Cascaded Vulnerability Attacks in Software Supply Chains
Laura Baird, Armin Moin
TL;DR
This paper addresses cascaded vulnerabilities in software supply chains by leveraging SBOMs to build enriched, heterogeneous graphs that include software components, dependencies, CVEs, and CWEs. A two-headed HGAT learns to predict whether a component is associated with any known vulnerability, while a lightweight MLP performs CVE-pair link prediction to rank possible multi-step exploitation paths. The approach yields strong initial results, achieving 91.03% accuracy and 0.93 ROC-AUC on early benchmarks, and is supported by open-source code and publicly available data. The work contributes a practical framework for dependency-aware, cascade-oriented security analysis that can improve downstream vulnerability prioritization and remediation strategies.
Abstract
Most of the current software security analysis tools assess vulnerabilities in isolation. However, sophisticated software supply chain security threats often stem from cascaded vulnerability and security weakness chains that span dependent components. Moreover, although the adoption of Software Bills of Materials (SBOMs) has been accelerating, downstream vulnerability findings vary substantially across SBOM generators and analysis tools. We propose a novel approach to SBOM-driven security analysis methods and tools. We model vulnerability relationships over dependency structure rather than treating scanner outputs as independent records. We represent enriched SBOMs as heterogeneous graphs with nodes being the SBOM components and dependencies, the known software vulnerabilities, and the known software security weaknesses. We then train a Heterogeneous Graph Attention Network (HGAT) to predict whether a component is associated with at least one known vulnerability. Since documented multi-vulnerability chains are scarce, we model cascade discovery as a link prediction problem over CVE pairs using a multi-layer perceptron neural network. This way, we produce ranked candidate links that can be composed into multi-step paths. The HGAT component classifier achieves an Accuracy of 91.03% and an F1-score of 74.02%.
