. |
| Code Quality | Understand the quality of a given software package. |
| Licensing | Understand the potential IP issues associated with a given software package's use. |
| Security | Understand the security processes and procedures associated with the software's development. |
| Transparency | Understand how transparent a given software package is with respect to dependencies, licensing (?), security processes, etc. |
| Dependency Risk Assessment | Understand the risk introduced by a software package's dependencies. |