SQ20126
Detected digital signatures that contain a certificate that is missing some of the common fields in its subject property.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | medium | None | None |
About the issueโ
Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. When purchased from a certificate authority, a certificate must conform to industry standards and best practices. One such requirement is that certificate subject identity includes either common name or organization name. This is required to distinguish between multiple similar identities to which a certificate might be issued to. Even if those similar identities belong to the same organization, they might need to represent different business units. While a commercial certificate authority is unlikely to go against these recommendations, some policy deviations can occur in practice.
How to resolve the issueโ
- Communicate the detected issue to your certificate issuer, and have a new certificate created to resolve it.
- Use your newly issued certificate to re-sign the software component.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Digital certificates (External resource - Microsoft)
- Subject in a certificate (External resource - NIST)
- Structure of a certificate (External resource - Wikipedia)