2018 9th International Workshop on Empirical Software Engineering in Practice (IWESEP) 2018
DOI: 10.1109/iwesep.2018.00013
|View full text |Cite
|
Sign up to set email alerts
|

An Empirical Analysis of Vulnerabilities in Python Packages for Web Applications

Abstract: This paper examines software vulnerabilities in common Python packages used particularly for web development. The empirical dataset is based on the PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository. The methodological approach builds on a release-based time series analysis of the conditional probabilities for the releases of the packages to be vulnerable. According to the results, many of the Python vulnerabilities observed seem to be o… Show more

Help me understand this report
View preprint versions

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1
1

Citation Types

2
18
0

Year Published

2019
2019
2024
2024

Publication Types

Select...
4
2
2

Relationship

2
6

Authors

Journals

citations
Cited by 19 publications
(20 citation statements)
references
References 23 publications
2
18
0
Order By: Relevance
“…In particular, the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) framework provide information about the severity of the vulnerabilities and the typical weaknesses behind these. As is well-known [24,30,43], it should be remarked that not all of the CVEs observed have CVSS and CWE entries in NVD due to delays and other database maintenance issues. In any case, the results regarding these frameworks are summarized in Fig.…”
Section: Severity and Weaknessesmentioning
confidence: 88%
See 2 more Smart Citations
“…In particular, the Common Vulnerability Scoring System (CVSS) and the Common Weakness Enumeration (CWE) framework provide information about the severity of the vulnerabilities and the typical weaknesses behind these. As is well-known [24,30,43], it should be remarked that not all of the CVEs observed have CVSS and CWE entries in NVD due to delays and other database maintenance issues. In any case, the results regarding these frameworks are summarized in Fig.…”
Section: Severity and Weaknessesmentioning
confidence: 88%
“…The reason why NVD is sometimes slower may relate to the online sources monitored by WPVDB's maintainers for gaining information about plugin vulnerabilities. Like many [28,40], but not all [24], vulnerability databases, WPVDB provides hyperlinks to the original information sources. To illustrate the main sources, Fig.…”
Section: Overviewmentioning
confidence: 99%
See 1 more Smart Citation
“…On a broader scope, the issues that emerge from our analysis can be seen as consequences of the black-box nature of software libraries. It is a known issue that the tendency of developers to include third-party code in their projects, without prior verification of its content, can lead to the inclusion of vulnerabilities or, in the worst case, of malicious code [10,33,43]. Indeed, in recent history, prominent package repositories for the Python and JavaScript languages have been the target of attacks that aimed to exploit the popularity of widely-used libraries [28,42].…”
Section: Discussionmentioning
confidence: 99%
“…In 2018, Ruohonen [21] discussed and examines software vulnerabilities in common Python packages used particularly for web development. Their dataset is basically on the base of PyPI package repository and the so-called Safety DB used to track vulnerabilities in selected packages within the repository.…”
Section: Literature Reviewmentioning
confidence: 99%