OSS-RISK-6 : Untracked Dependencies
Description:
Project developers may not be aware of a dependency on a component at all, e.g., because it is not part of an upstream component’s SBOM, because SCA tools are not run or do not detect it, or because the dependency is not established using a package manager.
Because such a component flies under the radar, it cannot be checked or monitored for any of the other deficiencies described in this list.
Examples:
- Incomplete SBOMs received for upstream components or produced by SCA tools
- Inclusion of 3rd-party code in a managed (tracked) dependency, e.g.
  - code snippets
  - source code files (copied as-is into the dependency’s sources, also called “vendored”)
  - compiled code (e.g., platform-specific binaries or Java archives/class files, also called rebundling)
- Dependencies not established through the manifest files of package managers like pip or Maven, e.g., manual or scripted installation through brew or apt-get
- IDE plugins, build scripts, test dependencies or other developer tools: though not included in the dependent software itself, they still pose security and operational risks
Actions:
- Evaluate and compare SCA tools regarding their capability to produce accurate bills of materials, both at a coarse-grained level (e.g., dependencies declared with the help of package management tools like Maven or npm) and at a fine-grained level (e.g., artifacts such as single files included “out of band”, i.e., without using a package manager).
References:
- OWASP Software Component Verification Standard (SCVS) V1 Inventory and V2 Software Bills of Materials
- Research on rebundling
- Anand Sawant: Dependency Resolution in Python: Beware The Phantom Dependency (2023)