Researchers in Finland have examined the open-source software libraries in the Python Package Index and found that it is riddled with security issues. The researchers found that PyPI, as it is popularly known, has potentially vulnerable code in nearly half the index.
The research was published in a paper by ArXiv, Jukka Ruohonen, Kalle Hjerppe, and Kalle Rindell from the University of Turku.
In the paper, the researchers describe how they tested the 197,000 Python packages available through PyPI using a static analysis tool called Bandit and discovered more than 749,000 instances of potentially vulnerable code.
The researchers said that even under the constraints of static analysis, the results indicate that security issues are prevalent, affecting 46% of the Python packages.
Most of the issues identified (442,373) are of low severity, with 227,426 having moderate severity and 80,065 are highly severe.
The moderate issues are present in about 25% of the PyPI packages, while the highly severe issues occur in about 11% of the packages. Out of the 46% packages with problems, the median number of issues stands at three. However, some packages were worse than others, by a wide margin.
A widespread problem
On the extreme end, the researchers said that there are five packages (PyGGI, appengine-sdk, genie.libs.ops, pbcore, and genie.libs.parser) with more than a thousand detected problems.
Some of the worst offenders may make users uneasy, but the researchers say that many of them are not anything to worry about. For instance, they reported that all of the 2,589 problems with PyGGI, are related to the “try-except-pass” construct, which may be better classified as suspicion of vulnerability than vulnerability.
Other similar studies of software package ecosystems have come to the same conclusions, necessitating a security overhaul.