Risk Assessment with Custom Configurations

Introduction

The assess_pkg_r_package() function in the risk.assessr package allows users to evaluate the risk of an R package. You can pass a custom risk configuration to control how risk levels are interpreted.

This vignette demonstrates:

Load the Package

library(risk.assessr)
options(repos = c(CRAN = "http://cran.us.r-project.org"))

Example 1: Use Default Configuration

result_default <- risk.assessr::assess_pkg_r_package("stringr")
#> ── R CMD build ─────────────────────────────────────────────────────────────────
#> * checking for file ‘.../DESCRIPTION’ ... OK
#> * preparing ‘stringr’:
#> * checking DESCRIPTION meta-information ... OK
#> * checking vignette meta-information ... OK
#> * checking for LF line-endings in source and make files and shell scripts
#> * checking for empty or unneeded directories
#> * building ‘stringr_1.6.0.tar.gz’
#> Warning: invalid uid value replaced by that for user 'nobody'
#> Warning: invalid gid value replaced by that for user 'nobody'
#> 
#> ── R CMD check ─────────────────────────────────────────────────────────────────
#> * using log directory ‘/tmp/RtmpHs3yFi/file5045c236b1b48/stringr.Rcheck’
#> * using R version 4.4.1 (2024-06-14)
#> * using platform: x86_64-pc-linux-gnu
#> * R was compiled by
#>     gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#>     GNU Fortran (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#> * running under: Ubuntu 22.04.4 LTS
#> * using session charset: UTF-8
#> * using options ‘--no-examples --no-manual --ignore-vignettes’
#> * checking for file ‘stringr/DESCRIPTION’ ... OK
#> * this is package ‘stringr’ version ‘1.6.0’
#> * package encoding: UTF-8
#> * checking package namespace information ... OK
#> * checking package dependencies ... OK
#> * checking if this is a source package ... OK
#> * checking if there is a namespace ... OK
#> * checking for executable files ... OK
#> * checking for hidden files and directories ... OK
#> * checking for portable file names ... OK
#> * checking for sufficient/correct file permissions ... OK
#> * checking whether package ‘stringr’ can be installed ... OK
#> * checking installed package size ... OK
#> * checking package directory ... OK
#> * checking DESCRIPTION meta-information ... OK
#> * checking top-level files ... OK
#> * checking for left-over files ... OK
#> * checking index information ... OK
#> * checking package subdirectories ... OK
#> * checking code files for non-ASCII characters ... OK
#> * checking R files for syntax errors ... OK
#> * checking whether the package can be loaded ... OK
#> * checking whether the package can be loaded with stated dependencies ... OK
#> * checking whether the package can be unloaded cleanly ... OK
#> * checking whether the namespace can be loaded with stated dependencies ... OK
#> * checking whether the namespace can be unloaded cleanly ... OK
#> * checking loading without being on the library search path ... OK
#> * checking dependencies in R code ... OK
#> * checking S3 generic/method consistency ... OK
#> * checking replacement functions ... OK
#> * checking foreign function calls ... OK
#> * checking R code for possible problems ... OK
#> * checking Rd files ... OK
#> * checking Rd metadata ... OK
#> * checking Rd cross-references ... OK
#> * checking for missing documentation entries ... OK
#> * checking for code/documentation mismatches ... OK
#> * checking Rd \usage sections ... OK
#> * checking Rd contents ... OK
#> * checking for unstated dependencies in examples ... OK
#> * checking contents of ‘data’ directory ... OK
#> * checking data for non-ASCII characters ... OK
#> * checking LazyData ... OK
#> * checking data for ASCII and uncompressed saves ... OK
#> * checking installed files from ‘inst/doc’ ... OK
#> * checking files in ‘vignettes’ ... SKIPPED
#> * checking examples ... SKIPPED
#> * checking for unstated dependencies in ‘tests’ ... OK
#> * checking tests ...
#>   Running ‘testthat.R’
#>  OK
#> * DONE
#> 
#> Status: OK
str(result_default$risk_analysis)
#> List of 8
#>  $ dependencies_count        : chr "low"
#>  $ later_version             : chr "low"
#>  $ code_coverage             : chr "low"
#>  $ total_download            : chr "low"
#>  $ license                   : chr "low"
#>  $ reverse_dependencies_count: chr "low"
#>  $ documentation_score       : chr "low"
#>  $ cmd_check                 : chr "low"

Example 2: Use Custom Configuration (Strict Code Coverage)

strict_coverage_config <- list(
  list(
    label = "code coverage",
    id = "code_coverage",
    key = "code_coverage",
    thresholds = list(
      list(level = "high", max = 0.9999),
      list(level = "low", max = NULL)
    )
  ),
  list(
    label = "popularity",
    id = "popularity",
    key = "last_month_download",
    thresholds = list(
      list(level = "high", max = 21200000),
      list(level = "medium", max = 11200000),
      list(level = "low", max = NULL)
    )
  )
)

# Set the option
options(risk.assessr.risk_definition = strict_coverage_config)
result_strict <- risk.assessr::assess_pkg_r_package("stringr")
#> ── R CMD build ─────────────────────────────────────────────────────────────────
#> * checking for file ‘.../DESCRIPTION’ ... OK
#> * preparing ‘stringr’:
#> * checking DESCRIPTION meta-information ... OK
#> * checking vignette meta-information ... OK
#> * checking for LF line-endings in source and make files and shell scripts
#> * checking for empty or unneeded directories
#> * building ‘stringr_1.6.0.tar.gz’
#> Warning: invalid uid value replaced by that for user 'nobody'
#> Warning: invalid gid value replaced by that for user 'nobody'
#> 
#> ── R CMD check ─────────────────────────────────────────────────────────────────
#> * using log directory ‘/tmp/RtmpHs3yFi/file5045c7fbe836d/stringr.Rcheck’
#> * using R version 4.4.1 (2024-06-14)
#> * using platform: x86_64-pc-linux-gnu
#> * R was compiled by
#>     gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#>     GNU Fortran (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#> * running under: Ubuntu 22.04.4 LTS
#> * using session charset: UTF-8
#> * using options ‘--no-examples --no-manual --ignore-vignettes’
#> * checking for file ‘stringr/DESCRIPTION’ ... OK
#> * this is package ‘stringr’ version ‘1.6.0’
#> * package encoding: UTF-8
#> * checking package namespace information ... OK
#> * checking package dependencies ... OK
#> * checking if this is a source package ... OK
#> * checking if there is a namespace ... OK
#> * checking for executable files ... OK
#> * checking for hidden files and directories ... OK
#> * checking for portable file names ... OK
#> * checking for sufficient/correct file permissions ... OK
#> * checking whether package ‘stringr’ can be installed ... OK
#> * checking installed package size ... OK
#> * checking package directory ... OK
#> * checking DESCRIPTION meta-information ... OK
#> * checking top-level files ... OK
#> * checking for left-over files ... OK
#> * checking index information ... OK
#> * checking package subdirectories ... OK
#> * checking code files for non-ASCII characters ... OK
#> * checking R files for syntax errors ... OK
#> * checking whether the package can be loaded ... OK
#> * checking whether the package can be loaded with stated dependencies ... OK
#> * checking whether the package can be unloaded cleanly ... OK
#> * checking whether the namespace can be loaded with stated dependencies ... OK
#> * checking whether the namespace can be unloaded cleanly ... OK
#> * checking loading without being on the library search path ... OK
#> * checking dependencies in R code ... OK
#> * checking S3 generic/method consistency ... OK
#> * checking replacement functions ... OK
#> * checking foreign function calls ... OK
#> * checking R code for possible problems ... OK
#> * checking Rd files ... OK
#> * checking Rd metadata ... OK
#> * checking Rd cross-references ... OK
#> * checking for missing documentation entries ... OK
#> * checking for code/documentation mismatches ... OK
#> * checking Rd \usage sections ... OK
#> * checking Rd contents ... OK
#> * checking for unstated dependencies in examples ... OK
#> * checking contents of ‘data’ directory ... OK
#> * checking data for non-ASCII characters ... OK
#> * checking LazyData ... OK
#> * checking data for ASCII and uncompressed saves ... OK
#> * checking installed files from ‘inst/doc’ ... OK
#> * checking files in ‘vignettes’ ... SKIPPED
#> * checking examples ... SKIPPED
#> * checking for unstated dependencies in ‘tests’ ... OK
#> * checking tests ...
#>   Running ‘testthat.R’
#>  OK
#> * DONE
#> 
#> Status: OK
str(result_strict$risk_analysis)
#> List of 2
#>  $ code_coverage      : chr "high"
#>  $ last_month_download: chr "high"
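To make the threshold semantics concrete, here is an added example that is not part of risk.assessr; it assumes tiers are evaluated top to bottom, that the first tier whose max the value does not exceed wins, and that max = NULL is the catch-all. Under that reading the popularity tiers in the config above are not monotonic, so its "medium" tier can never match, which is why a small stand-alone checker for such misconfigurations is included.

```r
# Added example, not part of risk.assessr. Assumed semantics: tiers are tried
# in order, the first tier whose `max` the value does not exceed wins, and a
# tier with `max = NULL` is the catch-all.
classify_metric <- function(value, thresholds) {
  for (tier in thresholds) {
    if (is.null(tier$max) || value <= tier$max) return(tier$level)
  }
  NA_character_  # no tier matched: the config has no catch-all
}
# Flag the two config mistakes that silently skew results under that rule:
# `max` values that do not strictly increase (a later tier is unreachable)
# and a missing NULL catch-all (large values receive no level at all).
check_risk_config <- function(config) {
  problems <- character(0)
  for (metric in config) {
    maxes <- vapply(metric$thresholds, function(t) {
      if (is.null(t$max)) NA_real_ else as.numeric(t$max)
    }, numeric(1))
    finite <- maxes[!is.na(maxes)]
    if (any(diff(finite) <= 0)) {
      problems <- c(problems, paste0(metric$id,
        ": `max` values are not strictly increasing; a later tier is unreachable"))
    }
    if (!any(is.na(maxes))) {
      problems <- c(problems, paste0(metric$id, ": no `max = NULL` catch-all tier"))
    }
  }
  problems
}
# Constructed copies of the two metrics from the config above.
popularity <- list(
  id = "popularity", key = "last_month_download",
  thresholds = list(
    list(level = "high", max = 21200000),
    list(level = "medium", max = 11200000),
    list(level = "low", max = NULL)
  )
)
coverage <- list(
  id = "code_coverage", key = "code_coverage",
  thresholds = list(list(level = "high", max = 0.9999),
                    list(level = "low", max = NULL))
)
stopifnot(classify_metric(0.95, coverage$thresholds) == "high")
stopifnot(classify_metric(1.0, coverage$thresholds) == "low")
# 15 million downloads lands in "high", never "medium": 21.2M is tested first
stopifnot(classify_metric(15e6, popularity$thresholds) == "high")
stopifnot(classify_metric(30e6, popularity$thresholds) == "low")
print(check_risk_config(list(coverage, popularity)))
```

Running the checker before setting risk.assessr.risk_definition catches tier lists that would otherwise report every package at the same level without any error.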

Summary

The risk_config parameter (set here through the risk.assessr.risk_definition option) allows you to tailor the risk scoring logic to your organization’s policies. You can use it to enforce stricter standards, accommodate internal tooling priorities, or meet compliance requirements.
