SQ25105
Detected packages with content protected by an unknown password.
| priority | CI/CD status | severity | effort | SAFE level | SAFE assessment |
|---|---|---|---|---|---|
| | pass | medium | medium | None | None |
About the issue
The proprietary ReversingLabs analysis engine supports a wide range of commonly used archive and software packaging formats. Using automated static file decomposition, it recursively unpacks and analyzes complex software packages; content identification, unpacking, validation, and classification are performed on every file it encounters. Package contents may optionally be password-protected to limit access to authorized users. When content is protected with a password the engine does not know, it cannot be unpacked, so it cannot be inspected. Such content may contain additional software components that are then missing from the Software Bill of Materials (SBOM), and any issues inside it remain undetected.
How to resolve the issue
- Consult the ReversingLabs product documentation for a list of supported archive and software packaging formats.
- CLI only: Provide the ReversingLabs analysis engine with the passwords used to protect the software package.
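The check below is an added example written for this page; it is not ReversingLabs code and does not describe how the Spectra Assure engine is implemented. It performs the pre-submission check a practitioner would want before handing a package to the engine: it recursively walks a ZIP-based package, flags entries that carry the ZIP encryption flag, tries a list of known passwords, and reports what remains uninspectable, which is exactly the content an SBOM built from the package would silently miss. Because the standard library cannot write encrypted entries, the block includes a small ZipCrypto (traditional PKWARE) encryptor so that the constructed sample package is genuinely protected and the whole thing runs offline. The file names, the password `hunter2`, and the fake ELF payload are assumptions made for the sample.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED = 0x1  # ZIP general-purpose flag bit 0: entry is password-protected

# Minimal ZipCrypto (traditional PKWARE) encryptor, used only to build a genuinely
# protected sample entry offline (stdlib zipfile decrypts ZipCrypto, never writes it).
_CRCTAB = []
for _n in range(256):
    for _ in range(8):
        _n = (_n >> 1) ^ 0xEDB88320 if _n & 1 else _n >> 1
    _CRCTAB.append(_n)

def _zipcrypto_encrypt(plaintext, password, check_byte):
    """Return the 12-byte encryption header followed by the encrypted data."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b):
        nonlocal k0, k1, k2
        k0 = (k0 >> 8) ^ _CRCTAB[(k0 ^ b) & 0xFF]
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = (k2 >> 8) ^ _CRCTAB[(k2 ^ (k1 >> 24)) & 0xFF]

    for b in password:
        update(b)
    out = bytearray()
    # 11 filler bytes + check byte (high byte of the plaintext CRC), which readers
    # use to reject a wrong password before decrypting the data.
    for p in bytes(11) + bytes([check_byte]) + plaintext:
        k = k2 | 2
        out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
        update(p)
    return bytes(out)

def build_encrypted_zip(name, plaintext, password):
    """Build a one-entry ZIP whose entry is ZipCrypto-protected with `password`."""
    crc = zlib.crc32(plaintext)
    blob = _zipcrypto_encrypt(plaintext, password, (crc >> 24) & 0xFF)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, blob)  # stored as opaque bytes; headers patched below
    raw = bytearray(buf.getvalue())
    cdir = struct.unpack_from("<L", raw, raw.rfind(b"PK\x05\x06") + 16)[0]
    # Local header: flags@6, CRC@14, uncompressed size@22; central dir: @8, @16, @24.
    for flags_off, crc_off, size_off in ((6, 14, 22), (cdir + 8, cdir + 16, cdir + 24)):
        struct.pack_into("<H", raw, flags_off, struct.unpack_from("<H", raw, flags_off)[0] | ENCRYPTED)
        struct.pack_into("<L", raw, crc_off, crc)  # CRC of the plaintext, not the ciphertext
        struct.pack_into("<L", raw, size_off, len(plaintext))
    return bytes(raw)

def scan_package(data, known_passwords, path=""):
    """Recursively walk a ZIP-based package -> {entry path: 'plain' | 'opened' | 'unknown-password'}."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{path}/{info.filename}" if path else info.filename
            content = None
            if info.flag_bits & ENCRYPTED:
                for pwd in known_passwords:
                    try:
                        content = zf.read(info, pwd=pwd)
                        break
                    except (RuntimeError, zipfile.BadZipFile):
                        continue  # wrong password: check-byte or CRC mismatch
                if content is None:
                    report[full] = "unknown-password"  # cannot be inspected at all
                    continue
                report[full] = "opened"
            else:
                content = zf.read(info)
                report[full] = "plain"
            if content.startswith(b"PK\x03\x04"):  # nested archive: descend into it
                report.update(scan_package(content, known_passwords, full))
    return report

def unreadable_entries(data, known_passwords):
    """Entries the scan could not open; an SBOM derived from this scan omits them."""
    return sorted(p for p, s in scan_package(data, known_passwords).items() if s == "unknown-password")

def build_sample_package():
    """Constructed sample, not a real package: a plain nested archive plus a nested
    archive whose content is protected with the (assumed) password b'hunter2'."""
    def plain_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for n, d in entries.items():
                zf.writestr(n, d)
        return buf.getvalue()

    closed = build_encrypted_zip("native/payload.bin", b"\x7fELF" + bytes(60), b"hunter2")
    deps = plain_zip({"lib/helper.py": b"def helper():\n    return 1\n"})
    return plain_zip({"README.md": b"# sample\n", "vendor/deps.zip": deps, "vendor/closed.zip": closed})

if __name__ == "__main__":
    pkg = build_sample_package()
    print("no passwords:", unreadable_entries(pkg, []))          # protected entry listed
    print("with hunter2:", unreadable_entries(pkg, [b"hunter2"]))  # []
```

Run as a script: with no passwords the protected entry `vendor/closed.zip/native/payload.bin` is reported as unknown-password; once `hunter2` is supplied the list is empty and the entry appears as opened. The password list is the same set you would hand to the analysis engine (CLI only), so anything still reported after that is content the engine will not be able to inspect either. Two caveats: a wrong password is rejected by the 12-byte check header, and the rare check-byte collision (1 in 256) is then caught by the CRC check, so both exceptions are treated alike; and entries protected with WinZip AES (compression method 99) are not supported by the standard library and will show up as unknown-password even when the password is correct.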
Incidence statistics
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes. Analysis results are used to calculate incidence statistics for issues (policy violations) that Spectra Assure can detect in software packages.
This section is updated when new data becomes available.
Total number of packages analyzed
- RubyGems: 183K
- NuGet: 644K
- PyPI: 628K
- npm: 3.72M