ASE2025

Cryptbara: Dependency-Guided Detection of Python Cryptographic API Misuses

Seogyeong Cho, Seungeun Yu, Seunghoon Woo

Abstract

We present Cryptbara, a precise approach for detecting Python cryptographic API misuses. Cryptographic APIs are widely used to ensure data security, but their improper use can inadvertently compromise the security of entire systems. Existing approaches often fail to capture how cryptographic objects are initialized and used across inter-procedural contexts, limiting their ability to detect context-dependent misuses. In contrast, the key innovation of Cryptbara lies in synergistically combining static dependency analysis with LLM reasoning guided by dependency context, enabling context-sensitive misuse detection. To this end, Cryptbara extracts intra- and inter-procedural dependencies from Python code and encodes them into context-rich prompts, allowing the LLM to perform semantically aware analysis despite syntactic complexity. We evaluated Cryptbara on two benchmarks containing real-world cryptographic API misuses. Cryptbara achieved F1 scores of 95.43% and 84%, outperforming existing approaches that achieved at most 73.68% and 70.59% F1 scores, respectively. Cryptbara further demonstrated its practical impact by discovering previously unknown misuses in popular Python repositories, with 22 representative cases reported to and confirmed by maintainers.
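The abstract's central point is that a misuse can be invisible to a per-function check when the cryptographic object is configured in one function and used in another. The following added example (not Cryptbara's code; the analysed snippet, the `make_cipher`/`encrypt` names and the weak-mode list are constructed for illustration) uses Python's `ast` module to show the difference between an intra-procedural view and a one-hop inter-procedural dependency view of the same code.

```python
import ast

# Constructed sample, not taken from the paper: the cipher mode is chosen in
# make_cipher(), but the object is used in encrypt(), so a check that looks
# only at encrypt() never sees MODE_ECB.
SAMPLE = '''
from Crypto.Cipher import AES

def make_cipher(key):
    return AES.new(key, AES.MODE_ECB)

def encrypt(key, data):
    cipher = make_cipher(key)
    return cipher.encrypt(data)
'''

# Illustrative list of modes a checker would flag (ECB leaks plaintext patterns).
WEAK_MODES = {"MODE_ECB"}


def _mode_attrs(node):
    """Names of MODE_* attributes appearing anywhere under `node`."""
    return {n.attr for n in ast.walk(node)
            if isinstance(n, ast.Attribute) and n.attr.startswith("MODE_")}


def collect_dependencies(source, func_name):
    """Return the modes visible inside func_name ('intra') and the modes visible
    in top-level functions it calls directly ('inter'). This is a minimal
    stand-in for the dependency context the paper feeds to the LLM."""
    tree = ast.parse(source)
    funcs = {f.name: f for f in tree.body if isinstance(f, ast.FunctionDef)}
    target = funcs[func_name]
    intra = _mode_attrs(target)
    inter = set()
    # Follow direct calls to other top-level functions (one hop is enough here).
    for n in ast.walk(target):
        if (isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
                and n.func.id in funcs):
            inter |= _mode_attrs(funcs[n.func.id])
    return {"intra": intra, "inter": inter}


def flag_weak_mode(source, func_name, inter_procedural=True):
    """Weak modes reachable from func_name, with or without crossing calls."""
    deps = collect_dependencies(source, func_name)
    seen = deps["intra"] | (deps["inter"] if inter_procedural else set())
    return sorted(seen & WEAK_MODES)
```

Running `flag_weak_mode(SAMPLE, "encrypt", inter_procedural=False)` returns nothing, while the inter-procedural call returns `["MODE_ECB"]`, which is the gap the abstract describes.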