GitPython

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Problem

Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.

Problem

Operating systems allow multiple user accounts to coexist on a single computer system. Each registered user has identity information associated with their account. At the very least, user accounts consist of a user name and an optional password. In some cases, user account data may also include personally identifiable information. Extended personal information may include user's given and last name, their email and mailing address, personal photo and their telephone number. Financially motivated attackers may seek to collect personal information for purposes of selling the private data to a third-party. Malicious code that typically exhibits these behavior traits is commonly referred to as an information stealer. While the presence of code that accesses identity information does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Accessing identity information is a very common behavior for software packages. One example of acceptable use for such functions is verifying that the active user has purchased a software license that allows them to run the application.