“Almost half of the packages in the official Python Package Index (PyPI) repository have at least one security issue,” reports TechRadar, citing a new analysis by Finnish researchers, which even found five packages with more than a thousand issues each…
The researchers used static analysis to uncover the security issues in the open source packages, which they reason end up tainting software that use them. In total the research scanned through 197,000 packages and found more than 749,000 security issues in all… Explaining their methodology the researchers note that despite the inherent limitations of static analysis, they still found at least one security issue in about 46% of the packages in the repository. The paper reveals that of the issues identified, the maximum (442,373) are of low severity, while 227,426 are moderate severity issues. However, 11% of the flagged PyPI packages have 80,065 high severity issues.
The Register supplies some context:
Other surveys of this sort have come to similar conclusions about software package ecosystems. Last September, a group of IEEE researchers analyzed 6,673 actively used Node.js apps and found about 68 per cent depended on at least one vulnerable package… The situation is similar with package registries like Maven (for Java), NuGet (for .NET), RubyGems (for Ruby), CPAN (for Perl), and CRAN (for R). In a phone interview, Ee W. Durbin III, director of infrastructure at the Python Software Foundation, told The Register, “Things like this tend not to be very surprising. One of the most overlooked or misunderstood parts of PyPI as a service is that it’s intended to be freely accessible, freely available, and freely usable. Because of that we don’t make any guarantees about the things that are available there…”
Durbin welcomed the work of the Finnish researchers because it makes people more aware of issues that are common among open package management systems and because it benefits the overall health of the Python community. “It’s not something we ignore but it’s also not something we historically have had the resources to take on,” said Durbin. That may be less of an issue going forward. According to Durbin, there’s been significantly more interest over the past year in supply chain security and what companies can do to improve the situation. For the Python community, that’s translated into an effort to create a package vulnerability reporting API and the Python Advisory Database, a community-run repository of PyPI security advisories that’s linked to the Google-spearheaded Open Vulnerability Database.