A Large-Scale Security-Oriented Static Analysis of Python Packages in PyPI

TL;DR

This study conducts a large-scale static analysis of Python packages in PyPI, revealing widespread security issues, especially in exception handling and code injection, with package size not correlating to security problems.

Contribution

It provides the first comprehensive large-scale empirical analysis of security issues across all PyPI packages using static analysis.

Findings

46% of packages contain at least one security issue

Exception handling and code injection are the most common issues

Package size metrics do not predict security issues

Abstract

Different security issues are a common problem for open source packages archived to and delivered through software ecosystems. These often manifest themselves as software weaknesses that may lead to concrete software vulnerabilities. This paper examines various security issues in Python packages with static analysis. The dataset is based on a snapshot of all packages stored to the Python Package Index (PyPI). In total, over 197 thousand packages and over 749 thousand security issues are covered. Even under the constraints imposed by static analysis, (a) the results indicate prevalence of security issues; at least one issue is present for about 46% of the Python packages. In terms of the issue types, (b) exception handling and different code injections have been the most common issues. The subprocess module stands out in this regard. Reflecting the generally small size of the packages, (c) software size metrics do not predict well the amount of issues revealed through static analysis. With these results and the accompanying discussion, the paper contributes to the field of large-scale empirical studies for better understanding security problems in software ecosystems.