Brussels / 3 & 4 February 2024


Phantom dependencies in Python (and what to do about them)

The increasing use of AI-driven Python libraries necessitates robust scanning of Python projects for vulnerabilities. However, Python's dynamic typing and reliance on manifest files for dependency management make it challenging to detect hidden "phantom" dependencies. These unreported dependencies introduce uncertainty and risk into software composition analysis, as seen in OpenAI's baseline codebase. This session explores program analysis, particularly reachability analysis, to expose these phantom dependencies and create accurate dependency sets. Despite the challenges posed by Python's dynamic nature, program analysis remains crucial for secure and reliable software development. Understanding phantom dependencies and their impact is vital for Python developers to build robust and secure software.


Photo of Georgios Gousios Georgios Gousios