Python Malware Dependency

ID

malware_dependency_python

Severity

critical

Family

Malware

Description

Some dependencies have been identified as malware. This detector checks the project dependencies against a list of packages (and package versions) known to be malware and reports every dependency that matches.

Artifacts known as malware (or specific versions of otherwise legitimate artifacts that contain malware) are blacklisted.

You can configure the black and white lists in the directory conf/suspectdeps/malwareLists, in the files python.black.list and python.white.list.

The format to declare dependencies in these files is:

  • If you want to declare all versions of a package: packageName

  • If you want to declare a fixed version of a package: packageName@version

You can also configure whether the detector takes the minor and patch version components into account when matching a dependency's version against a versioned list entry, using the properties checkMinor and checkPatch. Both are enabled by default.
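The following is an added example, not Xygeni's own code, that shows how the packageName / packageName@version list format above can be matched against a requirements.txt. The list semantics it implements are assumptions rather than documented behaviour: a white list entry exempts a dependency, a '#' starts a comment, and checkMinor/checkPatch select which version components are compared (the major component is always compared, so with both flags off an entry such as pkg@1.0.0 covers every 1.x.y release). The sample lists and requirements are constructed, and the package names in them are placeholders, not real PyPI projects. It also normalizes names the way pip does (PEP 503), which is the check a practitioner wants: Evil_Package, evil.package and evil-package are the same project and a list that compares raw strings would miss two of the three spellings.

```python
"""Added example (not Xygeni's code): match requirements.txt against
python.black.list / python.white.list entries. Semantics of the white list,
'#' comments and checkMinor/checkPatch are assumptions."""
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[str]]  # (normalized package name, version or None)


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.'
    into one '-'. pip treats Evil_Package, evil.package and evil-package as
    the same project, so a list must compare normalized names."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_list(text: str) -> List[Entry]:
    """Parse list lines of the form 'packageName' or 'packageName@version'."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments: assumption
        if line:
            name, _, version = line.partition("@")
            entries.append((normalize(name), version or None))
    return entries


# A name, optionally followed by an exact '==' pin. Other specifiers (>=, ~=)
# leave the version unresolved, so only name-only list entries can match them;
# a resolved lockfile would be needed to check versioned entries for those.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([0-9][0-9A-Za-z.]*))?")


def parse_requirements(text: str) -> List[Entry]:
    deps: List[Entry] = []
    for raw in text.splitlines():
        # drop comments and environment markers such as '; python_version < "3.8"'
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line.startswith("-"):  # skip options like -r / --index-url
            continue
        m = _REQ_RE.match(line)
        if m:
            deps.append((normalize(m.group(1)), m.group(2)))
    return deps


def version_matches(listed: str, actual: str, check_minor: bool, check_patch: bool) -> bool:
    """Assumed checkMinor/checkPatch semantics: major is always compared,
    minor and patch only when the corresponding flag is on."""
    def component(version: str, i: int) -> str:
        parts = version.split(".")
        return parts[i] if i < len(parts) else "0"
    compare = (True, check_minor, check_patch)
    return all(component(listed, i) == component(actual, i) for i in range(3) if compare[i])


def listed_in(entries: List[Entry], name: str, version: Optional[str],
              check_minor: bool, check_patch: bool) -> bool:
    for entry_name, entry_version in entries:
        if entry_name != name:
            continue
        if entry_version is None:  # name-only entry covers every version
            return True
        if version is not None and version_matches(entry_version, version, check_minor, check_patch):
            return True
    return False


def scan(requirements: str, black_list: str, white_list: str,
         check_minor: bool = True, check_patch: bool = True) -> List[Entry]:
    """Return (name, version) pairs that hit the black list and are not
    exempted by the white list, in requirements order."""
    black, white = parse_list(black_list), parse_list(white_list)
    findings: List[Entry] = []
    for name, version in parse_requirements(requirements):
        if listed_in(white, name, version, check_minor, check_patch):
            continue
        if listed_in(black, name, version, check_minor, check_patch):
            findings.append((name, version))
    return findings


# Constructed sample inputs; package names are placeholders, not real projects.
BLACK_LIST = """
evil-package              # every version is malicious
Malware.Package@1.0.0     # only this release was compromised
"""
WHITE_LIST = """
evil-package@3.0.0        # reviewed and explicitly allowed
"""
REQUIREMENTS = """
requests==2.31.0
Malware.Package==1.0.0
malware_package==1.0.3    # same project, a different patch release
Evil_Package==3.0.0       # white-listed pin, spelled differently
evil.package>=2.0         # unpinned: the name-only entry still matches
"""

if __name__ == "__main__":
    for name, version in scan(REQUIREMENTS, BLACK_LIST, WHITE_LIST):
        print(f"malware_dependency_python: {name} {version or '(unpinned)'}")
```

With the default flags the sample reports Malware.Package 1.0.0 and the unpinned evil.package line; malware_package 1.0.3 is not reported because its patch component differs from the listed 1.0.0, and Evil_Package 3.0.0 is exempted by the white list despite the different spelling. Running scan with check_patch=False adds the 1.0.3 pin to the findings.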

Security

If a dependency contains malware, the consequences for the company can be catastrophic: the malicious code runs with the privileges of whatever installs or imports the package, and such a dependency could reach production environments.

Examples

requirements.txt
...
Malware.Package==1.0.0
...

Mitigation / Fix

The problematic dependency may be declared directly, or it may be pulled in as a sub-dependency of one or more direct dependencies. If it is declared directly, remove it (or, when only specific versions are blacklisted, move to a version that is not).

If the malicious package is an indirect dependency, remove or replace the version of each direct dependency on the path to the problematic package with one that no longer pulls it in. You may use the dependency search in Xygeni to find those paths.