Python Tackles “Phantom Dependencies” with New SBOM Standard
The Python Software Foundation is addressing a critical security issue in open-source software: “phantom dependencies.” These are dependencies that a package uses but does not declare in standard packaging metadata, making them invisible to vulnerability scanners and compliance tools. A new white paper, authored by the PSF’s Security Developer-in-Residence Seth Larson (sponsored by the Open Source Security Foundation’s Alpha-Omega project), details the problem and proposes a solution: leveraging Software Bills of Materials (SBOMs).
Larson’s work culminated in Python Enhancement Proposal 770, a backwards-compatible standard that lets packages ship SBOM metadata. Crucially, PEP 770 is designed to minimize the burden on maintainers: SBOM documents are placed in a directory of files inside the package rather than in a new metadata field, so the tools that build wheels and bundle compiled code into them can be updated to emit those documents by default, meaning most projects won’t need to actively opt in.

Why is Python notably vulnerable? Several factors contribute to the prevalence of phantom dependencies in the Python ecosystem:
* Interoperability: Python frequently interfaces with software written in other languages (C, C++, Rust, etc.) via the C API and foreign function interfaces (FFI). Those native components are not Python packages, so standard packaging metadata has no place to record them.
* Scientific computing and AI: Python’s dominance in these fields relies heavily on high-performance libraries written in systems languages.
* Wheel distribution: Python’s “wheel” package format is a zip archive of pre-built files, so compiled libraries are built, and often bundled into the wheel, before distribution, and the package metadata says nothing about what was bundled.
The PSF is now working to integrate PEP 770 support into popular SBOM and vulnerability scanning tools. The white paper also extends an invitation to other open-source ecosystems facing similar challenges to adopt the Python approach.
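As an added example (not code from the white paper, PEP 770, or the PSF), the script below shows the kind of check a scanner can perform once SBOM documents live in a distribution’s `.dist-info/sboms/` directory, the location PEP 770 specifies: walk a site-packages directory, read each SBOM (CycloneDX or SPDX JSON), and list the bundled components that core metadata never mentioned. The distribution names, library names, versions and package URLs in the fixture are constructed for the demonstration and correspond to no real project.

```python
"""Added example: enumerate components declared in PEP 770 SBOM files.

Not code from the PSF white paper or PEP 770; the fixture below is constructed.
"""
import json
import tempfile
from pathlib import Path


def find_sbom_files(site_dir):
    """Yield (distribution_name, path) for each file in a *.dist-info/sboms/ dir.

    ``sboms/`` is the per-distribution directory PEP 770 specifies for SBOM
    documents; a distribution without it declares no bundled components.
    """
    for dist_info in sorted(Path(site_dir).glob("*.dist-info")):
        sbom_dir = dist_info / "sboms"
        if not sbom_dir.is_dir():
            continue
        # "<name>-<version>.dist-info": normalized names use '_' not '-',
        # so the first '-' separates the name from the version.
        dist_name = dist_info.name[: -len(".dist-info")].split("-", 1)[0]
        for sbom_file in sorted(sbom_dir.iterdir()):
            if sbom_file.is_file():
                yield dist_name, sbom_file


def components_from_sbom(doc):
    """Return [(name, version, purl), ...] from a parsed SBOM document.

    Understands CycloneDX JSON (``components``) and SPDX JSON (``packages``);
    any other document yields an empty list rather than raising.
    """
    found = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            found.append((comp.get("name"), comp.get("version"), comp.get("purl")))
    elif isinstance(doc.get("spdxVersion"), str):
        for pkg in doc.get("packages", []):
            purl = next(
                (ref.get("referenceLocator")
                 for ref in pkg.get("externalRefs", [])
                 if ref.get("referenceType") == "purl"),
                None,
            )
            found.append((pkg.get("name"), pkg.get("versionInfo"), purl))
    return found


def declared_bundled_components(site_dir):
    """Map each distribution with SBOM files to the components they declare."""
    report = {}
    for dist_name, path in find_sbom_files(site_dir):
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
        report.setdefault(dist_name, []).extend(components_from_sbom(doc))
    return report


# --- Constructed fixture (hypothetical distributions and libraries) ----------
CYCLONEDX_DOC = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {"type": "library", "name": "libfoo", "version": "2.1.0",
         "purl": "pkg:generic/libfoo@2.1.0"},
    ],
}
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"name": "libbar", "versionInfo": "0.9.3",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/libbar@0.9.3"}]},
    ],
}


def build_fixture(root):
    """Create a fake site-packages: two wheels with SBOMs, one pure-Python one."""
    root = Path(root)
    (root / "fast_img-1.0.0.dist-info" / "sboms").mkdir(parents=True)
    (root / "fast_img-1.0.0.dist-info" / "sboms" / "libfoo.cdx.json").write_text(
        json.dumps(CYCLONEDX_DOC))
    (root / "netcrypt-3.2.1.dist-info" / "sboms").mkdir(parents=True)
    (root / "netcrypt-3.2.1.dist-info" / "sboms" / "libbar.spdx.json").write_text(
        json.dumps(SPDX_DOC))
    (root / "purepy-0.1.dist-info").mkdir()  # no sboms/: nothing bundled
    return root


def demo():
    """Build the fixture in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        return declared_bundled_components(build_fixture(tmp))


if __name__ == "__main__":
    for dist, comps in demo().items():
        for name, version, purl in comps:
            print(f"{dist}: bundles {name} {version} ({purl})")
```

Point `declared_bundled_components` at a real `site-packages` directory to see which installed wheels already ship SBOM files; the pure-Python distribution in the fixture is skipped, which is the correct reading under PEP 770 (no `sboms/` directory means nothing bundled was declared, not that nothing was bundled).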
You can read the full white paper here and find more information in the PSF announcement.