
SQ14161

Detected Windows executable files that are not using a cryptographically secure GUID for their PDB identifier.

priority | CI/CD status | severity | effort | RL level | RL assessment
         | pass         | low      | low    | None     | None

About the issue

Program database (PDB) files are typically used only during software development. They contain private debug symbols that make it significantly easier to determine the root cause of a software quality issue. Applications built to support debugging link to their program database through a Globally Unique Identifier (GUID) stored in the executable's debug directory, next to an "age" counter and the PDB path. A debugger or symbol server matches symbols on this GUID and age rather than on the file name, so the identifier is the main check that the correct debugging symbols have been loaded. A GUID is unique only in a statistical sense: that property depends on the identifier being generated from enough unpredictable bits. Generating it with a non-cryptographically secure algorithm increases the odds of a collision, where two different binaries carry the same identifier, and can make the identifier a build will carry easier to anticipate.
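To make the matching described above concrete, here is an added example (not ReversingLabs' detection logic, and not code from the page) in standard-library Python. It walks a PE file's debug directory, decodes the RSDS CodeView record into GUID, age and PDB path, derives the key a debugger would send to a symbol server, and classifies the GUID by its RFC 4122 version and variant bits. The minimal PE it constructs for offline use, the sample GUIDs, and the assumption that the version bits are one reasonable way to judge how a GUID was produced are all mine; the page does not say how the check is implemented.

```python
"""Walk a PE debug directory, decode the RSDS CodeView record, classify the PDB GUID.
Added example (not ReversingLabs' scanner). Standard library only."""
import struct
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIRECTORY_INDEX = 6  # IMAGE_DIRECTORY_ENTRY_DEBUG


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table.
    Assumption: an RVA inside no section lives in the headers, where RVA == file offset."""
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return rva


def extract_codeview(data):
    """Return the raw CodeView record referenced by the PE debug directory, or None."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    dd_base = opt + (96 if _u16(data, opt) == 0x10B else 112)  # PE32 vs PE32+ layout
    dbg_rva, dbg_size = struct.unpack_from("<II", data, dd_base + 8 * DEBUG_DIRECTORY_INDEX)
    if dbg_size == 0:
        return None
    sections = []
    for i in range(nsect):  # IMAGE_SECTION_HEADER fields: VirtualSize@8, VirtualAddress@12, SizeOfRawData@16, PointerToRawData@20
        s = opt + opt_size + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8), _u32(data, s + 20), _u32(data, s + 16)))
    off = rva_to_offset(dbg_rva, sections)
    for entry in range(off, off + dbg_size, 28):  # sizeof(IMAGE_DEBUG_DIRECTORY) == 28
        dtype, size, _addr, rawptr = struct.unpack_from("<IIII", data, entry + 12)
        if dtype == IMAGE_DEBUG_TYPE_CODEVIEW:
            return data[rawptr:rawptr + size]
    return None


def parse_rsds(cv):
    """Decode an RSDS record: 'RSDS', 16-byte GUID (little-endian fields), u32 age, NUL-terminated PDB path."""
    if cv[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=cv[4:20])
    age = _u32(cv, 20)
    path = cv[24:].split(b"\0", 1)[0].decode("utf-8", "replace")
    return guid, age, path


def symbol_server_key(guid, age, path):
    """Lookup key a debugger sends to a symbol server: <pdb>/<GUID hex><age hex>/<pdb>."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return f"{name}/{guid.hex.upper()}{age:X}/{name}"


def classify_guid(guid):
    """Heuristic on the RFC 4122 version/variant bits (assumption: one way to judge
    how the identifier was produced; the page does not say how RL checks)."""
    if guid.variant != uuid.RFC_4122:
        return "non-standard layout"
    return {1: "time/MAC-based (predictable)", 3: "name-based MD5 (deterministic)",
            4: "random", 5: "name-based SHA-1 (deterministic)"}.get(guid.version, "other")


def make_rsds(guid_str, age, path):
    """Constructed RSDS record, used to build the offline sample below."""
    return b"RSDS" + uuid.UUID(guid_str).bytes_le + struct.pack("<I", age) + path.encode() + b"\0"


def build_sample_pe(cv):
    """Constructed minimal PE32+ (not loadable) whose only content is a debug directory
    with one CodeView entry, placed in the header region so RVA == file offset."""
    pe_off, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)           # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    dbg_dir_off = pe_off + 24 + opt_size
    cv_off = dbg_dir_off + 28
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8 * DEBUG_DIRECTORY_INDEX, dbg_dir_off, 28)
    dbg = struct.pack("<IIHHIIII", 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), cv_off, cv_off)
    return dos + coff + bytes(opt) + dbg + cv


SAMPLE_GUID_V4 = "3f2504e0-4f89-41d3-9a0c-0305e82c3301"  # constructed, random-style (v4)
SAMPLE_GUID_V1 = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"  # constructed, time/MAC-style (v1)


def sample_pe(guid_str=SAMPLE_GUID_V4):
    return build_sample_pe(make_rsds(guid_str, 1, r"C:\build\app.pdb"))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe()
    g, a, p = parse_rsds(extract_codeview(data))
    print(p, symbol_server_key(g, a, p), classify_guid(g))
```

Run it with a real executable as the first argument to see the PDB path, the symbol-server key and the GUID classification; without an argument it uses the constructed sample. Treat the classification as a hint, not a verdict: a toolchain can set the version bits to 4 and still feed them from a weak generator, and deterministic-build toolchains may derive the GUID from a content hash without using the name-based layouts listed here.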

How to resolve the issue

  • Some programming language toolchains do not generate cryptographically secure GUIDs, and the identifier is chosen by the toolchain rather than by your code, so the mitigation is on the consuming side: maintain a list of trusted symbol servers for the development environment and point debuggers only at those (on Windows, the _NT_SYMBOL_PATH environment variable or the debugger's symbol path setting), so that a colliding or anticipated identifier cannot cause symbols to be fetched from an untrusted source.

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total number of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • npm: 2.1M