A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

07/27/2021, by Jukka Ruohonen et al.

Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate the prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the number of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.


Related research:

Security Issues in Language-based Software Ecosystems (03/06/2019)
Using the Uniqueness of Global Identifiers to Determine the Provenance of Python Software Source Code (05/24/2023)
An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications (10/31/2018)
A Survey on Common Threats in npm and PyPi Registries (08/21/2021)
Small World with High Risks: A Study of Security Threats in the npm Ecosystem (02/25/2019)
PyCG: Practical Call Graph Generation in Python (02/28/2021)
Exploring Security Commits in Python (07/21/2023)
