Cascaded Vulnerability Attacks in Software Supply Chains
Laura Baird, Armin Moin

TL;DR
This paper introduces a novel SBOM-driven security analysis approach that models vulnerability relationships as heterogeneous graphs and employs neural networks to predict cascaded vulnerabilities in software supply chains.
Contribution
It proposes a new method using heterogeneous graph modeling and neural networks to identify cascaded vulnerabilities, improving detection accuracy over existing tools.
Findings
HGAT achieves 91.03% accuracy in vulnerability classification.
The approach effectively predicts multi-step vulnerability chains.
Enriched SBOM graphs enhance vulnerability relationship understanding.
Abstract
Most of the current software security analysis tools assess vulnerabilities in isolation. However, sophisticated software supply chain security threats often stem from cascaded vulnerability and security weakness chains that span dependent components. Moreover, although the adoption of Software Bills of Materials (SBOMs) has been accelerating, downstream vulnerability findings vary substantially across SBOM generators and analysis tools. We propose a novel approach to SBOM-driven security analysis methods and tools. We model vulnerability relationships over dependency structure rather than treating scanner outputs as independent records. We represent enriched SBOMs as heterogeneous graphs with nodes being the SBOM components and dependencies, the known software vulnerabilities, and the known software security weaknesses. We then train a Heterogeneous Graph Attention Network (HGAT) to…
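The abstract describes representing an enriched SBOM as a heterogeneous graph whose nodes are components, known vulnerabilities and known weaknesses, and then reasoning over dependency structure rather than over isolated scanner findings. The following is an added illustration, not code from the paper or its authors: it builds such a typed graph from a constructed CycloneDX-style SBOM fragment and a constructed enrichment table (the `VULN-PLACEHOLDER-*` and `CWE-PLACEHOLDER-*` identifiers stand in for the CVE and CWE records a scanner would attach), then enumerates the multi-step vulnerability chains that lie along a dependency path. The graph schema (`depends_on`, `affected_by`, `instance_of` edge types) is my own assumption; the paper's HGAT model that learns over such a graph is not reproduced here.

```python
"""Heterogeneous SBOM graph and cascaded-chain enumeration (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed CycloneDX-style SBOM fragment; the names are not a real project.
SBOM = {
    "components": [
        {"bom-ref": "app", "name": "webapp", "version": "1.0"},
        {"bom-ref": "libA", "name": "http-parser", "version": "2.3"},
        {"bom-ref": "libB", "name": "deserializer", "version": "0.9"},
        {"bom-ref": "libC", "name": "logger", "version": "4.1"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["libA", "libC"]},
        {"ref": "libA", "dependsOn": ["libB"]},
        {"ref": "libB", "dependsOn": []},
        {"ref": "libC", "dependsOn": []},
    ],
}

# Constructed enrichment: placeholder vulnerability and weakness identifiers
# standing in for the CVE/CWE records a scanner would attach to each component.
ENRICHMENT = {
    "libA": [{"id": "VULN-PLACEHOLDER-1", "weakness": "CWE-PLACEHOLDER-INPUT"}],
    "libB": [{"id": "VULN-PLACEHOLDER-2", "weakness": "CWE-PLACEHOLDER-DESER"}],
}


def build_hetero_graph(sbom, enrichment):
    """Return (nodes, edges): nodes keyed by type, edges keyed by edge type.

    Node types: component, vulnerability, weakness.
    Edge types (assumed schema): depends_on (component -> component),
    affected_by (component -> vulnerability), instance_of (vulnerability -> weakness).
    """
    nodes: Dict[str, Set[str]] = defaultdict(set)
    edges: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for comp in sbom["components"]:
        nodes["component"].add(comp["bom-ref"])
    for dep in sbom["dependencies"]:
        for target in dep["dependsOn"]:
            edges["depends_on"].append((dep["ref"], target))
    for ref, vulns in enrichment.items():
        for vuln in vulns:
            nodes["vulnerability"].add(vuln["id"])
            nodes["weakness"].add(vuln["weakness"])
            edges["affected_by"].append((ref, vuln["id"]))
            edges["instance_of"].append((vuln["id"], vuln["weakness"]))
    return nodes, edges


def cascaded_chains(nodes, edges, root):
    """List every dependency path from `root` that crosses two or more
    vulnerable components, as the ordered list of vulnerability ids met on
    the way down. A single vulnerable dependency is not a cascade."""
    adj: Dict[str, List[str]] = defaultdict(list)
    for src, dst in edges["depends_on"]:
        adj[src].append(dst)
    vulns_of: Dict[str, List[str]] = defaultdict(list)
    for comp, vid in edges["affected_by"]:
        vulns_of[comp].append(vid)

    chains: List[List[str]] = []

    def walk(comp, path_vulns, seen):
        path_vulns = path_vulns + vulns_of.get(comp, [])
        if not adj[comp]:  # leaf of the dependency tree: record the path
            if len(path_vulns) >= 2:
                chains.append(path_vulns)
            return
        for dep in adj[comp]:
            if dep in seen:
                continue  # guard against dependency cycles in malformed SBOMs
            walk(dep, path_vulns, seen | {dep})

    walk(root, [], {root})
    return chains


if __name__ == "__main__":
    graph_nodes, graph_edges = build_hetero_graph(SBOM, ENRICHMENT)
    for chain in cascaded_chains(graph_nodes, graph_edges, "app"):
        print(" -> ".join(chain))
```

Run stand-alone, the script reports the one cascade in the constructed data: the parser's vulnerability followed by the deserializer's, reached through the `app -> libA -> libB` dependency path, while the logger branch contributes nothing. Each chain is exactly the kind of cross-component relationship that per-component scanner output does not surface.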
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
Taxonomy
Topics: Information and Cyber Security · Software Engineering Research · Software Reliability and Analysis Research
