Characterizing Build Compromises Through Vulnerability Disclosure Analysis

Maimouna Tamah Diao, Moustapha Awwalou Diouf, Iyiola Emmanuel Olatunji, Abdoul Kader Kaboré, Gervais Mendy, Jacques Klein, Tegawendé F. Bissyandé

TL;DR

The paper addresses the vulnerability of software build processes in modern CI/CD pipelines, where non-determinism and multi-component complexity enable stealthy attacks. It combines large-scale CVE mining (621 build-related CVEs) with validation against 168 software supply chain attacks to derive a taxonomy of build attack vectors and assess their real-world prevalence (23.8% of supply chain incidents). The methodology yields 15 distinct attack vectors across five pipeline stages and validates eight of them with real incidents, highlighting dependency resolution as the dominant entry point and revealing underexplored phases such as compilation and packaging. The work provides a publicly available dataset and actionable guidance for hardening CI/CD environments against build-phase compromises.

Abstract

The software build process transforms source code into deployable artifacts, representing a critical yet vulnerable stage in software development. Build infrastructure security poses unique challenges: the complexity of multi-component systems (source code, dependencies, build tools), the difficulty of detecting intrusions during compilation, and prevalent build non-determinism that masks malicious modifications. Despite these risks, the security community lacks a systematic understanding of build-specific attack vectors, hindering effective defense design. This paper presents an empirically derived taxonomy of attack vectors targeting the build process, constructed through large-scale CVE mining of 621 vulnerability disclosures from the NVD database. We categorize attack vectors by their injection points across the build pipeline, from source code manipulation to compiler compromise. To validate our taxonomy, we analyzed 168 documented software supply chain attacks, identifying 40 incidents specifically targeting build phases. Our analysis reveals that 23.8% of supply chain attacks exploit build vulnerabilities, with dependency confusion and build script injection representing the most prevalent vectors. Dataset available at: https://anonymous.4open.science/r/Taxonomizing-Build-Attacks-8BB0.

Paper Structure

This paper contains 31 sections, 4 figures, 1 table.

Figures (4)

  • Figure 1: Two-phase approach for deriving and validating a taxonomy of build attack vectors. The upper workflow presents the taxonomy derivation from CVE analysis, while the lower workflow illustrates the validation dataset construction from real-world attacks.
  • Figure 2: Taxonomy of Attack Vectors Targeting the Build Process in CI/CD Environments
  • Figure 3: Distribution of Attacks Across Build Pipeline Stages
  • Figure 4: Build steps in a CI/CD environment