Authors:
(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de);
(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de);
(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de);
(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Table of Links Abstract and 1 Introduction 2 Background 3 Design and Implementation of Licma and 3.1 Design 3.2 Implementation 4 Methodology and 4.1 Searching and Downloading Python Apps 4.2 Comparison with Previous Studies 5 Evaluation and 5.1 GitHub Python Projects 5.2 MicroPython 6 Comparison with previous studies 7 Threats to Validity 8 Related Work 9 Conclusion, Acknowledgments, and References 4 METHODOLOGY To analyze Python applications, we constructed two distinct data sets of popular Python and MicroPython projects. Furthermore, we compared our findings in Python programs with previous studies about Java and C code. 4.1 Searching and Downloading Python Apps Both data sets represent very different domains where Python is used, ranging from server and desktop use to low-level embedded code. How we selected the projects in both data sets for our empirical study is described in the following. 4.1.1 Python Projects from GitHub. For our evaluation of crypto misuses in Python code we focus on open-source code. Thus, we crawled and downloaded the top 895 Python repositories from GitHub sorted by stars. To further understand the influence of dependencies, we downloaded them with Pythons standard dependency manager pip for each project. Afterwards, we ended up with 14,442 Python packages of which 3,420 are unique. As our analysis works upon a per-file basis, we reduced our set to only those source code files that include the function calls referenced in our rules, e.g., AES.new (...) . In addition, we filter for production code and ignore test code which should be non-existent during the execution of the application. After applying these 2 filter steps, we ended up with 946 source files from 155 different repositories. Unfortunately, Babelfish was unable to parse 35 of these files, and reached the maximum recursion depth for the AST XPath queries for at least one rule in 50 files. These 85 parsing failures are distributed amongst 61 different projects. However, for each of the projects at least 1 file with a crypto usage was analyzed successfully. In total, we successfully analyzed 861 different files within 155 Python repositories with LICMA. 4.1.2 Curated Top MicroPython Projects. As an extension to our Python application set, we crawled 51 MicroPython projects which are stated as the top announced MicroPython projects[5]. Like for the regular Python applications, we downloaded all dependencies with pip and got 113 dependencies with 1 duplicate dependency. Afterwards, we applied the same filter steps as before: The usage of crypto and the exclusion of test files. These steps, resulted in 5 files which seem to use the Python crypto libraries supported by LICMA. Note that we included the MicroPython crypto library ucryptolib in LICMA and our filtering steps. To further understand this small number of potential usages, we also analyzed our data set of MicroPython applications manually. This analysis reveals that we potentially missed five crypto usages. This paper is available on arxiv under CC BY 4.0 DEED license. [5] https://awesomeopensource.com/projects/micropython Lead image by Roman Synkevych on Unplash Authors: (1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de); (2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de); (3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de); (4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Authors: Authors: (1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de); (2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de); (3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de); (4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de). Table of Links Abstract and 1 Introduction Abstract and 1 Introduction 2 Background 2 Background 3 Design and Implementation of Licma and 3.1 Design 3 Design and Implementation of Licma and 3.1 Design 3.2 Implementation 3.2 Implementation 4 Methodology and 4.1 Searching and Downloading Python Apps 4 Methodology and 4.1 Searching and Downloading Python Apps 4.2 Comparison with Previous Studies 4.2 Comparison with Previous Studies 5 Evaluation and 5.1 GitHub Python Projects 5 Evaluation and 5.1 GitHub Python Projects 5.2 MicroPython 5.2 MicroPython 6 Comparison with previous studies 6 Comparison with previous studies 7 Threats to Validity 7 Threats to Validity 8 Related Work 8 Related Work 9 Conclusion, Acknowledgments, and References 9 Conclusion, Acknowledgments, and References 4 METHODOLOGY To analyze Python applications, we constructed two distinct data sets of popular Python and MicroPython projects. Furthermore, we compared our findings in Python programs with previous studies about Java and C code. 4.1 Searching and Downloading Python Apps Both data sets represent very different domains where Python is used, ranging from server and desktop use to low-level embedded code. How we selected the projects in both data sets for our empirical study is described in the following. 4.1.1 Python Projects from GitHub. For our evaluation of crypto misuses in Python code we focus on open-source code. Thus, we crawled and downloaded the top 895 Python repositories from GitHub sorted by stars. To further understand the influence of dependencies, we downloaded them with Pythons standard dependency manager pip for each project. Afterwards, we ended up with 14,442 Python packages of which 3,420 are unique. 4.1.1 Python Projects from GitHub. As our analysis works upon a per-file basis, we reduced our set to only those source code files that include the function calls referenced in our rules, e.g., AES.new (...) . In addition, we filter for production code and ignore test code which should be non-existent during the execution of the application. After applying these 2 filter steps, we ended up with 946 source files from 155 different repositories. Unfortunately, Babelfish was unable to parse 35 of these files, and reached the maximum recursion depth for the AST XPath queries for at least one rule in 50 files. These 85 parsing failures are distributed amongst 61 different projects. However, for each of the projects at least 1 file with a crypto usage was analyzed successfully. In total, we successfully analyzed 861 different files within 155 Python repositories with LICMA . Babelfish LICMA 4.1.2 Curated Top MicroPython Projects . As an extension to our Python application set, we crawled 51 MicroPython projects which are stated as the top announced MicroPython projects[5]. Like for the regular Python applications, we downloaded all dependencies with pip and got 113 dependencies with 1 duplicate dependency. Afterwards, we applied the same filter steps as before: The usage of crypto and the exclusion of test files. These steps, resulted in 5 files which seem to use the Python crypto libraries supported by LICMA. Note that we included the MicroPython crypto library ucryptolib in LICMA and our filtering steps. To further understand this small number of potential usages, we also analyzed our data set of MicroPython applications manually. This analysis reveals that we potentially missed five crypto usages. 4.1.2 Curated Top MicroPython Projects This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv [5] https://awesomeopensource.com/projects/micropython https://awesomeopensource.com/projects/micropython Lead image by Roman Synkevych on Unplash Lead image by Roman Synkevych on Unplash Roman Synkevych on Unplash

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

How We Analyzed Crypto API Misuses in 895 GitHub Projects

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Grassroots Distributed Systems for Digital Sovereignty: Abstract and Introduction

When APIs Talk Too Much – A Lesson About Hidden Paths

What MCP Means for Secure AI Integrations and the Future of Agentic Workflows

How to Implement API Versioning in ASP.NET Core

Securing Your MCP Server: a Step-by-Step Guide

What Happens in The Cloud Doesn’t Stay in The Cloud: A Not-So-Serious Guide to NIST SP 800–228

Grassroots Distributed Systems for Digital Sovereignty: Abstract and Introduction

When APIs Talk Too Much – A Lesson About Hidden Paths

What MCP Means for Secure AI Integrations and the Future of Agentic Workflows

How to Implement API Versioning in ASP.NET Core

Securing Your MCP Server: a Step-by-Step Guide

What Happens in The Cloud Doesn’t Stay in The Cloud: A Not-So-Serious Guide to NIST SP 800–228

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps