A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

2021 18th International Conference on Privacy, Security and Trust (PST) Pub Date : 2021-07-27 DOI:10.1109/PST52912.2021.9647791

Jukka Ruohonen, Kalle Hjerppe, Kalle Rindell

{"title":"A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI","authors":"Jukka Ruohonen, Kalle Hjerppe, Kalle Rindell","doi":"10.1109/PST52912.2021.9647791","DOIUrl":null,"url":null,"abstract":"Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.","PeriodicalId":144610,"journal":{"name":"2021 18th International Conference on Privacy, Security and Trust (PST)","volume":"49 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-07-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"8","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 18th International Conference on Privacy, Security and Trust (PST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/PST52912.2021.9647791","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 8

Abstract

Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.

查看原文本刊更多论文

PyPI中Python包的大规模面向安全的静态分析

不同的安全问题是归档到软件生态系统并通过软件生态系统交付的开源包的常见问题。这些通常表现为可能导致具体软件漏洞的软件弱点。本文通过静态分析研究Python包中的各种安全问题。该数据集基于存储在Python包索引(PyPI)中的所有包的快照。总共涵盖了超过19.7万个包和74.9万个安全问题。即使在静态分析的约束下，(a)结果表明安全问题的普遍性;大约46%的Python包至少存在一个问题。就问题类型而言，(b)异常处理和不同的代码注入是最常见的问题。子流程模块在这方面表现突出。反映软件包通常较小的大小，(c)软件大小度量不能很好地预测通过静态分析揭示的问题的数量。通过这些结果和相应的讨论，本文有助于大规模实证研究领域更好地理解软件生态系统中的安全问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2021 18th International Conference on Privacy, Security and Trust (PST)

自引率

0.00%

发文量