Python Incomplete Dependencies In Requirements
Description
Detects incomplete dependency declarations in Python requirements.txt files by comparing the packages explicitly listed against the full set of dependencies that installing them would pull in. Undeclared transitive dependencies are a security risk: because they are resolved at install time rather than pinned, they can cause runtime failures or allow untrusted package versions to be installed.
Detection Strategy
• Scans Python requirements.txt files to identify declared dependencies
• Creates a temporary virtual environment and simulates package installation to determine all required dependencies
• Reports a vulnerability if there are dependencies that would be installed but are not explicitly declared in requirements.txt
• Handles package name variations (e.g., 'typing-extensions' vs 'typing_extensions') to avoid false positives
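The comparison step of the strategy above, as an added example rather than Fluid Attacks' own checker: it parses the declared names out of a constructed requirements.txt, normalizes them per PEP 503 so that 'typing-extensions' and 'Typing_Extensions' compare equal, and diffs them against a constructed `pip freeze`-style listing that stands in for the packages the temporary virtual environment would actually install.

```python
import re

# Constructed sample requirements.txt (not from the page): mixed case, an underscore
# name, an extra, an environment marker, a comment line and a pip option line.
REQUIREMENTS_TXT = """\
# web stack
requests==2.31.0
Typing_Extensions>=4.0 ; python_version < "3.11"
flask[async]==3.0.0
-r base.txt
"""
# Constructed stand-in for the resolved install set, i.e. what `pip freeze` in the
# temporary virtual environment would report after the simulated installation.
RESOLVED_FREEZE = """\
blinker==1.7.0
charset-normalizer==3.3.2
click==8.1.7
Flask==3.0.0
Jinja2==3.1.3
requests==2.31.0
typing-extensions==4.9.0
urllib3==2.2.0
Werkzeug==3.0.1
"""
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' or '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def declared_packages(requirements: str) -> set[str]:
    """Project names declared in requirements.txt, ignoring comments, options and markers."""
    names = set()
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if not line or line.startswith("-"):       # blank, or a pip option (-r, -e, --index-url)
            continue
        match = _NAME_RE.match(line)               # name ends at extras, specifier or marker
        if match:
            names.add(normalize(match.group(1)))
    return names

def installed_packages(freeze_output: str) -> set[str]:
    """Project names from `pip freeze`-style 'name==version' lines."""
    return {normalize(ln.split("==", 1)[0]) for ln in freeze_output.splitlines() if "==" in ln}

def undeclared_dependencies(requirements: str, freeze_output: str) -> list[str]:
    """The finding: packages that would be installed but are not explicitly declared."""
    return sorted(installed_packages(freeze_output) - declared_packages(requirements))
```

In a real run, RESOLVED_FREEZE would be the output of `pip freeze` captured inside a throwaway virtual environment after `pip install -r requirements.txt`; the finding is non-empty whenever that listing contains names the file never declares.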