Skip to main content

Research Repository

Advanced Search

Static analysis of security issues of the Python packages ecosystem

Gorine, Adam; Spondon, Faten

Authors

Faten Spondon



Abstract

Python is considered the most popular programming language and offers its own ecosystem for archiving and maintaining open-source software packages. This system is called the python package index (PyPI), the repository of this programming language. Unfortunately, one-third of these software packages have vulnerabilities that allow attackers to execute code automatically when a vulnerable or malicious package is installed. This paper contributes to large-scale empirical studies investigating security issues in the python ecosystem by evaluating package vulnerabilities. These provide a series of implications that can help the security of software ecosystems by improving the process of discovering, fixing, and managing package vulnerabilities. The vulnerable dataset is generated using the NVD, the national vulnerability database, and the Snyk vulnerability dataset. In addition, we evaluated 807 vulnerability reports in the NVD and 3900 publicly known security vulnerabilities in Python Package Manager (pip) from the Snyk database from 2002 to 2022. As a result, many Python vulnerabilities appear in high severity, followed by medium severity. The most problematic areas have been improper input validation and denial of service attacks. A hybrid scanning tool that combines the three scanners bandit, snyk and dlint, which provide a clear report of the code vulnerability, is also described.

Presentation Conference Type Conference Paper (published)
Conference Name IRC 2023: International Conference on Computer Science, Programming and Security
Acceptance Date Mar 16, 2023
Online Publication Date Apr 16, 2023
Publication Date Mar 16, 2023
Deposit Date Apr 13, 2023
Journal World Academy of Science, Engineering and Technology: Open Science Index: Computer and Information Engineering
Print ISSN 2010-376X
Electronic ISSN 2010-3778
Publisher World Academy of Science, Engineering and Technology
Volume 17
Issue 3
Pages 33-40
Series Title International Research Conference Proceedings
Series Number IRC 2023
Series ISSN 1307-6892
Keywords Python vulnerabilities, bandit, snyk, dlint, python package index, ecosystem, static analysis, malicious attacks.
Public URL https://uwe-repository.worktribe.com/output/10623319
Publisher URL https://publications.waset.org/abstracts/161094/static-analysis-of-security-issues-of-the-python-packages-ecosystem
Related Public URLs https://publications.waset.org/