Yingyuan Pu (QI-ANXIN Technology Research Institute), Lingyun Ying (QI-ANXIN Technology Research Institute), Yacong Gu (Tsinghua University; Tsinghua University-QI-ANXIN Group JCNS)
npm is the largest open-source software ecosystem with over 3 million packages. However, its complex dependencies between packages expose it to significant security threats as many packages directly or indirectly depend on other ones with known vulnerabilities.
Timely updating these vulnerable dependencies is a big challenge in software supply chain security, primarily due to the widespread effect of vulnerabilities and the huge cost of fixing them. Recent studies have shown that existing package-level vulnerability-propagation-analysis tools lead to high false positives, while function-level tools are not yet feasible for large-scale analysis in the npm ecosystem.
In this paper, we propose a novel framework VulTracer, which can precisely and efficiently perform vulnerability propagation analysis at function level. By constructing a rich semantic graph for each package independently and then stitching them together, VulTracer can locate vulnerability propagation paths and identify truly affected packages precisely. Through comparative evaluations, our framework achieves an F1 score of 0.905 in call graph construction and reduces false positives from npm audit by 94%. We conducted the largest-to-date function-level vulnerability impact measurement on the entire npm ecosystem, covering 34 million package versions. The results demonstrate that 68.28% of potential impacts identified by package-level analysis are merely noise, as the vulnerable code is unreachable. Furthermore, our findings also uncover that true vulnerability propagation (the signal) is shallow, with impact attenuating significantly within just a few dependency hops. VulTracer provides a practical path to mitigate alert fatigue and enables security efforts to focus on genuine, reachable threats.