Chasing One-day Vulnerabilities Across Open Source Forks

📅 2025-11-07
🤖 AI Summary
This work addresses the challenge of detecting one-day vulnerabilities, that is, vulnerabilities that persist in active fork repositories after being patched in the upstream project, where existing tools fail because repository visibility is fragmented across forks. We propose the first commit-level, cross-fork vulnerability propagation tracking method grounded in a global code graph. Leveraging Software Heritage, we construct a public code graph encompassing 7,162 vulnerable repositories, integrating OSV vulnerability advisories with fine-grained Git commit histories to enable differential analysis and automated impact assessment. Our approach goes beyond conventional dependency-based scanning by uncovering previously overlooked propagation paths. Applied to 2.2 million forks, it identifies 356 vulnerability-fork pairs affecting active projects; manual validation confirms three high-severity cases. The method significantly enhances the timeliness and scope of open-source supply chain security monitoring.

📝 Abstract
Tracking vulnerabilities inherited from third-party open-source components is a well-known challenge, often addressed by tracing the threads of dependency information. However, vulnerabilities can also propagate through forking: a repository forked after the introduction of a vulnerability, but before it is patched, may remain vulnerable in the fork well after being fixed in the original project. Current approaches for vulnerability analysis lack the commit-level granularity needed to track vulnerability introductions and fixes across forks, potentially leaving one-day vulnerabilities undetected. This paper presents a novel approach to help developers identify one-day vulnerabilities in forked repositories. Leveraging the global graph of public code, as captured by the Software Heritage archive, the approach propagates vulnerability information at the commit level and performs automated impact analysis. This enables automatic detection of forked projects that have not incorporated fixes, leaving them potentially vulnerable. Starting from 7162 repositories that, according to OSV, include vulnerable commits in their development histories, we identify 2.2 M forks containing at least one vulnerable commit. We then apply strict filtering, which yields 356 ⟨vulnerability, fork⟩ pairs impacting active and popular GitHub forks. We manually evaluate 65 of these pairs, finding 3 high-severity vulnerabilities and demonstrating the impact and applicability of this approach.
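As an added illustration (not code from the paper, Software Heritage or OSV), the following Python models the commit-level check the summary and abstract describe: a fork head is flagged as still vulnerable when it descends from the advisory's introducing commit but not from its fixing commit. The commit graph, fork names and commit ids are all constructed; the introduced/fixed pair mirrors the shape of the events in OSV's GIT ranges.

```python
from collections import deque

# Constructed commit graph: commit id -> list of parent ids.
# Upstream: a0 -> a1 (introduces bug) -> a2 -> a3 (fixes bug) -> a4
# fork_stale: branched at a2, never merged the fix
# fork_synced: branched at a2, later merged upstream a3
# fork_old: branched at a0, before the bug existed
GRAPH = {
    "a0": [], "a1": ["a0"], "a2": ["a1"], "a3": ["a2"], "a4": ["a3"],
    "s1": ["a2"], "s2": ["s1"],              # fork_stale
    "y1": ["a2"], "y2": ["y1", "a3"],        # fork_synced (merge of fix)
    "o1": ["a0"],                            # fork_old
}

# Advisory events in the shape OSV uses for GIT ranges (constructed values).
ADVISORY = {"introduced": "a1", "fixed": "a3"}

def ancestors(graph, head):
    """Return head plus every commit reachable by following parent links."""
    seen, queue = set(), deque([head])
    while queue:
        c = queue.popleft()
        if c in seen:
            continue
        seen.add(c)
        queue.extend(graph.get(c, []))
    return seen

def is_vulnerable(graph, head, advisory):
    """A head is still vulnerable if it descends from the introducing
    commit but not from the fixing commit (the one-day fork case)."""
    hist = ancestors(graph, head)
    return advisory["introduced"] in hist and advisory["fixed"] not in hist

def classify_forks(graph, fork_heads, advisory):
    """Map each fork name to True when still vulnerable under the advisory."""
    return {name: is_vulnerable(graph, head, advisory)
            for name, head in fork_heads.items()}

FORK_HEADS = {"fork_stale": "s2", "fork_synced": "y2",
              "fork_old": "o1", "upstream": "a4"}

if __name__ == "__main__":
    for name, vuln in classify_forks(GRAPH, FORK_HEADS, ADVISORY).items():
        print(f"{name}: {'VULNERABLE' if vuln else 'ok'}")
```

A merge of the fix commit into the fork (fork_synced) clears the flag even though the fork also contains the introducing commit, which is why reachability of both events, not just the introducing one, has to be checked.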
Problem

Research questions and friction points this paper is trying to address.

Tracking vulnerability propagation through open-source forking mechanisms
Detecting unpatched one-day vulnerabilities in forked repositories
Identifying security risks from inherited vulnerable commits across forks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Leveraging global code graph for vulnerability tracking
Propagating vulnerability information at commit level
Automated impact analysis for detecting unpatched forks