Snake JARs, Part II:

Fangs in the Grass

Earlier this week, we highlighted how an increasing number of Python packages vendor log4j in their PyPI distributions. Many of these log4j dependency versions are unfortunately vulnerable to one or more CVEs and therefore theoretically open the potential for attack. While the typical use case for many of these packages means that actual risk is low probability or low impact, this is not true for all cases…

Luckily, organizations have already updated these dependencies in their latest releases. But, unfortunately, many organizations have yet to push new releases or update the JAR in their latest release. And even worse, some packages are no longer actively maintained or supported…Classic software supply chain risks.

It’s clear that log4j is an acute example of risk — and awareness, thankfully. But log4j is certainly not the only Java dependency in PyPI. Organizations should be asking themselves questions like:

  • What other JARs are commonly vendored and might need to be monitored for high-risk CVEs?

While the best solution is to implement a comprehensive risk monitoring program — both as part of your own SDLC process and as part of your “procurement” process — we obviously can’t all snap our fingers and get to “perfect” overnight. For many organizations, there’s still a large degree of reactive, manual review when <=0-day or CVEs become known.

To help in this process, we’re sharing a list of the top 25 most-vendored Java libraries within PyPI. While there over 3,000 unique JARs distributed on PyPI over the last 17 years, these top 25 JARs are responsible for over 15% of all uses — and most of the most recent exposure in releases.

And in case you’re wondering, this was not a transient trend. In absolute terms, cross-language dependency from Python to Java is only increasing over time.

In our next post in this series, we’ll talk about how we’ve seen data science use cases as a particularly high-risk area when it comes to Python and Java — and how we recommend effectively armoring this soft underbelly.

PS: If you’re curious, the first JAR on PyPI was in a package called clearsilver, which had a single PyPI release in 2005.