List of software quality issues with the number of affected components.
category ALL
Policies
Info
Category
Detected presence of severe vulnerabilities with active exploitation.
Causes risk: actively exploited vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known severe vulnerabilities. Available threat intelligence telemetry has confirmed that the reported high or critical severity vulnerabilities are actively being exploited by malicious actors.Prevalence in NuGet community
0 packages
found in
Top 100
4 packages
found in
Top 1k
86 packages
found in
Top 10k
62.07k packages
in community
Next steps
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of critical severity vulnerabilities.
Causes risk: critical severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as critical severity.Prevalence in NuGet community
0 packages
found in
Top 100
3 packages
found in
Top 1k
47 packages
found in
Top 10k
21.52k packages
in community
Next steps
Perform impact analysis for the reported CVEs.
We strongly advise updating the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Detected presence of high severity vulnerabilities.
Causes risk: high severity vulnerabilities
vulnerabilities
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.Prevalence in NuGet community
0 packages
found in
Top 100
4 packages
found in
Top 1k
115 packages
found in
Top 10k
88.61k packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.Prevalence in NuGet community
0 packages
found in
Top 100
22 packages
found in
Top 1k
142 packages
found in
Top 10k
59.57k packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider an alternative delivery mechanism for software packages.
Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.
Causes risk: outdated toolchains detected
hardening
Problem
Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed-source application. In some cases, having a program database file is equivalent to having access to the source code. Presence of program databases could indicate that one or more software components have been built using a debug profile, instead of the release.Prevalence in NuGet community
0 packages
found in
Top 100
14 packages
found in
Top 1k
69 packages
found in
Top 10k
19.61k packages
in community
Next steps
Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.
The integrity verification of the embedded database files should not be done with insecure hashing algorithms. SHA1 and MD5 hashes should be deprecated throughout the application, and a more secure SHA256 algorithm should be used instead.
Detected Linux executable files compiled without any kind of buffer overrun protection while using banned string functions.
Causes risk: misconfigured toolchains detected
hardening
Problem
Buffer overrun protection on Linux is achieved in two ways. The most common solution is to use the stack canary (also called cookie). The stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. In most cases, compilers will apply the stack canary conservatively in order to avoid a negative performance impact. Therefore, stack canaries are often used together with another stack overrun mitigation - fortified functions. Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, when combined with the stack canary, fortified functions provide a good measure of buffer overrun protection.Prevalence in NuGet community
0 packages
found in
Top 100
1 packages
found in
Top 1k
17 packages
found in
Top 10k
2.23k packages
in community
Next steps
Presence of unfortified string functions may indicate use of unsafe programming practices, and you should avoid it if possible.
In GCC, enable fortified functions with -fstack-protector and -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Detected Linux executable files compiled without any kind of buffer overrun protection while using banned memory functions.
Causes risk: misconfigured toolchains detected
hardening
Problem
Buffer overrun protection on Linux is achieved in two ways. The most common solution is to use the stack canary (also called cookie). The stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. In most cases, compilers will apply the stack canary conservatively in order to avoid a negative performance impact. Therefore, stack canaries are often used together with another stack overrun mitigation - fortified functions. Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, when combined with the stack canary, fortified functions provide a good measure of buffer overrun protection.Prevalence in NuGet community
0 packages
found in
Top 100
1 packages
found in
Top 1k
19 packages
found in
Top 10k
2.64k packages
in community
Next steps
Presence of unfortified memory functions may indicate use of unsafe programming practices, and you should avoid it if possible.
In GCC, enable fortified functions with -fstack-protector and -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Detected Linux executable files compiled without any kind of buffer overrun protection while using banned input functions.
Causes risk: misconfigured toolchains detected
hardening
Problem
Buffer overrun protection on Linux is achieved in two ways. The most common solution is to use the stack canary (also called cookie). The stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. In most cases, compilers will apply the stack canary conservatively in order to avoid a negative performance impact. Therefore, stack canaries are often used together with another stack overrun mitigation - fortified functions. Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, when combined with the stack canary, fortified functions provide a good measure of buffer overrun protection.Prevalence in NuGet community
0 packages
found in
Top 100
1 packages
found in
Top 1k
19 packages
found in
Top 10k
2.22k packages
in community
Next steps
Presence of some input functions may indicate use of unsafe programming practices, and you should avoid it if possible.
In GCC, enable fortified functions with -fstack-protector and -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Detected Linux executable files that use a deprecated method to store the security cookie, making the buffer overrun vulnerability mitigation protection less effective.
Causes risk: reduced effectiveness mitigations
hardening
Problem
Stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. Older compilers might generate stack cookies in a way that makes it possible to determine their value, allowing the attacker to render the mitigation ineffective.Prevalence in NuGet community
0 packages
found in
Top 100
0 packages
found in
Top 1k
13 packages
found in
Top 10k
2.59k packages
in community
Next steps
In GCC, you can enable the stack canary with -fstack-protector-strong or -fstack-protector-all flag, but it may also be enabled by default in more recent versions of the compiler.
Consider upgrading your compiler.
Detected presence of software components that are rarely included by other public software packages.
hunting
Problem
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Software developers publish components they have authored to public repositories. While a new software project is a welcome addition to the open source community. it is not always prudent to indiscriminately use the latest components when building a commercial application. Irrespective of the software quality, the danger of using components that are rarely used to build applications lies in the fact that the software component may contain novel, currently undetected malicious code. Therefore, it is prudent to review software component behaviors and even try out software component in a sandbox, an environment meant for testing untrusted code.Prevalence in NuGet community
No prevalence information at this timeNext steps
Check the software component behaviors for anomalies.
Consider exploratory software component testing within a sandbox environment.
Consider replacing the software component with a more widely used alternative.
Avoid using this software package until it is vetted as safe.
10