REC-005: Dependency Analysis

Category: Reconnaissance
Frameworks: OWASP: LLM05 · ATLAS: ML Supply Chain

Infer AI stack from exposed dependency files, Docker images, and package manifests.

Technique

# Key indicators in requirements.txt (one requirement per line, as pip expects)
langchain              # RAG framework
llama-index            # RAG framework
chromadb               # Vector database
qdrant-client          # Vector database
transformers           # Local model inference
torch                  # Local model inference
openai                 # Cloud API dependency
sentence-transformers  # Embedding model

Key Concepts

  • Exposed dependency files (requirements.txt, package.json, Pipfile.lock) are a goldmine for attackers because they reveal the exact libraries, versions, and therefore the known vulnerabilities present in the AI stack.
  • Docker images for AI applications frequently include full dependency manifests. Public registries, misconfigured registries, or container escape can expose the complete software bill of materials.
  • The presence of specific libraries maps directly to architecture. langchain plus chromadb means RAG with ChromaDB. transformers plus torch means local model inference. This narrows the attack surface to known vulnerability classes for those specific components.
  • Version pinning (or lack thereof) reveals patching posture. Unpinned dependencies may pull vulnerable versions, while pinned but outdated versions indicate known-exploitable software.
  • Supply chain attacks target these exact dependency chains. A compromised PyPI package in the AI dependency tree (e.g., a typosquatted langchain variant) can achieve code execution in the model serving environment.
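The same inference can be run against your own manifests before an attacker does, to see what an exposed requirements.txt reveals about the stack and which entries are not version-pinned. The script below is an added example, not code from this page; the package-to-role table follows the indicator list above, and the sample manifest is constructed for illustration.

```python
import re

# Indicator packages mapped to the architecture component they imply
# (taken from the indicator list above).
STACK_ROLES = {
    "langchain": "RAG framework",
    "llama-index": "RAG framework",
    "chromadb": "Vector database",
    "qdrant-client": "Vector database",
    "transformers": "Local model inference",
    "torch": "Local model inference",
    "openai": "Cloud API dependency",
    "sentence-transformers": "Embedding model",
}

# Matches "name", "name==1.2", "name>=1.2", "name[extra]~=1.2", with an
# optional environment marker (";") or trailing comment ("#") after it.
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)"
)

def normalize(name):
    # PEP 503 normalisation: lower-case, runs of "-", "_" and "." become "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def analyze_requirements(text):
    """Return inferred stack roles and unpinned entries for a requirements.txt body."""
    roles, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue  # blanks, comments, and pip options such as -r / --index-url
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        role = STACK_ROLES.get(name)
        if role:
            roles.setdefault(role, []).append(name)
        if op != "==" or not version:
            unpinned.append(name)  # floating or missing version: patching posture unknown
    return {"roles": roles, "unpinned": unpinned}

# Constructed sample manifest, not taken from any real project
SAMPLE = """\
# app deps
langchain==0.1.0
chromadb>=0.4
Sentence_Transformers
openai==1.3.0 ; python_version >= "3.8"
requests
"""

if __name__ == "__main__":
    print(analyze_requirements(SAMPLE))
```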

Detection

  • Scan web-accessible paths for exposed dependency files, Docker Compose files, and configuration files that reveal the application stack.
  • Monitor for HTTP requests probing common dependency file paths (/requirements.txt, /package.json, /Pipfile.lock, /docker-compose.yml).
  • Audit container image registries for public or improperly scoped access that could expose image layers and their installed packages.

Mitigation

  • Ensure dependency files, Docker Compose configurations, and build manifests are never served by the web server. Add explicit deny rules for these paths.
  • Use multi-stage Docker builds so that build dependencies and manifests are not present in the final production image.
  • Implement automated dependency scanning (Dependabot, Snyk, pip-audit) with alerts for known vulnerabilities in AI/ML library dependencies, and enforce version pinning.