Spectra Assure

warningRisk: Vulnerabilities

Scanned:

psycopg2-binary

Artifact:

latest

Top 1k

psycopg2 - Python-PostgreSQL Database Adapter

License: unknown

Published:

Visit GitHub

See on PyPI

SAFE Assessment

Compliance

Licenses

No license compliance issues

Secrets

No sensitive information found

Security

Vulnerabilities

1 high severity vulnerabilities

Hardening

9 misconfigured toolchains detected

Threats

Tampering

No evidence of software tampering

Malware

No evidence of malware inclusion

List of software quality issues with the number of affected components.

Policies

Info

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors. These checks prevent the use of hard-to-secure string manipulation functions. They enforce static memory access checks, and allow only the use of range-verified string parsing functions. While these checks do not prevent every memory corruption issue by themselves, they do help reduce the likelihood.

Prevalence in PyPI community

10 packages

found in

Top 100

45 packages

found in

Top 1k

247 packages

found in

Top 10k

4.13k packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Prevalence in PyPI community

42 packages

found in

Top 100

278 packages

found in

Top 1k

1960 packages

found in

Top 10k

77.08k packages

in community

Next steps

Perform impact analysis for the reported CVEs.

Update the component to the latest version.

If the update can't resolve the issue, create a plan to isolate or replace the affected component.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks minimize the number of security issues by enforcing strict memory access checks. They also prevent the use of hard-to-secure string and memory manipulation functions. To prove the binary has been compiled with these checks enabled, the compiler emits a special debug object. Removing the debug table eliminates this proof. Therefore, this check only applies to binaries that still have their debug tables.

Prevalence in PyPI community

12 packages

found in

Top 100

63 packages

found in

Top 1k

326 packages

found in

Top 10k

7.08k packages

in community

Next steps

You should keep the debug table to prove that the SDL process has been followed.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors. These checks prevent the use of hard-to-secure memory manipulation functions. They enforce static memory access checks, and allow only the use of range-verified memory access functions. While these checks do not prevent every memory corruption issue by themselves, they do help reduce the likelihood.

Prevalence in PyPI community

4 packages

found in

Top 100

45 packages

found in

Top 1k

242 packages

found in

Top 10k

5.25k packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.

Prevalence in PyPI community

36 packages

found in

Top 100

209 packages

found in

Top 1k

1750 packages

found in

Top 10k

81.53k packages

in community

Next steps

Perform impact analysis for the reported CVEs.

Update the component to the latest version.

If the update can't resolve the issue, create a plan to isolate or replace the affected component.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.

Prevalence in PyPI community

30 packages

found in

Top 100

143 packages

found in

Top 1k

833 packages

found in

Top 10k

15.19k packages

in community

Next steps

To enable this mitigation on library code, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Higher-level programming languages implement structured exception handling by managing their own code flow execution paths. As such, they are subject to code flow hijacking during runtime. Language-specific exception handling mitigation enforces execution integrity by instrumenting calls to manage execution context switching. Any deviation from the known and trusted code flow paths will cause the application to terminate. This makes malicious code less likely to execute.

Prevalence in PyPI community

36 packages

found in

Top 100

164 packages

found in

Top 1k

932 packages

found in

Top 10k

17.86k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.

List of software quality issues with the number of affected components.

Policies

Info

Problem

Prevalence in PyPI community

10 packages

found in

Top 100

45 packages

found in

Top 1k

247 packages

found in

Top 10k

4.13k packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Prevalence in PyPI community

42 packages

found in

Top 100

278 packages

found in

Top 1k

1960 packages

found in

Top 10k

77.08k packages

in community

Next steps

Perform impact analysis for the reported CVEs.

Update the component to the latest version.

If the update can't resolve the issue, create a plan to isolate or replace the affected component.

Problem

Prevalence in PyPI community

12 packages

found in

Top 100

63 packages

found in

Top 1k

326 packages

found in

Top 10k

7.08k packages

in community

Next steps

You should keep the debug table to prove that the SDL process has been followed.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Prevalence in PyPI community

4 packages

found in

Top 100

45 packages

found in

Top 1k

242 packages

found in

Top 10k

5.25k packages

in community

Next steps

It's highly recommended to enable these checks for all software components used at security boundaries, or those that process user controlled inputs.

To enable these checks, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable this feature by setting the compiler option /SDL to ON.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as medium severity.

Prevalence in PyPI community

36 packages

found in

Top 100

209 packages

found in

Top 1k

1750 packages

found in

Top 10k

81.53k packages

in community

Next steps

Perform impact analysis for the reported CVEs.

Update the component to the latest version.

If the update can't resolve the issue, create a plan to isolate or replace the affected component.

Problem

Prevalence in PyPI community

30 packages

found in

Top 100

143 packages

found in

Top 1k

833 packages

found in

Top 10k

15.19k packages

in community

Next steps

To enable this mitigation on library code, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Problem

Prevalence in PyPI community

36 packages

found in

Top 100

164 packages

found in

Top 1k

932 packages

found in

Top 10k

17.86k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

psycopg2-binary

SAFE Assessment

Compliance

Security

Threats

SQ14140Detected Windows executable files compiled without following the SDL best practices while using banned string functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ31105Detected presence of high severity vulnerabilities.Causes risk: high severity vulnerabilitiesvulnerabilities

Problem

Prevalence in PyPI community

Next steps

SQ14138Detected Windows executable files that were compiled without following the recommended SDL process.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ14139Detected Windows executable files compiled without following the SDL best practices while using banned memory functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ31106Detected presence of medium severity vulnerabilities.Causes risk: medium severity vulnerabilitiesvulnerabilities

Problem

Prevalence in PyPI community

Next steps

SQ14125Detected Windows shared library files that do not suppress exports which reduces CFG vulnerability mitigation protection effectiveness.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in PyPI community

Next steps

SQ14127Detected Windows executable files that do not implement long jump control flow vulnerability mitigation protection.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in PyPI community

Next steps

Did you know...

SQ14140Detected Windows executable files compiled without following the SDL best practices while using banned string functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ31105Detected presence of high severity vulnerabilities.Causes risk: high severity vulnerabilitiesvulnerabilities

Problem

Prevalence in PyPI community

Next steps

SQ14138Detected Windows executable files that were compiled without following the recommended SDL process.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ14139Detected Windows executable files compiled without following the SDL best practices while using banned memory functions.Causes risk: misconfigured toolchains detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ31106Detected presence of medium severity vulnerabilities.Causes risk: medium severity vulnerabilitiesvulnerabilities

Problem

Prevalence in PyPI community

Next steps

SQ14125Detected Windows shared library files that do not suppress exports which reduces CFG vulnerability mitigation protection effectiveness.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in PyPI community

Next steps

SQ14127Detected Windows executable files that do not implement long jump control flow vulnerability mitigation protection.Causes risk: low priority mitigations absenthardening

Problem

Prevalence in PyPI community

Next steps