Search papers, labs, and topics across Lattice.
This paper introduces a novel framework for cross-level risk propagation that integrates code-level risk metrics with ecosystem-level dependency exposure, addressing the limitations of existing Software Composition Analysis (SCA) tools. By evaluating 50 packages from npm and PyPI, the authors identify "hidden amplifiers"鈥攎icro-dependencies that, despite their small size, pose significant supply-chain risks due to their extensive reach. The findings highlight that without this cross-level analysis, critical vulnerabilities can remain undetected for extended periods, emphasizing the need for a more holistic approach to software supply chain security.
Micro-dependencies can pose outsized risks, with some hiding exploitable vulnerabilities in plain sight due to their extensive network of dependents.
Modern software supply chains comprise hundreds of transitive dependencies, yet existing analysis tools operate at either the ecosystem level (dependency graphs) or the code level (static analysis within packages). This separation creates two failure modes. First, false-positive CVE alerts for unreachable code. Second, blind spots for structurally critical micro-dependencies. We introduce cross-level risk propagation, a framework that bridges code-level risk metrics with ecosystem-level dependency exposure through a unified risk formula. Preliminary evaluation on 50 packages across npm and PyPI reveals a class of hidden amplifiers -- micro-dependencies with fewer than 50 methods but over 50,000 dependents -- that carry outsized supply-chain risk invisible to all current Software Composition Analysis (SCA) tools. Without cross-level analysis, such packages can harbor exploitable code for years because no current tool considers both internal code structure and ecosystem position simultaneously. These results suggest that cross-level analysis opens a new design space for supply-chain security.