Static Analysis of Security Issues of the Python Packages Ecosystem

Authors: Adam Gorine, Faten Spondon

Abstract:

Python is considered the most popular programming language, and it offers its own ecosystem for archiving and maintaining open-source software packages: the Python Package Index (PyPI), the language's package repository. Unfortunately, one-third of these packages have vulnerabilities that allow attackers to execute code automatically when a vulnerable or malicious package is installed. This paper contributes to the large-scale empirical studies investigating security issues in the Python ecosystem by evaluating package vulnerabilities. The findings yield a series of implications that can improve the security of software ecosystems by improving the process of discovering, fixing, and managing package vulnerabilities. The vulnerability dataset is generated from the National Vulnerability Database (NVD) and the Snyk vulnerability database. We evaluated 807 vulnerability reports in the NVD and 3900 publicly known security vulnerabilities in the Python Package Manager (Pip) from the Snyk database, covering 2002 to 2022. As a result, many Python vulnerabilities are of high severity, followed by medium severity. The most problematic areas are improper input validation and denial-of-service attacks. A hybrid scanning tool that combines three scanners, Bandit, Snyk and Dlint, and produces a single clear report of code vulnerabilities is also described.

Keywords: Python vulnerabilities, Bandit, Snyk, Dlint, Python Package Index, ecosystem, static analysis, malicious attacks.
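As an added illustration of the hybrid-scanner idea (example code written for this page, not the authors' tool): it normalises a Bandit JSON report and Dlint's flake8-style output into one finding list, merges hits on the same file and line, and tallies them by severity in the way the abstract summarises its results. The two scan outputs are constructed samples, the Dlint severity table is an assumption, and a Snyk adapter of the same tuple shape would be the third input.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample of a Bandit JSON report (`bandit -f json`); not real scan output.
BANDIT_JSON = json.dumps({"results": [
    {"filename": "app/util.py", "line_number": 12, "test_id": "B102", "issue_severity": "MEDIUM",
     "issue_confidence": "HIGH", "issue_text": "Use of exec detected."},
    {"filename": "app/db.py", "line_number": 40, "test_id": "B608", "issue_severity": "MEDIUM",
     "issue_confidence": "LOW", "issue_text": "Possible SQL injection vector through string-based query construction."},
    {"filename": "app/crypto.py", "line_number": 3, "test_id": "B303", "issue_severity": "HIGH",
     "issue_confidence": "HIGH", "issue_text": "Use of insecure MD5 hash function."},
]})

# Constructed sample of Dlint's flake8-style output (`flake8 --select=DUO`); not real scan output.
DLINT_TEXT = """app/util.py:12:1: DUO105 use of "exec" is insecure
app/net.py:7:5: DUO104 use of "eval" is insecure
"""

# Dlint emits no severity of its own; this rating table is an assumption made for the example.
DLINT_SEVERITY = {"DUO104": "HIGH", "DUO105": "HIGH"}
LEVELS = ("HIGH", "MEDIUM", "LOW", "UNKNOWN")  # most to least severe
DLINT_LINE = re.compile(r"^(?P<path>[^:]+):(?P<line>\d+):\d+: (?P<rule>DUO\d+) (?P<msg>.*)$")

def parse_bandit(raw):
    """Normalise Bandit JSON results to (scanner, path, line, rule, severity, message)."""
    return [("bandit", r["filename"], r["line_number"], r["test_id"],
             r["issue_severity"].upper(), r["issue_text"]) for r in json.loads(raw)["results"]]

def parse_dlint(raw):
    """Normalise Dlint's flake8-style lines to the same tuple shape; unparsable lines are skipped."""
    return [("dlint", m["path"], int(m["line"]), m["rule"],
             DLINT_SEVERITY.get(m["rule"], "UNKNOWN"), m["msg"])
            for m in map(DLINT_LINE.match, raw.splitlines()) if m]

def hybrid_report(bandit_raw, dlint_raw):
    """Merge both scanners by (path, line): one entry per location, rated at the highest severity."""
    merged = defaultdict(lambda: {"rules": [], "scanners": set(), "severity": "UNKNOWN"})
    for scanner, path, line, rule, sev, _msg in parse_bandit(bandit_raw) + parse_dlint(dlint_raw):
        entry = merged[(path, line)]
        entry["rules"].append(rule)
        entry["scanners"].add(scanner)
        if LEVELS.index(sev) < LEVELS.index(entry["severity"]):
            entry["severity"] = sev
    return {"findings": dict(merged),
            "by_severity": dict(Counter(e["severity"] for e in merged.values())),
            # locations flagged by more than one scanner are the highest-confidence hits
            "corroborated": [k for k, e in merged.items() if len(e["scanners"]) > 1]}
```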
