Security News > 2022 > August > Boffins rate npm and PyPI package security and it's not good
Computer scientists at North Carolina State University have put the OpenSSF Scorecard tool to the test by using it to evaluate packages published in the npm and PyPI software package registries.
In a preprint paper distributed via ArXiv, NCSU researchers Nusrat Zahan, Parth Kanakiya, Brian Hambleton, Shohanuzzaman Shohan, and Laurie Williams applied the OpenSSF Scorecard to software packages within npm and PyPI in order to see what security practices could be identified among the developers using those registries.
"On the contrary, practices like Dangerous Workflows and Token Permission scan GitHub workflows to verify the presence of good practices. But what would happen if a repository did not contain GitHub workflows? The tool would still give a high score to that package because it could not detect any bad practices. Hence, even if these metrics had a high percentage of packages with good practices, it also opens up the debate about whether Scorecard should check for the existence of GitHub workflows before verifying the good or bad practices for accurate results."
"Packages may contain more vulnerabilities than are listed. For example, Elder et al. showed in a study that they found 95 times more vulnerabilities than reported. Hence, if we do more in-depth studies to detect vulnerabilities, we might find more than we know, and in that case, our finding shows evidence that we need to focus on secure coding. Note that the scorecard tool gives us a way to measure these security practices, but it is up to the practitioners to determine how they can improve package security."
Both npm and PyPI scored poorly on checks like "Security-Policy" (a published security policy such as a SECURITY.md with a disclosure contact), "Packaging" (building and publishing the package from a CI workflow), "Signed Releases" (signatures or attestations on release artifacts), and "Fuzzing" (integration with a fuzzing service). None of these gaps is a vulnerability in itself, but together they show how much room these package ecosystems and the developers publishing to them have to take security more seriously.
Another heuristic, "Pinned Dependencies," appears to show npm and PyPI in a good light: more than 99 percent of packages had at least one pinned dependency. That figure deserves a second look. The Scorecard check measures whether dependencies pulled in by build and release files (Dockerfiles, shell scripts, GitHub workflows) are pinned to a specific version or commit hash, and "at least one pinned dependency" is a low bar that says nothing about the dependencies that remain floating.
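To make the "Pinned Dependencies" heuristic and the "high score for no evidence" pitfall quoted from the paper above concrete, here is a small pinning scorer written for this page. It is an added example, not the OpenSSF Scorecard's code or the NCSU authors' tooling; the file names, the scoring formula and the sample manifests are all constructed for illustration. It counts pinned versus total dependencies across a requirements.txt (pinned means `==` plus a `--hash`), a package.json (pinned means an exact version, not a `^`/`~`/`*` range) and a GitHub Actions workflow (pinned means a full 40-hex commit SHA rather than a tag), and, unlike the behaviour the paper criticises, it reports "no-evidence" rather than a full score when it finds nothing to check.

```python
"""Toy pinned-dependency scorer in the spirit of the OpenSSF Scorecard check.

Added example for this article; not Scorecard's own implementation. File names,
scoring formula and sample inputs are constructed for illustration.
"""
import json
import re

# A GitHub Action reference pinned to a full commit SHA, e.g. owner/repo@<40 hex>.
SHA_PIN = re.compile(r"@[0-9a-f]{40}$")
# An exact semver string in package.json; anything with ^, ~, >=, * or x is a range.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def pip_requirements(text):
    """Return (pinned, total) for a requirements.txt.

    A requirement counts as pinned only when it uses '==' AND carries at least
    one --hash option, so that a resolver cannot be pointed at a different
    artifact for the same version string."""
    pinned = total = 0
    joined = text.replace("\\\n", " ")  # fold backslash line continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option line
            continue
        total += 1
        if "==" in line and "--hash=" in line:
            pinned += 1
    return pinned, total


def npm_package_json(text):
    """Return (pinned, total) for dependencies/devDependencies in package.json."""
    data = json.loads(text)
    deps = {}
    for key in ("dependencies", "devDependencies"):
        deps.update(data.get(key, {}))
    pinned = sum(1 for spec in deps.values() if EXACT_VERSION.match(spec))
    return pinned, len(deps)


def github_workflow(text):
    """Return (pinned, total) for 'uses:' references in a GitHub Actions workflow."""
    uses = re.findall(r"^\s*-?\s*uses:\s*(\S+)", text, re.M)
    pinned = sum(1 for ref in uses if SHA_PIN.search(ref))
    return pinned, len(uses)


def score(files):
    """files: mapping of repo path -> file contents.

    Returns per-file counts plus an overall 0-10 score. The key design choice:
    when no dependency-bearing file exists at all, the verdict is 'no-evidence'
    rather than a perfect score, which is exactly the trap the NCSU paper
    describes for checks that look for bad patterns in absent workflow files."""
    counts = {}
    for path, text in files.items():
        if path.endswith("requirements.txt"):
            counts[path] = pip_requirements(text)
        elif path.endswith("package.json"):
            counts[path] = npm_package_json(text)
        elif ".github/workflows/" in path and path.endswith((".yml", ".yaml")):
            counts[path] = github_workflow(text)
    pinned = sum(p for p, _ in counts.values())
    total = sum(t for _, t in counts.values())
    if total == 0:
        return {"files": counts, "score": None, "verdict": "no-evidence"}
    verdict = "pass" if pinned == total else "partial"
    return {"files": counts, "score": round(10 * pinned / total), "verdict": verdict}


# --- Constructed sample repository (hash and SHA values are placeholders) ---
REQUIREMENTS = r"""# constructed sample
requests==2.31.0 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3>=1.26
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.18.2", "lodash": "^4.17.21"},
    "devDependencies": {"jest": "*"},
})

WORKFLOW = """on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@v4
"""

SAMPLE_REPO = {
    "requirements.txt": REQUIREMENTS,
    "package.json": PACKAGE_JSON,
    ".github/workflows/ci.yml": WORKFLOW,
}

if __name__ == "__main__":
    print(score(SAMPLE_REPO))                       # 3 of 7 pinned -> score 4, partial
    print(score({"README.md": "no manifests here"}))  # nothing to check -> no-evidence
```

Run as a script to see the two verdicts side by side: the sample repository has one pinned entry in each of its three files and scores 4 out of 10, while a repository with no manifests at all is reported as "no-evidence" rather than being silently rewarded for having nothing to scan.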
News URL
https://go.theregister.com/feed/www.theregister.com/2022/08/11/npm_pypi_security/