SQ30201
Detected presence of software components with potentially unwanted dependencies.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | fail | medium | high | 2 | malware: fail (Reason: undesirable dependencies found) |
About the issue
Potentially unwanted applications (PUAs) can be considered a risk by some software users. Software of this type typically collects private user data or, in more extreme cases, tampers with system security settings. Most threat prevention solutions detect and block PUAs. Some software dependencies are optional and may be installed or downloaded only when a certain pre-defined condition is met. When such dependencies are confirmed to be present within the software package, additional issues might also be reported. Software packages that trigger security solution detections also tend to increase the number of support calls and tickets opened by users.
How to resolve the issue
- Revise the use of components that raise these alarms. If you can't deprecate those components, make sure they are well-documented.
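As an added illustration of how a team might act on this guidance in its own pipeline (this is example code, not part of the ReversingLabs documentation or of Spectra Assure), the helper below reviews a requirements file against an organization-maintained denylist of components known to raise PUA detections. It also notes when a flagged dependency is conditional (declared with a PEP 508 environment marker, so it is only installed when the marker condition is met) and whether the component has a documented, reviewed exception. Flagged components without documentation fail the check; documented ones are downgraded to a warning. The requirement lines, the denylist entries and the exception records are all constructed for the example and do not refer to real packages.

```python
"""Review a dependency list for denylisted (PUA-associated) components.

Hypothetical example: the denylist, exception records and requirement
lines below are constructed placeholders, not real packages.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample requirements. One entry carries an environment marker,
# so it is installed only when the condition on the right of ';' is met.
SAMPLE_REQUIREMENTS = """
requests>=2.31
example-adware-sdk==1.4 ; sys_platform == "win32"   # conditional install
telemetry-collector>=0.9
numpy>=1.26
"""

# Constructed denylist of components that security tooling flags as PUA.
PUA_DENYLIST = {"example-adware-sdk", "telemetry-collector"}

# Constructed record of reviewed exceptions: component -> justification.
DOCUMENTED_EXCEPTIONS = {
    "telemetry-collector": "SEC-123 (placeholder): opt-in crash reporting, reviewed",
}

# name, optional [extras], version spec, optional ';' environment marker
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*?)\s*(?:;\s*(.*))?\s*$"
)


@dataclass
class Finding:
    name: str
    conditional: bool   # True when an environment marker limits installation
    documented: bool    # True when a reviewed exception exists
    status: str         # "fail" or "warn"


def normalize_name(name: str) -> str:
    """Normalize a project name the way package indexes do (PEP 503)."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[tuple]:
    """Return (normalized name, marker or None) for one requirement line."""
    match = _REQ_RE.match(line)
    if not match:
        return None
    name, _extras, _spec, marker = match.groups()
    return normalize_name(name), marker


def review(requirements_text: str, denylist: set, exceptions: dict) -> list:
    """Flag every denylisted dependency, recording conditionality and documentation."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, marker = parsed
        if name not in denylist:
            continue
        documented = name in exceptions
        findings.append(Finding(
            name=name,
            conditional=marker is not None,
            documented=documented,
            status="warn" if documented else "fail",
        ))
    return findings


def ci_status(findings: list) -> str:
    """Overall pipeline verdict: any undocumented denylisted component fails the build."""
    return "fail" if any(f.status == "fail" for f in findings) else "pass"


if __name__ == "__main__":
    results = review(SAMPLE_REQUIREMENTS, PUA_DENYLIST, DOCUMENTED_EXCEPTIONS)
    for f in results:
        note = " (conditional install)" if f.conditional else ""
        print(f"{f.status.upper():4} {f.name}{note}"
              + (f" - documented: {DOCUMENTED_EXCEPTIONS[f.name]}" if f.documented else ""))
    print("CI/CD status:", ci_status(results))
```

The conditional flag matters because a dependency behind an environment marker may never appear in a build on one platform yet still ship to users on another, which is exactly the case the policy describes as an optional dependency installed only when a pre-defined condition is met. Keeping the exception record next to the denylist is one way to satisfy the documentation requirement in the guidance above.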
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- NPM: 3.72M
Recommended reading
- Potentially unwanted program (External resource - Wikipedia)
- Dependency management - Software supply chain security (External resource - Google Cloud)