Propagation-Based Vulnerability Impact Assessment for Software Supply Chains

Bonan Ruan, Zhiwei Lin, Jiahao Liu, Chuqi Zhang, Kaihang Ji, Zhenkai Liang

TL;DR

This work introduces Propagation-Based Vulnerability Impact Assessment, combining a hierarchical, worklist-driven vulnerability propagation analysis with the Vulnerability Propagation Scoring System (VPSS) to quantify ecosystem-wide risk. By constructing a scalable package-level (P-level) dependency graph and using patch-based vulnerable-function (VF) identification plus LLM-assisted filtering, the approach achieves ecosystem-wide call-graph-level (CG-level) propagation analysis for software supply chains, demonstrated on 100 real-world Maven vulnerabilities. VPSS provides a time-aware, interpretable score that blends propagation breadth and depth (VPSS_raw = PBF × PDF; VPSS = 10 × (1 − e^{−VPSS_raw/k}), so the score lies in [0, 10) and saturates as the raw product grows), enabling longitudinal risk tracking and prioritization. Implemented prototypes and evaluations show strong pruning efficiency, meaningful VPSS dynamics, and practical applicability for vulnerability management and cyber-insurance contexts.

Abstract

Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing many false positives, or fail to accomplish whole-ecosystem vulnerability propagation analysis. Second, although vulnerability assessment indicators like CVSS characterize individual vulnerabilities, no metric exists to specifically quantify the dynamic impact of vulnerability propagation across software supply chains. To address these limitations and enable accurate and comprehensive vulnerability impact assessment, we propose a novel approach: (i) a hierarchical worklist-based algorithm for whole-ecosystem and call-graph-level vulnerability propagation analysis and (ii) the Vulnerability Propagation Scoring System (VPSS), a dynamic metric to quantify the scope and evolution of vulnerability impacts in software supply chains. We implement a prototype of our approach in the Java Maven ecosystem and evaluate it on 100 real-world vulnerabilities. Experimental results demonstrate that our approach enables effective ecosystem-wide vulnerability propagation analysis, and provides a practical, quantitative measure of vulnerability impact through VPSS.
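The following is an added illustration, not the authors' prototype or data, of the two ideas the abstract and TL;DR describe: a hierarchical worklist (a package-level reverse-dependency pass that yields candidate dependents, then a call-graph pass that keeps only candidates with a call path into the vulnerable function) and the VPSS formula applied to the result across two snapshots in time. The ecosystem graph, the package and function names, the value k = 10, and the simplification that PBF is the count of CG-level affected packages and PDF the deepest dependency hop among them are all assumptions made here for the example; the paper's own definitions of PBF and PDF are not reproduced on this page.

```python
import math
from collections import deque

# Constructed toy Maven-like ecosystem snapshot (not the paper's data).
# "deps": direct dependencies (P-level edges); "calls": call-graph edges
# caller -> callees, with functions named "pkg.Class.method".
SNAPSHOT_T0 = {
    "lib-core": {"deps": [], "calls": {
        "lib-core.Parser.parse": ["lib-core.Parser.decode"],
        "lib-core.Parser.decode": [],            # the vulnerable function (VF)
        "lib-core.Util.hash": [],
    }},
    "mid-a": {"deps": ["lib-core"], "calls": {
        "mid-a.Api.load": ["lib-core.Parser.parse"],
    }},
    "mid-b": {"deps": ["lib-core"], "calls": {
        "mid-b.Api.digest": ["lib-core.Util.hash"],  # depends, never reaches VF
    }},
    "app-x": {"deps": ["mid-a"], "calls": {
        "app-x.Main.run": ["mid-a.Api.load"],
    }},
    "app-y": {"deps": ["mid-b"], "calls": {
        "app-y.Main.run": ["mid-b.Api.digest"],
    }},
}

def package_of(func):
    return func.split(".", 1)[0]

def p_level_worklist(snapshot, vuln_pkg):
    """Stage 1: reverse-dependency worklist from the vulnerable package.
    Returns {package: dependency depth} for every transitive dependent."""
    reverse = {p: [] for p in snapshot}
    for pkg, meta in snapshot.items():
        for dep in meta["deps"]:
            reverse[dep].append(pkg)
    depth = {vuln_pkg: 0}
    work = deque([vuln_pkg])
    while work:
        cur = work.popleft()
        for dependent in reverse[cur]:
            if dependent not in depth:
                depth[dependent] = depth[cur] + 1
                work.append(dependent)
    del depth[vuln_pkg]
    return depth

def cg_level_worklist(snapshot, candidates, vfs):
    """Stage 2: reverse call-graph worklist from the VFs, restricted to the
    vulnerable package plus the P-level candidates (the pruning step).
    Returns the set of candidate packages with a call path into a VF."""
    scope = set(candidates) | {package_of(vf) for vf in vfs}
    callers = {}
    for pkg in scope:
        for caller, callees in snapshot[pkg]["calls"].items():
            for callee in callees:
                callers.setdefault(callee, []).append(caller)
    reaches = set(vfs)
    work = deque(vfs)
    while work:
        f = work.popleft()
        for caller in callers.get(f, []):
            if caller not in reaches:
                reaches.add(caller)
                work.append(caller)
    return {package_of(f) for f in reaches} & set(candidates)

def vpss(pbf, pdf, k):
    """VPSS_raw = PBF x PDF; VPSS = 10 * (1 - e^(-VPSS_raw / k)), in [0, 10)."""
    return 10.0 * (1.0 - math.exp(-(pbf * pdf) / k))

def assess(snapshot, vuln_pkg, vfs, k=10.0):
    """Run both worklist stages and score the result.
    Assumed simplifications (not the paper's definitions): PBF = number of
    CG-level affected packages, PDF = deepest dependency hop among them."""
    candidates = p_level_worklist(snapshot, vuln_pkg)
    affected = cg_level_worklist(snapshot, candidates, vfs)
    pbf = len(affected)
    pdf = max((candidates[p] for p in affected), default=0)
    return {
        "candidates": sorted(candidates),
        "affected": sorted(affected),
        "pruned": sorted(set(candidates) - affected),   # depend, but no call path
        "pbf": pbf, "pdf": pdf,
        "vpss": round(vpss(pbf, pdf, k), 3),
    }

def later_snapshot():
    """Constructed later snapshot T1: a new package app-z builds on app-x,
    extending the propagation chain by one hop (time-aware re-scoring)."""
    snap = {p: {"deps": list(m["deps"]), "calls": dict(m["calls"])}
            for p, m in SNAPSHOT_T0.items()}
    snap["app-z"] = {"deps": ["app-x"],
                     "calls": {"app-z.Job.start": ["app-x.Main.run"]}}
    return snap

if __name__ == "__main__":
    vfs = ["lib-core.Parser.decode"]
    for label, snap in (("T0", SNAPSHOT_T0), ("T1", later_snapshot())):
        print(label, assess(snap, "lib-core", vfs))
```

At T0 the P-level pass yields four candidates, but the CG-level pass keeps only mid-a and app-x: mid-b and app-y depend on lib-core without any path to the vulnerable function, which is the false-positive class that package-level analysis alone cannot prune. Adding app-z at T1 lengthens the chain, and the score rises from about 3.3 to about 5.9 while staying below the 10 ceiling, which is the longitudinal behaviour the saturating form of VPSS is meant to give.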

Paper Structure

This paper contains 34 sections, 6 equations, 9 figures, 2 tables, 1 algorithm.

Figures (9)

  • Figure 1: Approach Overview
  • Figure 2: Vulnerable Function Identification
  • Figure 3: Call Path Illustration
  • Figure 4: Dependency Scenarios
  • Figure 5: Vulnerability Propagation Analysis
  • ...and 4 more figures