Characterizing Build Compromises Through Vulnerability Disclosure Analysis
Maimouna Tamah Diao, Moustapha Awwalou Diouf, Iyiola Emmanuel Olatunji, Abdoul Kader Kaboré, Gervais Mendy, Jacques Klein, Tegawendé F. Bissyandé

TL;DR
This paper develops a taxonomy of attack vectors targeting the software build process, derived from an analysis of 621 vulnerability disclosures in the NVD and validated against documented supply chain attacks; dependency confusion and build script injection emerge as the most prevalent vectors.
Contribution
It introduces the first empirically-derived taxonomy of build attack vectors, categorizing them by injection points and validating with real-world attack data.
Findings
23.8% of supply chain attacks exploit build vulnerabilities
Dependency confusion and build script injection are the most common attack vectors
The taxonomy aids in understanding and defending against build-related security threats
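To make the dependency-confusion finding concrete, here is an added example (not code from the paper or its authors) that simulates how a resolver configured with both a private and a public registry gets confused, and how pinning each package to a declared source defeats it. The registry contents, package names and the manifest are all constructed for this illustration; the "highest version wins" rule models pip with `--extra-index-url` or npm without a scoped registry, not any specific tool's exact algorithm.

```python
"""
Simulated dependency resolution showing how dependency confusion arises and how
a per-package source pin defeats it. All registry contents and the manifest are
constructed for this example; this is not the paper's tooling.
"""

# Constructed registries: package name -> published version strings.
PRIVATE_INDEX = {
    "acme-auth": ["1.4.0", "1.5.2"],
    "acme-telemetry": ["0.9.1"],
}
PUBLIC_INDEX = {
    "requests": ["2.31.0", "2.32.3"],
    "acme-auth": ["99.0.0"],   # squat of an internal name, published publicly
}

# Constructed manifest: package name -> minimum acceptable version.
MANIFEST = {"requests": "2.31.0", "acme-auth": "1.4.0", "acme-telemetry": "0.9.0"}

# Hardened manifest metadata (assumed format): which registry each package may come from.
SOURCES = {"requests": "public", "acme-auth": "private", "acme-telemetry": "private"}


def parse_version(v):
    """Dotted numeric version -> comparable tuple, so "1.10.0" > "1.9.0"."""
    return tuple(int(part) for part in v.split("."))


def resolve_highest_wins(manifest, indexes):
    """Naive resolver: every index is consulted and the highest satisfying
    version wins. On a version tie the public copy is preferred here (worst case).
    indexes: list of (label, index); returns name -> (label, version) or None."""
    picks = {}
    for name, minimum in manifest.items():
        candidates = []
        for label, index in indexes:
            for v in index.get(name, []):
                if parse_version(v) >= parse_version(minimum):
                    candidates.append((parse_version(v), label == "public", label, v))
        if candidates:
            _, _, label, v = max(candidates)
            picks[name] = (label, v)
        else:
            picks[name] = None
    return picks


def resolve_pinned_source(manifest, indexes, sources):
    """Hardened resolver: each package is fetched only from its declared source,
    so a public package with the same name is never a candidate."""
    by_label = dict(indexes)
    picks = {}
    for name, minimum in manifest.items():
        index = by_label[sources[name]]
        candidates = [v for v in index.get(name, []) if parse_version(v) >= parse_version(minimum)]
        picks[name] = (sources[name], max(candidates, key=parse_version)) if candidates else None
    return picks


def find_confusions(manifest, private_index, public_index):
    """Audit: for each internal name, report "confusable" if a highest-wins
    resolver would fetch it from the public index, "unclaimed" if nobody has
    registered the name publicly (so an attacker still can), else "ok"."""
    indexes = [("private", private_index), ("public", public_index)]
    picks = resolve_highest_wins(manifest, indexes)
    report = {}
    for name in manifest:
        if name not in private_index:
            continue  # a genuinely public dependency
        pick = picks[name]
        if name not in public_index:
            report[name] = "unclaimed"
        elif pick is not None and pick[0] == "public":
            report[name] = "confusable"
        else:
            report[name] = "ok"
    return report


if __name__ == "__main__":
    indexes = [("private", PRIVATE_INDEX), ("public", PUBLIC_INDEX)]
    print("naive :", resolve_highest_wins(MANIFEST, indexes))
    print("pinned:", resolve_pinned_source(MANIFEST, indexes, SOURCES))
    print("audit :", find_confusions(MANIFEST, PRIVATE_INDEX, PUBLIC_INDEX))
```

The audit deliberately reports "unclaimed" as well as "confusable": an internal name that nobody has registered publicly is not exploitable today, but it is the precondition for the attack, and claiming the public name (or, better, removing the public index from the resolver's search path) closes it.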
Abstract
The software build process transforms source code into deployable artifacts, representing a critical yet vulnerable stage in software development. Build infrastructure security poses unique challenges: the complexity of multi-component systems (source code, dependencies, build tools), the difficulty of detecting intrusions during compilation, and prevalent build non-determinism that masks malicious modifications. Despite these risks, the security community lacks a systematic understanding of build-specific attack vectors, hindering effective defense design. This paper presents an empirically-derived taxonomy of attack vectors targeting the build process, constructed through a large-scale CVE mining (of 621 vulnerability disclosures from the NVD database). We categorize attack vectors by their injection points across the build pipeline, from source code manipulation to compiler…
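The abstract's point that build non-determinism masks malicious modifications is easy to see with a toy rebuild-and-compare check. The following is an added example, not code from the paper: the "build" is a constructed function that stamps a wall-clock time into the artifact header, and the normalisation step models what SOURCE_DATE_EPOCH does for real toolchains. Two honest builds differ only in the timestamp; a third has an extra line injected, standing in for a build-script injection.

```python
"""
Why build non-determinism hides tampering: compare artifacts from two honest
builds and one tampered build, first by raw digest, then after normalising
the non-deterministic field. Constructed toy artifacts, not the paper's tooling.
"""
import hashlib
import re

# Constructed source tree for the toy build.
SOURCES = {
    "main.c": b"int main(void) { return 0; }\n",
    "util.c": b"int util(void) { return 1; }\n",
}

TIMESTAMP_RE = re.compile(rb"^built-at: \d+\n")


def build(sources, build_time, inject=b""):
    """Toy build: stamps the wall-clock time into the header (the
    non-deterministic part), concatenates sources in name order, and appends
    any injected payload, modelling a build-script injection."""
    header = f"built-at: {build_time}\n".encode()
    body = b"".join(f"== {name} ==\n".encode() + data for name, data in sorted(sources.items()))
    return header + body + inject


def digest(artifact):
    return hashlib.sha256(artifact).hexdigest()


def normalise(artifact, epoch=0):
    """Replace the build timestamp with a fixed value so that honest rebuilds
    agree byte for byte; anything else that differs is a real change."""
    return TIMESTAMP_RE.sub(f"built-at: {epoch}\n".encode(), artifact, count=1)


def compare(reference, candidate):
    """Whether the raw digests match, and whether the normalised digests match."""
    return {
        "raw_match": digest(reference) == digest(candidate),
        "normalised_match": digest(normalise(reference)) == digest(normalise(candidate)),
    }


def demo():
    """Returns (honest-vs-honest result, honest-vs-tampered result)."""
    honest_a = build(SOURCES, 1700000000)
    honest_b = build(SOURCES, 1700000042)                      # same inputs, later clock
    tampered = build(SOURCES, 1700000099, inject=b"/* injected */\n")
    return compare(honest_a, honest_b), compare(honest_a, tampered)


if __name__ == "__main__":
    print(demo())
```

Raw digests differ in both comparisons, so "the hash changed" carries no signal and the injected line is indistinguishable from clock drift. After normalisation the honest rebuild matches and only the tampered artifact differs, which is exactly why reproducible-build discipline is a precondition for detecting build-time compromise by comparison.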
Taxonomy
Topics: Information and Cyber Security · Software Engineering Research · Web Application Security Vulnerabilities
