Risk Assessment with Custom Configurations

Introduction

The assess_pkg_r_package() function in the risk.assessr package evaluates the risk of an R package across several metrics (dependency count, availability of a later version, code coverage, downloads, license, reverse dependencies, documentation score and the R CMD check result). By default each metric value is mapped to a risk level using the package's built-in thresholds; you can supply a custom risk configuration through the risk.assessr.risk_definition option to control how metric values are interpreted as risk levels. Note that the assessment runs R CMD build and R CMD check on the package, which installs it and runs its test suite, so it executes the package's own code: assess packages you do not yet trust in an isolated environment such as a container or a throwaway VM.

This vignette demonstrates two runs against the stringr package: one with the default configuration, and one with a custom configuration that enforces a strict code coverage threshold and defines its own popularity scale.

Load the Package

library(risk.assessr)
# Package sources are fetched from this repository. In practice prefer an
# https mirror (for example https://cloud.r-project.org) so that the tarball
# cannot be swapped in transit before it is built and checked.
options(repos = c(CRAN = "http://cran.us.r-project.org"))

Example 1: Use Default Configuration

result_default <- risk.assessr::assess_pkg_r_package("stringr")
#> ── R CMD build ─────────────────────────────────────────────────────────────────
#> * checking for file ‘.../DESCRIPTION’ ... OK
#> * preparing ‘stringr’:
#> * checking DESCRIPTION meta-information ... OK
#> * checking vignette meta-information ... OK
#> * checking for LF line-endings in source and make files and shell scripts
#> * checking for empty or unneeded directories
#> * building ‘stringr_1.6.0.tar.gz’
#> Warning: invalid uid value replaced by that for user 'nobody'
#> Warning: invalid gid value replaced by that for user 'nobody'
#> 
#> ── R CMD check ─────────────────────────────────────────────────────────────────
#> * using log directory ‘/tmp/RtmpHs3yFi/file5045c236b1b48/stringr.Rcheck’
#> * using R version 4.4.1 (2024-06-14)
#> * using platform: x86_64-pc-linux-gnu
#> * R was compiled by
#>     gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#>     GNU Fortran (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#> * running under: Ubuntu 22.04.4 LTS
#> * using session charset: UTF-8
#> * using options ‘--no-examples --no-manual --ignore-vignettes’
#> * checking for file ‘stringr/DESCRIPTION’ ... OK
#> * this is package ‘stringr’ version ‘1.6.0’
#> * package encoding: UTF-8
#> * checking package namespace information ... OK
#> * checking package dependencies ... OK
#> * checking if this is a source package ... OK
#> * checking if there is a namespace ... OK
#> * checking for executable files ... OK
#> * checking for hidden files and directories ... OK
#> * checking for portable file names ... OK
#> * checking for sufficient/correct file permissions ... OK
#> * checking whether package ‘stringr’ can be installed ... OK
#> * checking installed package size ... OK
#> * checking package directory ... OK
#> * checking DESCRIPTION meta-information ... OK
#> * checking top-level files ... OK
#> * checking for left-over files ... OK
#> * checking index information ... OK
#> * checking package subdirectories ... OK
#> * checking code files for non-ASCII characters ... OK
#> * checking R files for syntax errors ... OK
#> * checking whether the package can be loaded ... OK
#> * checking whether the package can be loaded with stated dependencies ... OK
#> * checking whether the package can be unloaded cleanly ... OK
#> * checking whether the namespace can be loaded with stated dependencies ... OK
#> * checking whether the namespace can be unloaded cleanly ... OK
#> * checking loading without being on the library search path ... OK
#> * checking dependencies in R code ... OK
#> * checking S3 generic/method consistency ... OK
#> * checking replacement functions ... OK
#> * checking foreign function calls ... OK
#> * checking R code for possible problems ... OK
#> * checking Rd files ... OK
#> * checking Rd metadata ... OK
#> * checking Rd cross-references ... OK
#> * checking for missing documentation entries ... OK
#> * checking for code/documentation mismatches ... OK
#> * checking Rd \usage sections ... OK
#> * checking Rd contents ... OK
#> * checking for unstated dependencies in examples ... OK
#> * checking contents of ‘data’ directory ... OK
#> * checking data for non-ASCII characters ... OK
#> * checking LazyData ... OK
#> * checking data for ASCII and uncompressed saves ... OK
#> * checking installed files from ‘inst/doc’ ... OK
#> * checking files in ‘vignettes’ ... SKIPPED
#> * checking examples ... SKIPPED
#> * checking for unstated dependencies in ‘tests’ ... OK
#> * checking tests ...
#>   Running ‘testthat.R’
#>  OK
#> * DONE
#> 
#> Status: OK
str(result_default$risk_analysis)
#> List of 8
#>  $ dependencies_count        : chr "low"
#>  $ later_version             : chr "low"
#>  $ code_coverage             : chr "low"
#>  $ total_download            : chr "low"
#>  $ license                   : chr "low"
#>  $ reverse_dependencies_count: chr "low"
#>  $ documentation_score       : chr "low"
#>  $ cmd_check                 : chr "low"

Example 2: Use Custom Configuration (Strict Code Coverage)

A custom configuration is a list of metric definitions. Each definition carries a label (display name), an id, the key of the metric it classifies, and an ordered list of thresholds, each pairing a risk level with a max bound; the final entry with max = NULL catches every value not covered by an earlier bound. The configuration below treats any code coverage at or below 99.99% as high risk and classifies popularity from last_month_download. Supplying a configuration replaces the default metric set: the result contains only the metrics you define, not the eight reported in Example 1.

strict_coverage_config <- list(
  list(
    label = "code coverage",
    id = "code_coverage",
    key = "code_coverage",
    thresholds = list(
      list(level = "high", max = 0.9999),
      list(level = "low", max = NULL)
    )
  ),
  list(
    label = "popularity",
    id = "popularity",
    key = "last_month_download",
    thresholds = list(
      list(level = "high", max = 21200000),
      list(level = "medium", max = 11200000),
      list(level = "low", max = NULL)
    )
  )
)

# Set the option
options(risk.assessr.risk_definition = strict_coverage_config)
result_strict <- risk.assessr::assess_pkg_r_package("stringr")
#> ── R CMD build ─────────────────────────────────────────────────────────────────
#> * checking for file ‘.../DESCRIPTION’ ... OK
#> * preparing ‘stringr’:
#> * checking DESCRIPTION meta-information ... OK
#> * checking vignette meta-information ... OK
#> * checking for LF line-endings in source and make files and shell scripts
#> * checking for empty or unneeded directories
#> * building ‘stringr_1.6.0.tar.gz’
#> Warning: invalid uid value replaced by that for user 'nobody'
#> Warning: invalid gid value replaced by that for user 'nobody'
#> 
#> ── R CMD check ─────────────────────────────────────────────────────────────────
#> * using log directory ‘/tmp/RtmpHs3yFi/file5045c7fbe836d/stringr.Rcheck’
#> * using R version 4.4.1 (2024-06-14)
#> * using platform: x86_64-pc-linux-gnu
#> * R was compiled by
#>     gcc (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#>     GNU Fortran (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0
#> * running under: Ubuntu 22.04.4 LTS
#> * using session charset: UTF-8
#> * using options ‘--no-examples --no-manual --ignore-vignettes’
#> * checking for file ‘stringr/DESCRIPTION’ ... OK
#> * this is package ‘stringr’ version ‘1.6.0’
#> * package encoding: UTF-8
#> * checking package namespace information ... OK
#> * checking package dependencies ... OK
#> * checking if this is a source package ... OK
#> * checking if there is a namespace ... OK
#> * checking for executable files ... OK
#> * checking for hidden files and directories ... OK
#> * checking for portable file names ... OK
#> * checking for sufficient/correct file permissions ... OK
#> * checking whether package ‘stringr’ can be installed ... OK
#> * checking installed package size ... OK
#> * checking package directory ... OK
#> * checking DESCRIPTION meta-information ... OK
#> * checking top-level files ... OK
#> * checking for left-over files ... OK
#> * checking index information ... OK
#> * checking package subdirectories ... OK
#> * checking code files for non-ASCII characters ... OK
#> * checking R files for syntax errors ... OK
#> * checking whether the package can be loaded ... OK
#> * checking whether the package can be loaded with stated dependencies ... OK
#> * checking whether the package can be unloaded cleanly ... OK
#> * checking whether the namespace can be loaded with stated dependencies ... OK
#> * checking whether the namespace can be unloaded cleanly ... OK
#> * checking loading without being on the library search path ... OK
#> * checking dependencies in R code ... OK
#> * checking S3 generic/method consistency ... OK
#> * checking replacement functions ... OK
#> * checking foreign function calls ... OK
#> * checking R code for possible problems ... OK
#> * checking Rd files ... OK
#> * checking Rd metadata ... OK
#> * checking Rd cross-references ... OK
#> * checking for missing documentation entries ... OK
#> * checking for code/documentation mismatches ... OK
#> * checking Rd \usage sections ... OK
#> * checking Rd contents ... OK
#> * checking for unstated dependencies in examples ... OK
#> * checking contents of ‘data’ directory ... OK
#> * checking data for non-ASCII characters ... OK
#> * checking LazyData ... OK
#> * checking data for ASCII and uncompressed saves ... OK
#> * checking installed files from ‘inst/doc’ ... OK
#> * checking files in ‘vignettes’ ... SKIPPED
#> * checking examples ... SKIPPED
#> * checking for unstated dependencies in ‘tests’ ... OK
#> * checking tests ...
#>   Running ‘testthat.R’
#>  OK
#> * DONE
#> 
#> Status: OK
str(result_strict$risk_analysis)
#> List of 2
#>  $ code_coverage      : chr "high"
#>  $ last_month_download: chr "high"

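Because the thresholds are an ordered list, the order of the bounds determines which tiers a metric value can actually reach. The following is an added example, not code from risk.assessr: it assumes (an assumption to verify against the package source) that a metric gets the level of the first threshold whose max is NULL or at least the metric value, and under that rule lints a configuration for tiers that can never match. In the popularity entry above, the medium bound (11,200,000) is smaller than the high bound (21,200,000) that precedes it, so with first-match evaluation any download count that satisfies the medium tier has already matched the high tier. The names classify_risk, check_thresholds and fixed_config are hypothetical.

```r
# Added example (not part of risk.assessr): validate a risk configuration
# before handing it to options(risk.assessr.risk_definition = ...).
# ASSUMPTION: a metric receives the level of the first threshold whose
# `max` is NULL or >= the metric value. Confirm this against the package
# before relying on the lint below.

classify_risk <- function(value, thresholds) {
  for (t in thresholds) {
    if (is.null(t$max) || value <= t$max) return(t$level)
  }
  NA_character_
}

# Flag tiers that are unreachable under first-match evaluation: a finite
# `max` that is not larger than the `max` before it is shadowed. Also flag
# metric definitions without a catch-all (max = NULL) final tier.
check_thresholds <- function(config) {
  problems <- character(0)
  for (metric in config) {
    maxes  <- vapply(metric$thresholds,
                     function(t) if (is.null(t$max)) Inf else as.numeric(t$max),
                     numeric(1))
    levels <- vapply(metric$thresholds, function(t) t$level, character(1))
    if (any(diff(maxes) <= 0)) {
      problems <- c(problems, sprintf(
        "%s: bounds are not strictly increasing (%s)", metric$key,
        paste(levels, format(maxes, scientific = FALSE, trim = TRUE),
              sep = " <= ", collapse = ", ")))
    }
    if (!is.null(metric$thresholds[[length(metric$thresholds)]]$max)) {
      problems <- c(problems,
                    sprintf("%s: no catch-all tier (last max should be NULL)",
                            metric$key))
    }
  }
  problems
}

# The configuration from this vignette, repeated here so the block runs alone.
cfg <- list(
  list(label = "code coverage", id = "code_coverage", key = "code_coverage",
       thresholds = list(list(level = "high", max = 0.9999),
                         list(level = "low",  max = NULL))),
  list(label = "popularity", id = "popularity", key = "last_month_download",
       thresholds = list(list(level = "high",   max = 21200000),
                         list(level = "medium", max = 11200000),
                         list(level = "low",    max = NULL)))
)

# A constructed download count that falls under the medium bound still
# matches the high tier first.
classify_risk(5e6, cfg[[2]]$thresholds)
check_thresholds(cfg)

# Reorder the popularity tiers so every level is reachable: smallest bound
# first, catch-all last. The coverage entry is kept unchanged.
fixed_config <- cfg
fixed_config[[2]]$thresholds <- list(
  list(level = "high",   max = 11200000),
  list(level = "medium", max = 21200000),
  list(level = "low",    max = NULL)
)
check_thresholds(fixed_config)
classify_risk(15e6, fixed_config[[2]]$thresholds)

# Use the validated configuration, then unset the option afterwards so later
# assessments in the session fall back to the package defaults (assumption:
# an unset option means default configuration).
options(risk.assessr.risk_definition = fixed_config)
# result <- risk.assessr::assess_pkg_r_package("stringr")
options(risk.assessr.risk_definition = NULL)
```

Run check_thresholds() on any configuration you intend to set globally; a non-empty result means at least one tier will never be reported, which silently weakens the policy the configuration was meant to encode.
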
Summary

The risk.assessr.risk_definition option allows you to tailor the risk scoring logic to your organization's policies. You can use it to enforce stricter standards, accommodate internal tooling priorities, or meet compliance requirements. Because the option is session-wide, set it deliberately (for example at the top of an assessment script) and keep in mind that it replaces, rather than extends, the default metric set.