Python code libraries are riddled with security holes

Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue, according to analysis by Finnish researchers.

The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting the software that uses them.

In total, the researchers scanned 197,000 packages and found more than 749,000 security issues.

“With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems,” note the researchers in their paper.

Cause for concern

Explaining their methodology, the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository.

The paper reveals that of the issues identified, the largest share (442,373) are of low severity, while 227,426 are of moderate severity. However, 11% of the flagged PyPI packages carry 80,065 high-severity issues between them.

In terms of issue types, poor exception handling and various forms of code injection were found to be the most prevalent.
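As an added illustration of the kind of static check that surfaces these two issue classes (this is example code written for this page, not the researchers' tooling), the following AST-based scanner flags calls to `eval()`/`exec()`, `subprocess` calls with `shell=True`, and broad `except` blocks that silently `pass`. The sample module it scans is constructed for the example, not taken from any real PyPI package.

```python
import ast
from dataclasses import dataclass

# Constructed sample module (not a real PyPI package) showing both issue classes.
SAMPLE_SOURCE = '''
import subprocess

def load(user_input):
    try:
        return eval(user_input)   # code injection: evaluates untrusted text
    except Exception:
        pass                      # swallowed exception hides the failure

def run(cmd):
    return subprocess.run(cmd, shell=True)   # shell injection if cmd is untrusted
'''

@dataclass
class Finding:
    line: int
    severity: str
    message: str

INJECTION_CALLS = {"eval", "exec"}
BROAD_EXCEPTIONS = {"Exception", "BaseException"}

class IssueVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Name) and func.id in INJECTION_CALLS:
            self.findings.append(Finding(node.lineno, "high", f"call to {func.id}()"))
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) \
                and func.value.id == "subprocess":
            for kw in node.keywords:   # shell=True hands the string to a shell
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self.findings.append(Finding(node.lineno, "high", "subprocess call with shell=True"))
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # Bare `except:` or `except Exception:` whose only statement is `pass`.
        broad = node.type is None or (isinstance(node.type, ast.Name) and node.type.id in BROAD_EXCEPTIONS)
        if broad and len(node.body) == 1 and isinstance(node.body[0], ast.Pass):
            self.findings.append(Finding(node.lineno, "low", "broad except that only passes"))
        self.generic_visit(node)

def scan_source(source):
    """Parse Python source and return findings sorted by line number."""
    visitor = IssueVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: [{f.severity}] {f.message}")
```

Running the module prints one finding per flagged line; real scanners add many more rules and data-flow tracking, but the shape of the check is the same.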

“Of the 46% of all packages with at least one issue, the median number of issues is three,” note the researchers. Of course, the distribution is far from even, with a few packages riddled with many more issues, including five that were found to have more than a thousand each.

The researchers have reason to be concerned. PyPI has been at the receiving end of several campaigns to poison the repository with malicious packages.

Earlier this year in June, PyPI was purged of half a dozen typosquatting packages that contained cryptomining malware, and a month before that the repository was flooded with spam packages.



from TechRadar - All the latest technology news https://ift.tt/3iUp222