SQ14141
Detected Windows executable files that might have SDL process enforcement coverage gaps.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | medium | None | None |
About the issueโ
Security Development Lifecycle (SDL) is a group of enhanced compile-time checks that report common coding mistakes as errors, preventing them from reaching production. These checks were detected as enabled, but their effectiveness was impacted by the use of outdated precompiled code. It was determined that the application had been linked against static libraries produced by multiple toolchain versions. Because some of them predate the general availability of the security development lifecycle checks, it is likely that protection coverage gaps exist.
How to resolve the issueโ
- Recompile statically linked libraries with the same programming language toolchain version.
- In Microsoft VisualStudio, you can enable the feature by setting the compiler option /SDL to ON.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Secure Development Lifecycle: The essential guide to safe software pipelines (External resource - TechBeacon)
- A journey across static and dynamic libraries (External resource - internalpointers)