Python Exposes Phantom Dependencies With SBOM Screening

In June, Python programmer Seth Michael Larson was hired by the Python Software Foundation to act as security-developer-in-residence. But he was already working on what Python’s thorniest security problems are: Hidden software dependencies, or phantom dependencies.

The term “phantom dependencies” was coined by Endor Labs in 2023 to describe code embedded in an application that was not declared in any sort of manifest file, thus making it invisible to vulnerability scanners.

Every open source software package should have a manifest of…