Knowledge Base Edition 2 / 10

Phantom Components: The Invisible Threat in Your Software Supply Chain

Your SBOM scanner gives the green light, but a time bomb is ticking beneath the surface. Learn how 'phantom dependencies' end up invisibly in your production environment.

You've built an SBOM scanner into your CI/CD pipeline. It dutifully reads your package.json or pom.xml, reports that no CVEs were found and gives the green light for production. Yet the next day you can be hacked through a library that, according to the scanner, you don't even use.

Welcome to the treacherous world of phantom components (phantom dependencies). This is code that physically runs in your application but appears nowhere on the official ingredient list.

How do phantom components arise?

  • Vendoring & Copy-Paste: Developers under time pressure sometimes manually copy the source code of a handy open-source function straight into their own project's folder structure. The package manager knows nothing about it, so it is invisible to standard scanners.
  • Statically Linked Libraries: A Python or Java package looks safe, but under the hood it uses C/C++ libraries that the original author compiled straight into the package (statically linked), so the package manager only ever sees the wrapper. That's how a badly outdated version of OpenSSL can end up hidden inside your modern app.
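As an added illustration of both cases above (example code, not from the original article), the following Python script walks a project tree and reports what the manifest does not account for: copy-pasted components under vendor-style directories, and native binaries that no package.json entry describes. The directory names, the suffix list and the sample project it scans are constructed assumptions.

```python
import json, os, tempfile
from pathlib import Path

# Suffixes of compiled native code bundled into the tree (the statically linked
# case).  Versioned names such as libcrypto.so.1.0.0 need every suffix checked.
NATIVE_SUFFIXES = {".so", ".dll", ".dylib", ".a", ".node"}
VENDOR_DIR_NAMES = {"vendor", "vendored", "third_party", "thirdparty", "external"}  # copy-paste homes
SKIP_DIRS = {"node_modules", ".git", "__pycache__"}  # package-manager dirs: declared by construction

def declared_from_package_json(path):
    """Return the package names declared in a package.json manifest."""
    manifest = json.loads(Path(path).read_text(encoding="utf-8"))
    names = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(manifest.get(section, {}))
    return names

def find_phantom_candidates(root, declared):
    """Walk `root`; return sorted (kind, posix_relpath) tuples the manifest misses."""
    root, findings = Path(root), set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        here = Path(dirpath)
        if here.name in VENDOR_DIR_NAMES:  # each child dir is one copy-pasted component
            for child in dirnames:
                kind = "vendored-copy-of-declared" if child in declared else "vendored-source"
                findings.add((kind, (here / child).relative_to(root).as_posix()))
        for fname in filenames:  # native blobs are never described by a JS/Python manifest
            if set(Path(fname).suffixes) & NATIVE_SUFFIXES:
                findings.add(("native-binary", (here / fname).relative_to(root).as_posix()))
    return sorted(findings)

DEMO_FILES = {  # constructed sample project, not a real code base
    "package.json": json.dumps({"dependencies": {"left-pad": "1.3.0"}}),
    "node_modules/left-pad/index.js": "module.exports = 1;\n",
    "src/vendor/fastjson/parser.js": "// pasted in by hand, no manifest entry\n",
    "src/vendor/left-pad/index.js": "// second copy; the declared 1.3.0 says nothing about it\n",
    "native/libcrypto.so.1.0.0": "placeholder text, not a real shared object\n",
}

def demo():
    """Materialise DEMO_FILES in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in DEMO_FILES.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)
        return find_phantom_candidates(tmp, declared_from_package_json(Path(tmp, "package.json")))
```

Run `demo()` to see the three findings; the copy under node_modules is not reported because the manifest already covers it, while the second, hand-copied left-pad is flagged even though its name is declared, since the declared version says nothing about the pasted code.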

From reading to action

Curious how far your organisation is with the CRA? Test it in two minutes with the free Quickscan, or dive into the 4-week Survival Challenge.