Yutao Hu (Huazhong University of Science and Technology), Chaofan Li (Huazhong University of Science and Technology), Yueming Wu (Huazhong University of Science and Technology), Yifeng Cai (Peking University), Deqing Zou (Huazhong University of Science and Technology)
With the widespread adoption of third-party libraries (TPLs) in C/C++ development, software supply chain security has become critical. Existing C/C++ supply chain vulnerability analysis approaches have notable limitations. Some focus exclusively on dependency identification and treat every dependency on an affected TPL as vulnerable, which yields false positives (FPs) when the vulnerable code is absent from the reused copy or cannot be reached; others emphasize vulnerability detection but ignore dependencies, requiring costly full-repository scans that hinder rapid response to supply chain vulnerabilities. To address this, we explore an appropriate granularity for accurate dependency construction and vulnerability detection. We propose a community-level software composition analysis (SCA) approach that models the project's call graph as a social network and applies community detection. Dependencies between projects and TPLs are then established through community similarity. For vulnerability detection, we perform clone-based detection within dependent communities to verify that the vulnerable code is actually present, and introduce a two-stage reachability analysis to determine whether it can propagate to the target project. We implement VulSCA, the first C/C++ SCA framework that integrates both vulnerability detection and reachability analysis. Experimental results show that VulSCA outperforms CENTRIS and OSSFP in SCA with a 4–12% improvement in F1-score. In supply chain vulnerability detection, it achieves 44–48% higher F1-scores than version-based methods and 17–23% higher than code-based methods. In terms of efficiency, VulSCA incurs lower overall overhead than all code-based approaches. Furthermore, VulSCA identifies 32 previously unpatched supply chain vulnerabilities in widely used open-source projects, which have already been reported to the respective vendors.
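The pipeline sketched above (community detection on the call graph, dependency matching by community similarity, clone-based confirmation inside the matched community, then reachability back to the project entry point) is illustrated below as an added, self-contained example. It is not VulSCA's code and the abstract does not name the concrete algorithms, so the choices here are assumptions: deterministic label propagation stands in for the paper's community detection, Jaccard similarity over per-function fingerprints stands in for community similarity, exact fingerprint equality stands in for clone detection, and "two-stage reachability" is interpreted as (1) vulnerable function reachable from a community entry point within the community and (2) that entry point reachable from the project's main. The call graph, function bodies, library name and the "vulnerable" function are all constructed for the example.

```python
"""Toy community-level SCA pipeline (illustrative; not VulSCA's implementation)."""
from collections import Counter, defaultdict, deque
import hashlib

# Constructed call graph (caller -> callees) of a project that vendors a
# hypothetical image library whose functions are prefixed img_.
PROJECT_CALLS = {
    "main": {"parse_input", "render", "validate"},
    "parse_input": {"validate", "img_load"},
    "render": {"validate"},
    "validate": set(),
    "img_load": {"img_decode", "img_free"},
    "img_decode": {"img_decode_chunk", "img_free"},
    "img_decode_chunk": set(),
    "img_free": set(),
}

def fp(body: str) -> str:
    """Fingerprint of a normalised function body (whitespace stripped, SHA-256)."""
    return hashlib.sha256("".join(body.split()).encode()).hexdigest()[:16]

# Constructed bodies: three library functions are verbatim copies of the TPL,
# img_free was modified locally, so it must not count as a clone.
PROJECT_FPS = {
    "main": fp("int main(){parse_input();render();validate();}"),
    "parse_input": fp("void parse_input(){validate();img_load();}"),
    "render": fp("void render(){validate();}"),
    "validate": fp("int validate(){return 1;}"),
    "img_load": fp("int img_load(){img_decode();img_free();}"),
    "img_decode": fp("int img_decode(){img_decode_chunk();img_free();}"),
    "img_decode_chunk": fp("int img_decode_chunk(char*p,int n){memcpy(buf,p,n);}"),
    "img_free": fp("void img_free(){free(buf);buf=0;}"),
}
TPL_FPS = {f: PROJECT_FPS[f] for f in ("img_load", "img_decode", "img_decode_chunk")}
TPL_FPS["img_free"] = fp("void img_free(){free(buf);}")
# Hypothetical advisory: the unpatched img_decode_chunk is the vulnerable function.
VULN_FPS = {"img_decode_chunk": TPL_FPS["img_decode_chunk"]}

def communities(calls):
    """Deterministic asynchronous label propagation on the undirected call graph."""
    adj = defaultdict(set)
    for caller, callees in calls.items():
        adj[caller]  # touch, so callee-less functions still appear as nodes
        for c in callees:
            adj[caller].add(c)
            adj[c].add(caller)
    labels = {n: n for n in adj}
    for _ in range(100):
        changed = False
        for node in sorted(adj):
            counts = Counter(labels[nb] for nb in adj[node])
            if not counts:
                continue
            top = max(counts.values())
            best = {lab for lab, c in counts.items() if c == top}
            if labels[node] not in best:  # keep own label on ties, else smallest
                labels[node] = min(best)
                changed = True
        if not changed:
            break
    groups = defaultdict(set)
    for n, lab in labels.items():
        groups[lab].add(n)
    return sorted((frozenset(g) for g in groups.values()), key=min)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def match_tpl(comms, proj_fps, tpl_fps, threshold=0.5):
    """A project community resembling the TPL's fingerprint set is a dependency."""
    tpl_set = set(tpl_fps.values())
    return [(comm, round(jaccard({proj_fps[f] for f in comm}, tpl_set), 2))
            for comm in comms
            if jaccard({proj_fps[f] for f in comm}, tpl_set) >= threshold]

def vulnerable_clones(comm, proj_fps, vuln_fps):
    """Clone check: vulnerable TPL functions present *unmodified* in the community."""
    return sorted(f for f in comm if f in vuln_fps and proj_fps[f] == vuln_fps[f])

def path(calls, src, dst, allowed=None):
    """BFS over directed call edges, optionally restricted to `allowed` nodes."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            out = []
            while cur is not None:
                out.append(cur)
                cur = prev[cur]
            return out[::-1]
        for nxt in sorted(calls.get(cur, ())):
            if nxt not in prev and (allowed is None or nxt in allowed):
                prev[nxt] = cur
                queue.append(nxt)
    return None

def two_stage_reachability(calls, comm, vuln_func, project_entry="main"):
    """Stage 1: vuln_func reachable from a community entry point inside the community.
    Stage 2: that entry point reachable from the project entry. Returns the joined path."""
    entries = sorted(f for f in comm if any(f in calls[c] for c in calls if c not in comm))
    for entry in entries:
        inner = path(calls, entry, vuln_func, allowed=comm)
        if inner is None:
            continue
        outer = path(calls, project_entry, entry)
        if outer is not None:
            return outer + inner[1:]
    return None

def analyze(calls=PROJECT_CALLS, proj_fps=PROJECT_FPS, tpl_fps=TPL_FPS, vuln_fps=VULN_FPS):
    findings = []
    for comm, score in match_tpl(communities(calls), proj_fps, tpl_fps):
        for func in vulnerable_clones(comm, proj_fps, vuln_fps):
            findings.append({"function": func, "similarity": score,
                             "path": two_stage_reachability(calls, comm, func)})
    return findings

if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

On the constructed graph the library functions form one community, it matches the TPL with similarity 0.6 despite the locally modified img_free, img_decode_chunk is confirmed as an unmodified clone, and the reported path runs main, parse_input, img_load, img_decode, img_decode_chunk. Deleting the parse_input to img_load edge keeps the clone finding but makes the path None, which is the "present but unreachable" case the reachability stage exists to separate from a real supply chain exposure.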