List of software quality issues with the number of affected components.
category ALL
Policies
Info
Category
Problem
Data Execution Prevention (DEP/NX) is a vulnerability mitigation option that prevents data from being interpreted as code anywhere within the application. This mitigation protects the application stack, heap and other memory data ranges. Executable files that fail to implement this mitigation expose the user to increased risks of malicious code injection.
Prevalence in PyPI community
23 packages
found in
Top 100
96 packages
found in
Top 1k
422 packages
found in
Top 10k
5.91k packages
in community
Next steps
It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.
To enable this mitigation, refer to your programming language linker documentation.
In Microsoft VisualStudio, you can enable DEP mitigation by setting the linker option /NXCOMPAT to ON.
Problem
Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Imported function addresses are pointers to the symbols that implement the application-required functionality. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
Prevalence in PyPI community
15 packages
found in
Top 100
29 packages
found in
Top 1k
165 packages
found in
Top 10k
3.83k packages
in community
Next steps
Review the programming language linker options, and consider a build toolchain update.
Problem
Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Thread local storage (TLS) callbacks are pointers to code initialization and resource release functions. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.
Prevalence in PyPI community
7 packages
found in
Top 100
16 packages
found in
Top 1k
121 packages
found in
Top 10k
3.03k packages
in community
Next steps
Review the programming language linker options, and consider a build toolchain update.
Problem
Software license is a legal instrument that governs the use and distribution of software source code and its binary representation. Software publishers have the freedom to choose any commonly used or purposefully written license to publish their work under. While some licenses are liberal and allow almost any kind of distribution, with or without code modification, other licenses are more restrictive and impose rules for their inclusion in other software projects. Weak copyleft licenses in particular impose requirements that the user must be able to replace or update the code they apply to. In practical terms, that means the object and library files that statically link to weak copyleft code must be made available publicly. For commercial applications, this is typically undesirable. Therefore, statically linking to weak copyleft code is commonly avoided or even prohibited by the organization policy. Instead of linking statically to weak copyleft licensed code, it is recommended to isolate such code into modules that the publisher-developed, first-party code can dynamically link to without the aforementioned obligations.
Prevalence in PyPI community
1 packages
found in
Top 100
19 packages
found in
Top 1k
106 packages
found in
Top 10k
1.34k packages
in community
Next steps
Confirm that the software package statically links to a weak copyleft dependency.
Investigate if the software publisher provides this dependency under a non-copyleft license.
Consider replacing the software dependency with an alternative that offers a license compatible with commercial use.
Alternatively, repackage the code so that it dynamically links to a weak copyleft dependency.
Problem
Software license is a legal instrument that governs the use and distribution of software source code and its binary representation. Software publishers have the freedom to choose any commonly used or purposefully written license to publish their work under. While some licenses are liberal and allow almost any kind of distribution, with or without code modification, other licenses are more restrictive and impose rules for their inclusion in other software projects. Some software licenses place restrictions on software distribution of the code they apply to. These restrictions may extend to the services built upon the code licensed under such restrictive licenses. Some restrictive licenses explicitly state that the licensee may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the licensed software. When building commercial applications, this is typically undesirable. Therefore, the inclusion of any code that may impose limits on software distribution is commonly avoided or even prohibited by the organization policy.
Prevalence in PyPI community
7 packages
found in
Top 100
82 packages
found in
Top 1k
1208 packages
found in
Top 10k
109.57k packages
in community
Next steps
Confirm that the software package references a component or a dependency with a restrictive license.
Consider replacing the software component with an alternative that offers a license compatible with organization policy.
Problem
Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks minimize the number of security issues by enforcing strict memory access checks. They also prevent the use of hard-to-secure string and memory manipulation functions. To prove the binary has been compiled with these checks enabled, the compiler emits a special debug object. Removing the debug table eliminates this proof. Therefore, this check only applies to binaries that still have their debug tables.
Prevalence in PyPI community
12 packages
found in
Top 100
63 packages
found in
Top 1k
326 packages
found in
Top 10k
7.08k packages
in community
Next steps
You should keep the debug table to prove that the SDL process has been followed.
To enable these checks, refer to your programming language toolchain documentation.
In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.
Problem
Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.
Prevalence in PyPI community
36 packages
found in
Top 100
209 packages
found in
Top 1k
1750 packages
found in
Top 10k
81.53k packages
in community
Next steps
Perform impact analysis for the reported CVEs.
Update the component to the latest version.
If the update can't resolve the issue, create a plan to isolate or replace the affected component.
Problem
Software developers use programming and design knowledge to build reusable software components. Software components are the basic building blocks for modern applications. Software consumed by an enterprise consists of hundreds, and sometimes even thousands of open source components. Open source communities depend on the work of thousands of software developers that volunteer their time to maintain software components. Software developers build up the reputation of their open source projects by developing in public. Modern source code repositories have many social features that allow software developers to handle bug reports, have discussions with their users, and convey reaching significant project milestones. It is uncommon to find open source projects that omit linking their component to a publicly accessible source code repository.
Prevalence in PyPI community
70 packages
found in
Top 100
472 packages
found in
Top 1k
4207 packages
found in
Top 10k
413.79k packages
in community
Next steps
Check the software component behaviors for anomalies.
Consider exploratory software component testing within a sandbox environment.
Consider replacing the software component with a more widely used alternative.
Avoid using this software package until it is vetted as safe.
Problem
Address Space Layout Randomization (ASLR) is a vulnerability mitigation option that forces software components to load on a different memory base address each time they are used. This makes the memory layout unpredictable, and it is therefore harder for malicious code to be reliably injected during application runtime. Although enabling ASLR is an opt-in setting during program linking, some operating system configurations can still enforce its use if the vulnerability mitigation requirements are met. This is possible even if the application hasn't been explicitly marked as ASLR-compatible. While this generally improves security posture, the limitation of ASLR enforcement is that the application load addresses are not truly randomized. In most cases, the application load base is different than the default, but it remains the same for the entire duration of device uptime.
Prevalence in PyPI community
19 packages
found in
Top 100
71 packages
found in
Top 1k
285 packages
found in
Top 10k
3.05k packages
in community
Next steps
In Microsoft VisualStudio, you should explicitly enable ASLR mitigation by setting the linker option /DYNAMICBASE to ON.
Problem
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Because the code flow integrity is verified during runtime, malicious code is less likely to be able to hijack trusted execution paths.
Prevalence in PyPI community
29 packages
found in
Top 100
114 packages
found in
Top 1k
525 packages
found in
Top 10k
8.89k packages
in community
Next steps
It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.
To enable this mitigation, refer to your programming language toolchain documentation.
In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.