Hidden Amplifiers: Cross-Level Risk in Software Supply Chains

📅 2026-07-07
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses a critical limitation in existing Software Composition Analysis (SCA) tools, which treat ecosystem-level dependencies and code-level static analysis in isolation, often yielding false positives for unreachable CVEs while overlooking disproportionate supply chain risks posed by structurally critical micro-dependencies. To bridge this gap, the authors propose the first cross-layer risk propagation framework that unifies code structural features with ecosystem dependency exposure through a novel risk formulation. This approach jointly models and identifies “hidden amplifiers”—minimalist packages with few methods yet widely depended upon across numerous projects—revealing their outsized impact on supply chain security. Empirical evaluation on npm and PyPI ecosystems uncovers multiple high-risk components within 50 open-source projects, significantly outperforming state-of-the-art SCA tools and demonstrating the efficacy of cross-layer analysis in enhancing software supply chain vulnerability detection.
📝 Abstract
Modern software supply chains comprise hundreds of transitive dependencies, yet existing analysis tools operate at either the ecosystem level (dependency graphs) or the code level (static analysis within packages). This separation creates two failure modes. First, false-positive CVE alerts for unreachable code. Second, blind spots for structurally critical micro-dependencies. We introduce cross-level risk propagation, a framework that bridges code-level risk metrics with ecosystem-level dependency exposure through a unified risk formula. Preliminary evaluation on 50 packages across npm and PyPI reveals a class of hidden amplifiers -- micro-dependencies with fewer than 50 methods but over 50,000 dependents -- that carry outsized supply-chain risk invisible to all current Software Composition Analysis (SCA) tools. Without cross-level analysis, such packages can harbor exploitable code for years because no current tool considers both internal code structure and ecosystem position simultaneously. These results suggest that cross-level analysis opens a new design space for supply-chain security.
Problem

Research questions and friction points this paper is trying to address.

software supply chain
cross-level risk
hidden amplifiers
dependency analysis
Software Composition Analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

cross-level risk propagation
hidden amplifiers
software supply chain security
Software Composition Analysis
micro-dependencies
🔎 Similar Papers
No similar papers found.