SQ14160

Detected Windows executable files that embed PDB files whose integrity is verified with an insecure hashing algorithm.

| priority | CI/CD status | severity | effort | RL level | RL assessment      |
|----------|--------------|----------|--------|----------|--------------------|
|          | pass         | low      | low    | None     | hardening: warning |
Reason: outdated toolchain issues

About the issue

Program database (PDB) files are typically only used during software development. They contain private debug symbols that make it significantly easier to reverse engineer a closed-source application. In some cases, having a program database file is equivalent to having access to the source code. The presence of program databases could indicate that one or more software components have been built using a debug profile instead of a release profile.

How to resolve the issue

  • Private debug database files should not be embedded within executables, and you should remove them from the software package before releasing it.
  • The integrity verification of the embedded database files should not be done with insecure hashing algorithms. SHA1 and MD5 hashes should be deprecated throughout the application, and a more secure SHA256 algorithm should be used instead.
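As an added example (not code from the ReversingLabs page), the following Python check reads the hash algorithm that a PE file records for its PDB. It assumes the layout documented in the .NET PE-COFF specification: a debug-directory entry of type 19 (PdbChecksum) whose data is a NUL-terminated algorithm name followed by the hash bytes. The page itself does not name that structure, and the `build_sample_pe` helper only constructs a minimal PE32+ so the check can run offline on sample input.

```python
import struct

IMAGE_DEBUG_TYPE_PDBCHECKSUM = 19      # PdbChecksum entry type from the .NET PE-COFF spec
WEAK_ALGORITHMS = {"MD5", "SHA1"}       # the algorithms this policy flags

def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, vaddr, _rawsize, rawptr in sections:
        if vaddr <= rva < vaddr + vsize:
            return rawptr + (rva - vaddr)
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def pdb_checksum_entries(data):
    """Return [(algorithm_name, checksum_hex), ...] for every PdbChecksum entry in the debug directory."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_off + 6 * 8)  # index 6 = DEBUG
    sections = [struct.unpack_from("<IIII", data, opt_off + opt_size + i * 40 + 8)
                for i in range(nsections)]
    entries = []
    if dbg_size:
        off = _rva_to_offset(dbg_rva, sections)
        for _ in range(dbg_size // 28):                          # IMAGE_DEBUG_DIRECTORY is 28 bytes
            dtype, size, _addr, raw = struct.unpack_from("<IIII", data, off + 12)
            if dtype == IMAGE_DEBUG_TYPE_PDBCHECKSUM:
                name, _, digest = data[raw:raw + size].partition(b"\0")  # NUL-terminated name, then hash
                entries.append((name.decode("ascii", "replace"), digest.hex()))
            off += 28
    return entries

def weak_pdb_checksums(data):
    """Algorithm names from PdbChecksum entries that this policy treats as insecure."""
    return [alg for alg, _ in pdb_checksum_entries(data) if alg.upper() in WEAK_ALGORITHMS]

def build_sample_pe(algorithm, digest):
    """Constructed minimal PE32+ with one section holding a PdbChecksum entry (sample input, not a real binary)."""
    sec_va, sec_raw = 0x1000, 0x200
    payload = algorithm.encode() + b"\0" + digest
    entry = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_PDBCHECKSUM,
                        len(payload), sec_va + 28, sec_raw + 28)
    opt = struct.pack("<H", 0x20B).ljust(112, b"\0")             # PE32+ optional header up to the data directories
    opt += b"\0" * 48 + struct.pack("<II", sec_va, 28) + b"\0" * 72  # only the DEBUG directory (index 6) is set
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0)
    sect = b".debug\0\0" + struct.pack("<IIII", 0x200, sec_va, 0x200, sec_raw) + b"\0" * 16
    headers = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(sec_raw, b"\0") + (entry + payload).ljust(0x200, b"\0")
```

Running `weak_pdb_checksums` over a real binary (`open(path, "rb").read()`) returns the offending algorithm names; an empty list means either no PdbChecksum entry or an acceptable one such as SHA256.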

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total amount of packages analyzed:

  • RubyGems: 174K
  • Nuget: 189K
  • PyPi: 403K
  • NPM: 2.1M