Yutao Hu (Huazhong University of Science and Technology), Chaofan Li (Huazhong University of Science and Technology), Yueming Wu (Huazhong University of Science and Technology), Yifeng Cai (Peking University), Deqing Zou (Huazhong University of Science and Technology)

With the widespread adoption of third-party libraries (TPLs) in C/C++ development, software supply chain security has become critical. Existing C/C++ supply chain vulnerability analysis approaches have notable limitations. Some focus exclusively on dependency identification, leading to false positives (FPs), while others emphasize vulnerability detection but ignore dependencies, requiring costly full-repository scans that hinder rapid response to supply chain vulnerabilities. To address this, we explore an appropriate granularity for accurate dependency construction and vulnerability detection. We propose a community-level software composition analysis (SCA) approach that models the project’s call graph as a social network and applies community detection. Dependencies between projects and TPLs are then established through community similarity. For vulnerability detection, we perform clone-based detection within dependent communities to verify the existence of vulnerabilities, and introduce a two-stage reachability analysis to determine whether they can propagate to the target project. We implement VulSCA, the first C/C++ SCA framework that integrates both vulnerability detection and reachability analysis. Experimental results show that VulSCA outperforms CENTRIS and OSSFP in SCA with a 4–12% improvement in F1-score. In supply chain vulnerability detection, it achieves 44–48% higher F1-scores than version-based methods and 17–23% higher than code-based methods. In terms of efficiency, VulSCA incurs lower overall overhead than all code-based approaches. Furthermore, VulSCA identifies 32 previously unpatched supply chain vulnerabilities in widely used open-source projects, which have already been reported to the respective vendors.

View More Papers

Insights from GitHub Community on the Matter Standard: Developer...

Muhammad Hassan (University of Illinois Urbana Champaign), Carl Gunter (University of Illinois Urbana Champaign), Susan Landau (Tufts University), Masooda Bashir (University of Illinois Urbana Champaign)

Read More

SAGA: A Security Architecture for Governing AI Agentic Systems

Georgios Syros (Northeastern University), Anshuman Suri (Northeastern University), Jacob Ginesin (Northeastern University), Cristina Nita-Rotaru (Northeastern University), Alina Oprea (Northeastern University)

Read More

Defending Job Platforms from Non-Genuine Applications Using Layered Detection...

Rama Rohit Reddy Gangula (Indeed), Vijay Vardhan Alluri (Indeed), Saif Jawaid (Indeed), Dhwaj Raj (Indeed), Udit Jindal (Indeed)

Read More