Propagation-Based Vulnerability Impact Assessment for Software Supply Chains
Bonan Ruan, Zhiwei Lin, Jiahao Liu, Chuqi Zhang, Kaihang Ji, Zhenkai Liang

TL;DR
This paper introduces a new method for accurately assessing the impact of vulnerabilities across software supply chains by analyzing propagation at ecosystem and call-graph levels, and proposes a dynamic scoring system to quantify impact.
Contribution
It presents a hierarchical algorithm for vulnerability propagation analysis and the VPSS metric, addressing limitations of prior coarse-grained and incomplete approaches.
Findings
Effective ecosystem-wide vulnerability propagation analysis demonstrated
VPSS provides a practical measure of vulnerability impact
Prototype evaluated on 100 real-world vulnerabilities
Abstract
Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing many false positives, or fail to accomplish whole-ecosystem vulnerability propagation analysis. Second, although vulnerability assessment indicators like CVSS characterize individual vulnerabilities, no metric exists to specifically quantify the dynamic impact of vulnerability propagation across software supply chains. To address these limitations and enable accurate and comprehensive vulnerability impact assessment, we propose a novel approach: (i) a hierarchical worklist-based algorithm for whole-ecosystem and call-graph-level vulnerability propagation analysis and (ii) the Vulnerability Propagation Scoring System (VPSS), a dynamic metric to quantify…
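The abstract contrasts coarse package-level propagation (which flags every transitive dependent and so produces false positives) with call-graph-level propagation driven by a worklist. The following is an added illustration written for this page, not the paper's algorithm or code: it runs both analyses over a small constructed ecosystem (the package names, functions and call edges are invented sample data) and reports which packages the package-level view flags that no actual call path can reach.

```python
"""Worklist-based vulnerability propagation over a toy package ecosystem.

Added illustration, not the paper's own algorithm or code. It contrasts
package-level propagation (every transitive dependent of a vulnerable
package is flagged) with call-graph-level propagation (a dependent is
flagged only if one of its functions can reach the vulnerable function
through real call edges). All packages, functions and edges below are
constructed sample data.
"""
from collections import deque

# Constructed ecosystem: package -> packages it depends on
DEPENDENCIES = {
    "webapp": ["http-client", "yaml-parser"],
    "http-client": ["yaml-parser"],
    "cli-tool": ["yaml-parser"],
    "yaml-parser": [],
}

# Constructed call graph: (package, function) -> callees (package, function).
# Cross-package edges only follow declared dependencies.
CALL_GRAPH = {
    ("yaml-parser", "load_unsafe"): [],
    ("yaml-parser", "load_safe"): [],
    ("http-client", "parse_config"): [("yaml-parser", "load_unsafe")],
    ("http-client", "get"): [],
    ("webapp", "handle_request"): [("http-client", "get")],
    ("webapp", "load_settings"): [("http-client", "parse_config")],
    ("cli-tool", "main"): [("yaml-parser", "load_safe")],
}


def reverse_edges(edges):
    """Invert an adjacency map so propagation can walk from callee to caller."""
    rev = {}
    for src, dsts in edges.items():
        rev.setdefault(src, [])
        for dst in dsts:
            rev.setdefault(dst, []).append(src)
    return rev


def package_level_impact(vulnerable_pkg, deps=DEPENDENCIES):
    """Worklist over the reverse dependency graph: every transitive dependent is flagged."""
    dependents = reverse_edges(deps)
    affected = set()
    work = deque([vulnerable_pkg])
    while work:
        pkg = work.popleft()
        for dep in dependents.get(pkg, []):
            if dep not in affected:
                affected.add(dep)
                work.append(dep)
    return affected


def callgraph_level_impact(vulnerable_fn, call_graph=CALL_GRAPH):
    """Worklist over the reverse call graph: a package is affected only if one of
    its functions transitively calls the vulnerable function.
    Returns {affected package: set of its functions that reach the vulnerability}."""
    callers = reverse_edges(call_graph)
    reaching = set()
    work = deque([vulnerable_fn])
    while work:
        fn = work.popleft()
        for caller in callers.get(fn, []):
            if caller not in reaching:
                reaching.add(caller)
                work.append(caller)
    affected = {}
    for pkg, fn in reaching:
        if pkg != vulnerable_fn[0]:  # the vulnerable package itself is not a dependent
            affected.setdefault(pkg, set()).add(fn)
    return affected


def false_positives(vulnerable_pkg, vulnerable_fn):
    """Packages the package-level view flags that no call path actually reaches."""
    return package_level_impact(vulnerable_pkg) - set(callgraph_level_impact(vulnerable_fn))


if __name__ == "__main__":
    vuln = ("yaml-parser", "load_unsafe")
    print("package-level  :", sorted(package_level_impact(vuln[0])))
    print("call-graph-level:", callgraph_level_impact(vuln))
    print("false positives :", sorted(false_positives(vuln[0], vuln)))
```

In the constructed data, `cli-tool` depends on `yaml-parser` but only calls `load_safe`, so the package-level walk flags it while the call-graph walk does not; that gap is the false-positive class the abstract attributes to package-granularity analyses. The call-graph result also names the entry functions in each affected package, which is the information a downstream maintainer needs to decide whether their usage is actually exposed.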
Taxonomy
Topics: Network Security and Intrusion Detection
