Spectra Assure

warningRisk: Hardening

Scanned:

SpeechRecognition

Artifact:

latest

Top 10k

Library for performing speech recognition, with support for several engines and APIs, online and offline.

License: Permissive (BSD-3-Clause)

Published:

Visit GitHub

See on PyPI

SAFE Assessment

Compliance

Licenses

1 copyleft licensed components

Secrets

4 debugging symbols found

Security

Vulnerabilities

No known vulnerabilities detected

Hardening

2 baseline mitigations missing

Threats

Tampering

No evidence of software tampering

Malware

No evidence of malware inclusion

List of software quality issues with the number of affected components.

Policies

Info

Problem

Address Space Layout Randomization (ASLR) is a vulnerability mitigation option that forces software components to load on a different memory base address each time they are used. This mitigation is detected as enabled, but rendered ineffective due to the lack of code relocations necessary for layout randomization. This issue is reported for native 32-bit applications that contain code and opt in to use ASLR. Reasons for relocation absence include forcing software component load on a fixed address, removing relocations post-build, and using non-ASLR-compliant executable packing solutions.

Prevalence in PyPI community

0 packages

found in

Top 100

0 packages

found in

Top 1k

10 packages

found in

Top 10k

161 packages

in community

Next steps

Review the programming language linker documentation.

In Microsoft VisualStudio, make sure the linker option /FIXED is disabled (set to OFF).

Problem

Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Imported function addresses are pointers to the symbols that implement the application-required functionality. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.

Prevalence in PyPI community

15 packages

found in

Top 100

29 packages

found in

Top 1k

165 packages

found in

Top 10k

3.83k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Sensitive executable memory regions should be kept as read-only to protect the integrity of trusted execution code flow paths. Thread local storage (TLS) callbacks are pointers to code initialization and resource release functions. If those pointers are changed by malicious code, execution paths can be redirected to unintended locations. Most modern programming language toolchains protect those memory regions appropriately. These issues are commonly reported for outdated linkers and non-compliant executable packing solutions.

Prevalence in PyPI community

7 packages

found in

Top 100

16 packages

found in

Top 1k

121 packages

found in

Top 10k

3.03k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Software license is a legal instrument that governs the use and distribution of software source code and its binary representation. Software publishers have the freedom to choose any commonly used or purposefully written license to publish their work under. While some licenses are liberal and allow almost any kind of distribution, with or without code modification, other licenses are more restrictive and impose rules for their inclusion in other software projects. Copyleft licenses in particular impose substantial restrictions on the licensee. They typically require that any derived works, and even software code that merely interacts with copyleft code, be licensed under the same license. Since copyleft licenses are commonly applied to open source code, their inclusion requires that the entire software package becomes open sourced. For commercial applications, this is typically undesirable. Therefore, the inclusion of copyleft code is commonly avoided or even prohibited by the organization policy.

Prevalence in PyPI community

4 packages

found in

Top 100

42 packages

found in

Top 1k

659 packages

found in

Top 10k

89.98k packages

in community

Next steps

Confirm that the software package includes a copyleft component.

Investigate if the software publisher provides this component under a non-copyleft license.

Consider replacing the software component with an alternative that offers a license compatible with commercial use.

Problem

Software license is a legal instrument that governs the use and distribution of software source code and its binary representation. Software publishers have the freedom to choose any commonly used or purposefully written license to publish their work under. While some licenses are liberal and allow almost any kind of distribution, with or without code modification, other licenses are more restrictive and impose rules for their inclusion in other software projects. Some software licenses place restrictions on software distribution of the code they apply to. These restrictions may extend to the services built upon the code licensed under such restrictive licenses. Some restrictive licenses explicitly state that the licensee may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the licensed software. When building commercial applications, this is typically undesirable. Therefore, the inclusion of any code that may impose limits on software distribution is commonly avoided or even prohibited by the organization policy.

Prevalence in PyPI community

7 packages

found in

Top 100

82 packages

found in

Top 1k

1208 packages

found in

Top 10k

109.57k packages

in community

Next steps

Confirm that the software package references a component or a dependency with a restrictive license.

Consider replacing the software component with an alternative that offers a license compatible with organization policy.

Problem

ASLR (address-space layout randomization) is a mitigation technique that increases the difficulty of performing buffer-overflow attacks that require the attacker to know the address of the program in memory. This is done by loading the program at a randomly selected address in the process' address space. ASLR-enabled kernels can choose a random load address only for position-independent executables and code.

Prevalence in PyPI community

3 packages

found in

Top 100

17 packages

found in

Top 1k

119 packages

found in

Top 10k

2.96k packages

in community

Next steps

To support ASLR, the program must be compiled as position-independent code. In most compilers, this is done by passing the corresponding position-independent flag, such as -fPIC for shared libraries or -fPIE for executables.

Problem

On Linux, external symbols are resolved via the procedure linkage table (PLT) and the global offset table (GOT). The global offset table is split into two tables - one for external data, and one for external functions. Without any protection, both are writable at runtime and thus leave the executable vulnerable to data overwrite attacks and pointer hijacking. Data overwrite attacks can be mitigated by using partial read-only relocations, while pointer hijacking can be mitigated with full read-only relocations. Both approaches have some drawbacks. Partial read-only relocations don't provide full protection, because the external function GOT remains writable. Full read-only relocations require that all external function symbols are resolved at load-time instead of during execution. This may increase loading time for large programs.

Prevalence in PyPI community

21 packages

found in

Top 100

95 packages

found in

Top 1k

405 packages

found in

Top 10k

3.91k packages

in community

Next steps

In most cases, it's recommended to use full read-only relocations (in GCC: -Wl,-z,relro,-z,now).

If the executable load-time is an issue, you should use partial read-only relocations.

Problem

Control Flow Guard (CFG/CFI) protects the code flow integrity by ensuring that indirect calls are made only to vetted functions. This mitigation protects dynamically resolved function targets by instrumenting the code responsible for transferring execution control. Because the code flow integrity is verified during runtime, malicious code is less likely to be able to hijack trusted execution paths.

Prevalence in PyPI community

29 packages

found in

Top 100

114 packages

found in

Top 1k

525 packages

found in

Top 10k

8.89k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. The integrity validation relies on the cryptographic strength of the encryption and the hash verification algorithm. If either of the two is considered weak by current standards, there is a chance the signed object could be maliciously modified, without triggering the integrity failure check.

Prevalence in PyPI community

2 packages

found in

Top 100

15 packages

found in

Top 1k

100 packages

found in

Top 10k

1.8k packages

in community

Next steps

Create signatures with strong ECC key-length of at least 224 bits, or RSA key-length of at least 2048 bits, and use SHA256 as the hashing algorithm. While encryption key-length upgrade does require you to obtain a new certificate, the hashing algorithm can freely be selected during signing.

With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.

Problem

Debug databases are typically only used during software development. On Windows, they are usually files embedded into the executable (PDB), while on Linux, they're contained inside special executable sections. The databases contain private debug symbols that make it significantly easier to reverse-engineer a closed-source application. In some cases, having a debug database is equivalent to having access to the source code. Presence of debug databases could indicate that one or more software components have been built using a debug profile, instead of the release. Private debug databases can be embedded into software components by programming language tools.

Prevalence in PyPI community

27 packages

found in

Top 100

130 packages

found in

Top 1k

824 packages

found in

Top 10k

14.18k packages

in community

Next steps

To remediate this issue and remove private debugging information, refer to your programming language toolchain documentation.

Did you know...

... that you can use ReversingLabs’ Spectra Assure platform to perform regular risk assessments of packages you develop in-house?

We recommend continuous software safeness monitoring through CI/CD integrations and pre-release/deployment checks. In addition to basic package information found on this page our platform offers rich reports for developers and DevSecOps that help them remediate all reported issues.

This website uses cookies to ensure the best website experience. By continuing to use this website you are giving your consent to cookies being used. Detailed information about our use of cookies is here.

List of software quality issues with the number of affected components.

Policies

Info

Problem

Prevalence in PyPI community

0 packages

found in

Top 100

0 packages

found in

Top 1k

10 packages

found in

Top 10k

161 packages

in community

Next steps

Review the programming language linker documentation.

In Microsoft VisualStudio, make sure the linker option /FIXED is disabled (set to OFF).

Problem

Prevalence in PyPI community

15 packages

found in

Top 100

29 packages

found in

Top 1k

165 packages

found in

Top 10k

3.83k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Prevalence in PyPI community

7 packages

found in

Top 100

16 packages

found in

Top 1k

121 packages

found in

Top 10k

3.03k packages

in community

Next steps

Review the programming language linker options, and consider a build toolchain update.

Problem

Prevalence in PyPI community

4 packages

found in

Top 100

42 packages

found in

Top 1k

659 packages

found in

Top 10k

89.98k packages

in community

Next steps

Confirm that the software package includes a copyleft component.

Investigate if the software publisher provides this component under a non-copyleft license.

Consider replacing the software component with an alternative that offers a license compatible with commercial use.

Problem

Software license is a legal instrument that governs the use and distribution of software source code and its binary representation. Software publishers have the freedom to choose any commonly used or purposefully written license to publish their work under. While some licenses are liberal and allow almost any kind of distribution, with or without code modification, other licenses are more restrictive and impose rules for their inclusion in other software projects. Some software licenses place restrictions on software distribution of the code they apply to. These restrictions may extend to the services built upon the code licensed under such restrictive licenses. Some restrictive licenses explicitly state that the licensee may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the licensed software. When building commercial applications, this is typically undesirable. Therefore, the inclusion of any code that may impose limits on software distribution is commonly avoided or even prohibited by the organization policy.

Prevalence in PyPI community

7 packages

found in

Top 100

82 packages

found in

Top 1k

1208 packages

found in

Top 10k

109.57k packages

in community

Next steps

Confirm that the software package references a component or a dependency with a restrictive license.

Consider replacing the software component with an alternative that offers a license compatible with organization policy.

Problem

Prevalence in PyPI community

3 packages

found in

Top 100

17 packages

found in

Top 1k

119 packages

found in

Top 10k

2.96k packages

in community

Next steps

Problem

Prevalence in PyPI community

21 packages

found in

Top 100

95 packages

found in

Top 1k

405 packages

found in

Top 10k

3.91k packages

in community

Next steps

In most cases, it's recommended to use full read-only relocations (in GCC: -Wl,-z,relro,-z,now).

If the executable load-time is an issue, you should use partial read-only relocations.

Problem

Prevalence in PyPI community

29 packages

found in

Top 100

114 packages

found in

Top 1k

525 packages

found in

Top 10k

8.89k packages

in community

Next steps

It's highly recommended to enable this option for all software components used at security boundaries, or those that process user controlled inputs.

To enable this mitigation, refer to your programming language toolchain documentation.

In Microsoft VisualStudio, you can enable CFG mitigation by passing the /guard:cf parameter to the compiler and linker.

Problem

Prevalence in PyPI community

2 packages

found in

Top 100

15 packages

found in

Top 1k

100 packages

found in

Top 10k

1.8k packages

in community

Next steps

With Microsoft SignTool, you can specify the hashing algorithm using the /fd SHA256 parameter.

Problem

Prevalence in PyPI community

27 packages

found in

Top 100

130 packages

found in

Top 1k

824 packages

found in

Top 10k

14.18k packages

in community

Next steps

To remediate this issue and remove private debugging information, refer to your programming language toolchain documentation.

SpeechRecognition

SAFE Assessment

Compliance

Security

Threats

SQ14107Detected Windows executable files that try to implement ASLR but do not have relocations to support that vulnerability mitigation protection.Causes risk: ineffective mitigations detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ14156Detected Windows executable files with imported functions susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ14158Detected Windows executable files with TLS callbacks susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ12101Detected presence of software components distributed with copyleft licenses.Causes risk: copyleft licensed componentslicenses

Problem

Prevalence in PyPI community

Next steps

SQ12405Detected presence of licenses that place restrictions on software distribution.Causes risk: software distribution restrictionslicenses

Problem

Prevalence in PyPI community

Next steps

SQ18111Detected Linux executable files that do not implement the ASLR vulnerability mitigation protection.Causes risk: baseline mitigations missinghardening

Problem

Prevalence in PyPI community

Next steps

SQ18112Detected Linux executable files that were compiled without any dynamic symbol hijacking protections.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ14122Detected Windows executable files that do not implement CFG vulnerability mitigation protection.Causes risk: modern mitigations missinghardening

Problem

Prevalence in PyPI community

Next steps

SQ20119Detected digital signatures that rely on a weak digest algorithm for integrity validation.signatures

Problem

Prevalence in PyPI community

Next steps

SQ34203Detected presence of hardcoded debug databases.Causes risk: debugging symbols foundsecrets

Problem

Prevalence in PyPI community

Next steps

Did you know...

SQ14107Detected Windows executable files that try to implement ASLR but do not have relocations to support that vulnerability mitigation protection.Causes risk: ineffective mitigations detectedhardening

Problem

Prevalence in PyPI community

Next steps

SQ14156Detected Windows executable files with imported functions susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ14158Detected Windows executable files with TLS callbacks susceptible to pointer hijacking.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ12101Detected presence of software components distributed with copyleft licenses.Causes risk: copyleft licensed componentslicenses

Problem

Prevalence in PyPI community

Next steps

SQ12405Detected presence of licenses that place restrictions on software distribution.Causes risk: software distribution restrictionslicenses

Problem

Prevalence in PyPI community

Next steps

SQ18111Detected Linux executable files that do not implement the ASLR vulnerability mitigation protection.Causes risk: baseline mitigations missinghardening

Problem

Prevalence in PyPI community

Next steps

SQ18112Detected Linux executable files that were compiled without any dynamic symbol hijacking protections.Causes risk: execution hijacking concernshardening

Problem

Prevalence in PyPI community

Next steps

SQ14122Detected Windows executable files that do not implement CFG vulnerability mitigation protection.Causes risk: modern mitigations missinghardening

Problem

Prevalence in PyPI community

Next steps

SQ20119Detected digital signatures that rely on a weak digest algorithm for integrity validation.signatures

Problem