pub fn score_project(
    _lock: &LockfileModel,
    signals: &[RiskSignal],
) -> ProjectRisk
Compute the project risk score from collected signals (0–100).

The aggregation is deliberately not a flat sum, to avoid false-positive inflation on large dependency trees:

- Advisory findings (real, matched vulnerabilities) are summed in full; each additional known vulnerability genuinely adds risk. A Critical advisory pins the project score to 100.
- Heuristic findings (FFI, build scripts, unsafe, duplicate versions, license) get diminishing returns per class: the largest finding of a class counts in full, the next at 50%, then 25%, and so on, so a project with 30 -sys crates is not scored as 30× the risk of one.

Per-package scores use a plain saturating sum so that a single highly-risky package can still trip max_package_score.
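As an added example (not the crate's own code), a minimal Rust model of the aggregation described above: advisories summed in full with a Critical pin, per-class halving weights for heuristics, and a saturating per-package sum. The `Signal` struct, `SignalClass`, `Severity` and the `weight` field are assumptions made for this illustration.

```rust
// Added example, not the crate's own code: a minimal model of the aggregation
// described above. Signal, SignalClass, Severity and `weight` are assumptions.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Hash, Debug)]
pub enum SignalClass { Advisory, Ffi, BuildScript, Unsafe, DuplicateVersion, License }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Clone, Debug)]
pub struct Signal {
    pub class: SignalClass,
    pub severity: Severity,
    /// Raw contribution of this finding, in score points (assumed 0..=100).
    pub weight: u32,
}

/// Project-level score, clamped to 0..=100.
pub fn project_score(signals: &[Signal]) -> u32 {
    // A Critical advisory pins the project to 100, whatever else is present.
    if signals.iter().any(|s| s.class == SignalClass::Advisory && s.severity == Severity::Critical) {
        return 100;
    }
    // Advisory findings: every matched vulnerability adds its full weight.
    let advisory: u32 = signals
        .iter()
        .filter(|s| s.class == SignalClass::Advisory)
        .map(|s| s.weight)
        .sum();
    // Heuristic findings: per class, sort descending and weight 1, 1/2, 1/4, ...
    let mut by_class: HashMap<SignalClass, Vec<u32>> = HashMap::new();
    for s in signals.iter().filter(|s| s.class != SignalClass::Advisory) {
        by_class.entry(s.class).or_default().push(s.weight);
    }
    let heuristic: f64 = by_class
        .values_mut()
        .map(|ws| {
            ws.sort_unstable_by(|a, b| b.cmp(a));
            ws.iter().enumerate().map(|(i, &w)| w as f64 / 2f64.powi(i as i32)).sum::<f64>()
        })
        .sum();
    (advisory as f64 + heuristic).round().min(100.0) as u32
}

/// Per-package score: a plain saturating sum, so one very risky package
/// still reaches a max_package_score threshold on its own.
pub fn package_score(signals: &[Signal]) -> u32 {
    signals.iter().fold(0u32, |acc, s| acc.saturating_add(s.weight)).min(100)
}
```

With thirty FFI findings of weight 10, the project score lands at 20 (10 + 5 + 2.5 + ...) while the saturating package sum hits 100, which is the asymmetry the description is after.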