Top issues
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. A port number is associated with a network address of a host, such as an IP address, and the type of network protocol used for communication. Within URLs, the ports are optional. Ports can be specified in a URL immediately following the domain name. Each network protocol, or schema, has a set of standard ports on which the service operates. This issue is raised when a mismatch between a network protocol and its expected port number is detected. While the presence of non-standard ports does not imply malicious intent, all of their uses in a software package should be documented and approved.Prevalence in PyPI community
34 packages
found in
Top 100
261 packages
found in
Top 1k
1650 packages
found in
Top 10k
58747 packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider changing the port to one that is standard for the networking protocol.
Problem
Private keys and certificates are considered sensitive information that should not be included in released software packages. However, developers frequently release sensitive information alongside their applications to facilitate automated software testing. Testing keys and certificates often proliferate through the software supply chain. When such information gets shared publicly, it is catalogued by file reputation databases. Any private key and certificate files seen by a file reputation database prior to configured time threshold can be automatically suppressed. Commonly shared sensitive information is not considered to be secret.Prevalence in PyPI community
38 packages
found in
Top 100
164 packages
found in
Top 1k
747 packages
found in
Top 10k
16783 packages
in community
Next steps
Review the commonly shared sensitive information for evidence of inadvertently exposed secrets.
If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.
Top behaviors
Sends data on a connected TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
13 packages
found in
Top 100
99 packages
found in
Top 1k
566 packages
found in
Top 10k
19246 packages
in community
Receives data from a connected TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
9 packages
found in
Top 100
94 packages
found in
Top 1k
476 packages
found in
Top 10k
16117 packages
in community
Permits an incoming connection on a TCP socket.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
8 packages
found in
Top 100
64 packages
found in
Top 1k
281 packages
found in
Top 10k
8972 packages
in community
Opens a socket listening for an incoming connection.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
9 packages
found in
Top 100
75 packages
found in
Top 1k
309 packages
found in
Top 10k
9292 packages
in community
Opens a TCP connection to a remote server.
network
Prevalence in PyPI community
Behavior often found in this community (Common)
16 packages
found in
Top 100
128 packages
found in
Top 1k
776 packages
found in
Top 10k
25965 packages
in community
Top vulnerabilities
No vulnerabilities found.