microsoft / OSSGadget

Collection of tools for analyzing open source packages.

Improve the risk calculation algorithm

scovetta opened this issue · comments

The risk calculation algorithm (in oss-risk-calculator) is pretty basic, combining project health (from oss-health) and the number of high-risk characteristics (from oss-characteristic), then normalizing to a range of 0 to 1.

I think this could be improved significantly, but would require a good amount of "think" time. If anyone is interested in contributing, it'd be very much appreciated.

Would it make sense to use the scorecard metrics?