Dr Adam Gorine (Adam.Gorine@uwe.ac.uk), Senior Lecturer in Cyber Security
Static analysis of security issues of the Python packages ecosystem
Gorine, Adam; Spondon, Faten
Abstract
Python is considered the most popular programming language and offers its own ecosystem for archiving and maintaining open-source software packages. This system is called the Python Package Index (PyPI), the repository of this programming language. Unfortunately, one-third of these software packages have vulnerabilities that allow attackers to execute code automatically when a vulnerable or malicious package is installed. This paper contributes to large-scale empirical studies investigating security issues in the Python ecosystem by evaluating package vulnerabilities. These provide a series of implications that can help the security of software ecosystems by improving the process of discovering, fixing, and managing package vulnerabilities. The vulnerable dataset is generated using the NVD, the National Vulnerability Database, and the Snyk vulnerability dataset. In addition, we evaluated 807 vulnerability reports in the NVD and 3900 publicly known security vulnerabilities in the Python Package Manager (pip) from the Snyk database from 2002 to 2022. As a result, many Python vulnerabilities are of high severity, followed by medium severity. The most problematic areas have been improper input validation and denial of service. A hybrid scanning tool that combines the three scanners bandit, snyk and dlint, and provides a clear report of the code vulnerabilities found, is also described.
| Field | Value |
|---|---|
| Presentation Conference Type | Conference Paper (published) |
| Conference Name | IRC 2023: International Conference on Computer Science, Programming and Security |
| Acceptance Date | Mar 16, 2023 |
| Online Publication Date | Apr 16, 2023 |
| Publication Date | Mar 16, 2023 |
| Deposit Date | Apr 13, 2023 |
| Journal | World Academy of Science, Engineering and Technology: Open Science Index: Computer and Information Engineering |
| Print ISSN | 2010-376X |
| Electronic ISSN | 2010-3778 |
| Publisher | World Academy of Science, Engineering and Technology |
| Volume | 17 |
| Issue | 3 |
| Pages | 33-40 |
| Series Title | International Research Conference Proceedings |
| Series Number | IRC 2023 |
| Series ISSN | 1307-6892 |
| Keywords | Python vulnerabilities, bandit, snyk, dlint, python package index, ecosystem, static analysis, malicious attacks |
| Public URL | https://uwe-repository.worktribe.com/output/10623319 |
| Publisher URL | https://publications.waset.org/abstracts/161094/static-analysis-of-security-issues-of-the-python-packages-ecosystem |
| Related Public URLs | https://publications.waset.org/ |