Python Pipfile Missing Package Lock
Description
Detects when a Python project has a Pipfile declaring dependencies but is missing the corresponding Pipfile.lock file. Without the lock file, every installation resolves the Pipfile's (typically unpinned) version specifiers afresh, so different environments can end up with inconsistent dependency versions and may pull in vulnerable package versions during installation.
Detection Strategy
• Check if the Pipfile contains a [packages] section indicating declared dependencies
• Look for Pipfile.lock in the same directory as the Pipfile
• Report a vulnerability if dependencies are declared but Pipfile.lock is missing