List of software quality issues with the number of affected components.
category ALL
Policies
Info
Category
Problem
Proprietary ReversingLabs analysis engine supports a wide range of commonly used archive and software packaging formats. Using automated static file decomposition technologies, the engine recursively analyzes complex software packages. Software analysis is typically conducted in multiple steps. Content identification, unpacking, validation, and classification are some of the steps performed on each analyzed file. To limit the access to authorized users, the package contents may optionally be password-protected. When the package content is protected with an unknown password, it cannot be fully inspected by the analysis engine. The protected content might contain additional software components that were not listed in the Software Bill of Materials (SBOM) due to use of unknown passwords.
Prevalence in PyPI community
3 packages
found in
Top 100
16 packages
found in
Top 1k
50 packages
found in
Top 10k
468 packages
in community
Next steps
Consult the ReversingLabs product documentation for a list of supported archive and software packaging formats.
CLI only: Provide the ReversingLabs analysis engine with the passwords used to protect the software package.
Problem
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that dynamic calls are made only to vetted functions. Trusted execution paths rely on the ability of the operating system to build a list of valid function targets. Certain functions can intentionally be disallowed to prevent malicious code from deactivating vulnerability mitigation features. A list of such invalid function targets can include publicly exported symbols. Applications that enhance control flow integrity through export suppression rely on libraries to mark their publicly visible symbols as suppressed. This is done for all symbols that are considered to be sensitive functions, and to which access should be restricted. It is considered dangerous to mix applications that perform export suppression with libraries that do not.
Prevalence in PyPI community
30 packages
found in
Top 100
143 packages
found in
Top 1k
833 packages
found in
Top 10k
15.19k packages
in community
Next steps
To enable this mitigation on library code, refer to your programming language toolchain documentation.
In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.
Problem
Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Higher-level programming languages implement structured exception handling by managing their own code flow execution paths. As such, they are subject to code flow hijacking during runtime. Language-specific exception handling mitigation enforces execution integrity by instrumenting calls to manage execution context switching. Any deviation from the known and trusted code flow paths will cause the application to terminate. This makes malicious code less likely to execute.
Prevalence in PyPI community
36 packages
found in
Top 100
164 packages
found in
Top 1k
932 packages
found in
Top 10k
17.86k packages
in community
Next steps
It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.
To enable this mitigation, refer to your programming language toolchain documentation.
In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.
Problem
Private keys and certificates are considered sensitive information that should not be included in released software packages. However, developers frequently release sensitive information alongside their applications to facilitate automated software testing. Testing keys and certificates often proliferate through the software supply chain. When such information gets shared publicly, it is catalogued by file reputation databases. Any private key and certificate files seen by a file reputation database prior to configured time threshold can be automatically suppressed. Commonly shared sensitive information is not considered to be secret.
Prevalence in PyPI community
37 packages
found in
Top 100
169 packages
found in
Top 1k
753 packages
found in
Top 10k
16.54k packages
in community
Next steps
Review the commonly shared sensitive information for evidence of inadvertently exposed secrets.
If the keys were published unintentionally and the software has been made public, you should revoke the keys and file a security incident.