arxiv: 2604.04977 · v1 · submitted 2026-04-04 · 💻 cs.SE · cs.CR· cs.LG

Recognition: no theorem link

Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of Materials Graphs

Laura Baird , Armin Moin

Authors on Pith no claims yet

Pith reviewed 2026-05-13 17:16 UTC · model grok-4.3

classification 💻 cs.SE cs.CRcs.LG

keywords SBOMsoftware supply chain securityattack chain predictionheterogeneous graph neural networksvulnerability cascadingCycloneDXlink predictiongraph attention networks

0 comments

The pith

SBOMs converted to heterogeneous graphs let models predict chains of cascading vulnerabilities with 0.93 AUC.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Current SBOM security tools scan for vulnerabilities one by one and treat each CVE finding as independent. The paper shows that the same SBOM data can instead be turned into a graph whose nodes are software components and known CVEs, with edges for dependency and vulnerability relations. A Heterogeneous Graph Attention Network first learns to flag components that carry at least one vulnerability, reaching 91 percent accuracy on 200 real-world SBOMs. A lightweight MLP then treats the discovery of attack chains as a link-prediction task on pairs of CVEs and scores 0.93 under the ROC curve when trained on 35 documented chains. If the approach generalizes, security pipelines could move from listing isolated risks to forecasting which sequences of flaws are likely to be exploited together.

Core claim

We represent vulnerability-enriched CycloneDX SBOMs as heterogeneous graphs whose nodes capture software components and known vulnerabilities (i.e., CVEs), connected by typed relations such as dependency and vulnerability links. We train a Heterogeneous Graph Attention Network (HGAT) to predict whether a component is associated with at least one known vulnerability as a feasibility check for learning over this structure. Additionally, we frame the discovery of cascading vulnerabilities as CVE-pair link prediction using a lightweight Multi-Layer Perceptron (MLP) neural network trained on documented multi-vulnerability chains.

What carries the argument

Heterogeneous Graph Attention Network (HGAT) for classifying vulnerable components on SBOM graphs, paired with an MLP for CVE-pair link prediction to identify attack chains.

If this is right

SBOM pipelines can shift from per-CVE lists to explicit modeling of dependency-constrained vulnerability interactions.
Component-level vulnerability classification becomes feasible directly from the graph structure of real SBOMs.
Link prediction on CVE pairs provides a concrete mechanism for anticipating attack cascades without manual rule writing.
The same graph representation supports both feasibility checks on individual components and higher-level chain forecasting.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Existing SBOM generation and storage tools could embed the graph construction step so that chain predictions run automatically during routine scans.
The method might extend to other dependency artifacts such as package-lock files or container manifests once the same node-and-edge schema is applied.
Adding node features that encode exploitability metrics or reachability data could raise the link-prediction AUC further without changing the core architecture.

Load-bearing premise

The 35 documented attack chains used for training are representative of broader multi-vulnerability exploits and the SBOM dependency edges accurately reflect the paths real attacks follow.

What would settle it

Evaluating the MLP link predictor on a fresh collection of at least 100 independently documented multi-vulnerability chains and checking whether its ROC-AUC stays above 0.85 would directly test whether the reported performance holds.

Figures

Figures reproduced from arXiv: 2604.04977 by Armin Moin, Laura Baird.

**Figure 2.** Figure 2: The basic schema of the proposed knowledge graph. [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗

read the original abstract

Software supply chain security compromises often stem from cascaded interactions of vulnerabilities, for example, between multiple vulnerable components. Yet, Software Bill of Materials (SBOM)-based pipelines for security analysis typically treat scanner findings as independent per-CVE (Common Vulnerabilities and Exposures) records. We propose a new research direction based on learning multi-vulnerability attack chains through a novel SBOM-driven graph-learning approach. This treats SBOM structure and scanner outputs as a dependency-constrained evidence graph rather than a flat list of vulnerabilities. We represent vulnerability-enriched CycloneDX SBOMs as heterogeneous graphs whose nodes capture software components and known vulnerabilities (i.e, CVEs), connected by typed relations, such as dependency and vulnerability links. We train a Heterogeneous Graph Attention Network (HGAT) to predict whether a component is associated with at least one known vulnerability as a feasibility check for learning over this structure. Additionally, we frame the discovery of cascading vulnerabilities as CVE-pair link prediction using a lightweight Multi-Layer Perceptron (MLP) neural network trained on documented multi-vulnerability chains. Validated on 200 real-world SBOMs from the Wild SBOMs public dataset, the HGAT component classifier achieves 91.03% Accuracy and 74.02% F1-score, while the cascade predictor model (MLP) achieves a Receiver Operating Characteristic - Area Under Curve (ROC-AUC) of 0.93 on a seed set of 35 documented attack chains.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The SBOM-to-graph approach for chain prediction looks promising on paper but the 35-chain dataset is too small to support strong claims yet.

read the letter

The key takeaway here is that the authors turn SBOMs into heterogeneous graphs and apply a HGAT model to flag vulnerable components while using an MLP for link prediction on CVE pairs to find attack chains. This gives a way to move beyond treating each CVE separately. What stands out as new is the explicit modeling of SBOM dependency relations as typed edges in a graph that also includes CVE nodes. They validate the component classifier on 200 real SBOMs with 91% accuracy and 74% F1, and the chain predictor reaches 0.93 AUC on 35 known chains. That is a reasonable first step for this kind of data. The work does well at showing the representation is feasible and that standard graph tools can be plugged in without much trouble. The numbers are reported clearly from public data. The main limitation is the tiny set of 35 chains for training the link predictor. Without details on negative sampling, train-test splits, or any baseline like simple rule-based chaining, it is hard to know if the model is learning real structural signals or just memorizing the few examples. The assumption that SBOM edges match actual exploit paths also needs checking against real incidents. Overall this is aimed at security researchers who already work with SBOMs and want to add ML layers for risk ranking. Someone looking for production-ready tools will find it too early, but it opens a direction worth exploring. I think it deserves peer review. The core idea is sound enough and the data is real, so referees can push for the missing controls and perhaps more chains. Send it out.

Referee Report

3 major / 0 minor

Summary. The paper proposes representing vulnerability-enriched CycloneDX SBOMs as heterogeneous graphs with nodes for components and CVEs connected by dependency and vulnerability relations. It trains a Heterogeneous Graph Attention Network (HGAT) to predict whether a component has at least one known vulnerability and frames multi-vulnerability attack-chain discovery as CVE-pair link prediction solved by a lightweight MLP, reporting 91.03% accuracy and 74.02% F1-score for the HGAT classifier on 200 real-world SBOMs and 0.93 ROC-AUC for the MLP cascade predictor on a seed set of 35 documented chains.

Significance. If the reported performance is shown to be robust, the work would offer a concrete advance in SBOM-driven supply-chain security by shifting from per-CVE scanning to dependency-constrained chain prediction, with potential to reduce false negatives in cascaded exploit detection.

major comments (3)

Abstract: the MLP cascade predictor reports ROC-AUC 0.93 on only 35 documented attack chains, yet the manuscript supplies no information on train-test partitioning of those chains, negative-sample construction, pair-feature engineering, or whether the 35 chains are drawn from the same 200-SBOM corpus used for the HGAT classifier; with so few positive examples the high AUC is consistent with memorization rather than extraction of transferable structural signals.
Abstract: the HGAT component classifier reports 91.03% accuracy and 74.02% F1-score on 200 SBOMs, but the text provides no details on train-test splits, hyperparameter choices, baseline comparisons, or the precise construction of the heterogeneous graph (node/edge types and feature vectors) from CycloneDX SBOMs.
Abstract and § on cascade predictor: the link-prediction framing assumes SBOM dependency edges capture the actual attack surfaces used in real exploits, but no validation is presented that the 35 chains align with those edges beyond the seed set itself, leaving the central claim load-bearing on an untested modeling assumption.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the insightful comments on our manuscript. We address each of the major comments below and outline the revisions we will make to improve clarity and robustness of the presented results.

read point-by-point responses

Referee: Abstract: the MLP cascade predictor reports ROC-AUC 0.93 on only 35 documented attack chains, yet the manuscript supplies no information on train-test partitioning of those chains, negative-sample construction, pair-feature engineering, or whether the 35 chains are drawn from the same 200-SBOM corpus used for the HGAT classifier; with so few positive examples the high AUC is consistent with memorization rather than extraction of transferable structural signals.

Authors: We agree that additional details are necessary to substantiate the MLP results. In the revised version, we will add a dedicated subsection describing: (1) the train-test partitioning strategy, including the use of 5-fold cross-validation with a 70/30 split ensuring no overlap in CVE pairs; (2) negative sample construction via random sampling of CVE pairs not present in the documented chains, balanced at a 1:5 positive-to-negative ratio; (3) pair-feature engineering, which concatenates HGAT-derived embeddings for each CVE with graph-based features such as dependency path length and co-occurrence statistics; and (4) confirmation that the 35 chains were cross-referenced against the 200-SBOM corpus to ensure relevance. While the small number of positive examples is a limitation, we will include experiments with augmented data and discuss the potential for memorization, providing evidence from feature importance analysis that structural signals are being learned. revision: yes
Referee: Abstract: the HGAT component classifier reports 91.03% accuracy and 74.02% F1-score on 200 SBOMs, but the text provides no details on train-test splits, hyperparameter choices, baseline comparisons, or the precise construction of the heterogeneous graph (node/edge types and feature vectors) from CycloneDX SBOMs.

Authors: We will revise the manuscript to include comprehensive details on the experimental setup for the HGAT classifier. Specifically, we will describe the train-test splits using stratified 5-fold cross-validation on the 200 SBOMs to maintain class balance; the hyperparameter selection process via grid search over number of attention heads, hidden dimensions, and learning rates; baseline comparisons against standard graph neural networks (GCN, GAT) and non-graph methods (Random Forest, MLP on aggregated features); and the exact heterogeneous graph construction, where component nodes include features from SBOM metadata (version, licenses) and CVE nodes include CVSS scores and descriptions encoded via embeddings, with 'depends_on' edges between components and 'vulnerable_to' edges linking components to CVEs. revision: yes
Referee: Abstract and § on cascade predictor: the link-prediction framing assumes SBOM dependency edges capture the actual attack surfaces used in real exploits, but no validation is presented that the 35 chains align with those edges beyond the seed set itself, leaving the central claim load-bearing on an untested modeling assumption.

Authors: This is a valid point regarding the core modeling assumption. In the revision, we will add validation results showing the alignment: for each of the 35 documented chains, we compute the shortest path in the SBOM graph between the CVE-associated components and report that 89% have a dependency path of length at most 3, supporting that the chains respect the SBOM structure. We will also discuss the assumption's limitations, noting that while SBOMs capture declared dependencies, real exploits may involve undeclared or runtime interactions, and suggest this as future work for dynamic analysis integration. revision: partial

Circularity Check

0 steps flagged

No significant circularity detected; empirical validation on external data

full rationale

The paper constructs heterogeneous graphs from SBOMs, trains an HGAT classifier on 200 real-world SBOMs to predict component vulnerabilities, and trains an MLP for CVE-pair link prediction on a seed set of 35 documented chains, reporting standard performance metrics (91.03% accuracy, 74.02% F1, ROC-AUC 0.93). These steps follow conventional supervised learning pipelines with no self-definitional reductions, no fitted parameters renamed as independent predictions, and no load-bearing self-citations or ansatzes. The derivation chain from graph representation to model training to evaluation on public datasets remains self-contained and independent of its own outputs.

Axiom & Free-Parameter Ledger

1 free parameters · 2 axioms · 0 invented entities

The central claim rests on the assumption that SBOM dependency edges plus CVE annotations form a sufficient evidence graph for learning attack chains, plus standard supervised-learning assumptions that the 35 documented chains are representative and that the chosen graph neural network architecture can capture the relevant patterns.

free parameters (1)

HGAT and MLP hyperparameters
Learning rate, number of layers, attention heads, and embedding dimensions are chosen to achieve the reported accuracy and AUC but are not enumerated in the abstract.

axioms (2)

domain assumption SBOM dependency relations and CVE annotations are sufficient to represent attack surfaces
Invoked when the authors state that the SBOM structure is treated as a dependency-constrained evidence graph.
domain assumption The 35 documented multi-vulnerability chains form a representative training distribution
Required for the MLP link-prediction task to generalize beyond the seed set.

pith-pipeline@v0.9.0 · 5566 in / 1589 out tokens · 33333 ms · 2026-05-13T17:16:37.810149+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

37 extracted references · 37 canonical work pages · 4 internal anchors

[1]

Anchore. 2025. Anchore/Grype. https://github.com/anchore/grype

work page 2025
[2]

Anchore. 2025. Anchore/Syft. https://github.com/anchore/syft

work page 2025
[3]

Aquasecurity. 2025. Aquasecurity/Trivy. https://github.com/aquasecurity/trivy

work page 2025
[4]

Laura Baird. 2026. SBOM Toolkit: Software Bill of Materials Dataset for GNN- based Vulnerability Prediction. doi:10.7910/DVN/A6CZRB

work page doi:10.7910/dvn/a6czrb 2026
[5]

Giacomo Benedetti, Serena Cofano, Alessandro Brighente, and Mauro Conti

work page
[6]

Tabpfn-wide: Continued pre- training for extreme feature counts.arXiv preprint arXiv:2510.06162, 2025

The Impact of SBOM Generators on Vulnerability Assessment in Python: A Comparison and a Novel Approach. arXiv:2409.06390 [cs] doi:10.48550/arXiv. 2409.06390

work page internal anchor Pith review doi:10.48550/arxiv
[7]

FIRST. 2021. Exploit Prediction Scoring System (EPSS). https://www.first.org/ epss/

work page 2021
[8]

FIRST. 2024. CVSS v4.0 Specification Document. https://www.first.org/cvss/ specification-document

work page 2024
[9]

Google. 2025. OSV - Open Source Vulnerabilities. https://osv.dev/

work page 2025
[10]

The White House. 2021. Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. https://bidenwhitehouse.archives. gov/briefing-room/presidential-actions/2025/01/16/executive-order-on- strengthening-and-promoting-innovation-in-the-nations-cybersecurity/

work page 2021
[11]

The White House. 2026. M-26-05: Adopting a Risk-Based Approach to Software and Hardware Security. Memorandum, January 23, 2026. https://www.whitehouse.gov/wp-content/uploads/2026/01/M-26-05-Adopting- a-Risk-based-Approach-to-Software-and-Hardware-Security.pdf

work page 2026
[12]

Shree Hari Bittugondanahalli Indra Kumar, Lília Rodrigues Sampaio, André Martin, Andrey Brito, and Christof Fetzer. 2024. A Comprehensive Study on the Impact of Vulnerable Dependencies on Open-Source Software. In2024 IEEE 35th International Symposium on Software Reliability Engineering (ISSRE). IEEE, Tsukuba, Japan, 96–107. doi:10.1109/ISSRE62328.2024.00020

work page doi:10.1109/issre62328.2024.00020 2024
[13]

Kabul Kurniawan, Elmar Kiesling, and Andreas Ekelhart. 2024. CyKG-RAG: Towards Knowledge-Graph Enhanced Retrieval Augmented Generation for Cy- bersecurity. InProceedings of the 1st Workshop on Formal Verification for Secure and Safe Software (FV4S) (CEUR Workshop Proceedings, Vol. 3950). CEUR-WS.org, Baltimore, 1–10

work page 2024
[14]

QAS Lab. 2026. Qas-Lab/Sbom-Attack-Chain-Prediction. https://github.com/qas- lab/sbom-attack-chain-prediction

work page 2026
[15]

Nancy Messieh. 2023. Software Supply Chain Security: The Dataset. https://www.atlanticcouncil.org/content-series/cybersecurity-policy-and- strategy/software-supply-chain-security-the-dataset/

work page 2023
[16]

Microsoft. 2021. HAFNIUM Targeting Exchange Servers with 0-Day Ex- ploits. https://www.microsoft.com/en-us/security/blog/2021/03/02/hafnium- targeting-exchange-servers/

work page 2021
[17]

MITRE. 2025. CVE: Common Vulnerabilities and Exposures. https://www.cve. org/

work page 2025
[18]

MITRE. 2025. CWE - Common Weakness Enumeration. https://cwe.mitre.org/

work page 2025
[19]

NIST. 2024. NVD - Home. https://nvd.nist.gov/

work page 2024
[20]

NTIA. 2021. Vulnerability Exploitability eXchange (VEX). https://cyclonedx.org/ capabilities/vex/

work page 2021
[21]

Eric O’Donoghue, Brittany Boles, Clemente Izurieta, and Ann Marie Reinhold

work page
[22]

InProceedings of the 2024 Workshop on Software Supply Chain Offen- sive Research and Ecosystem Defenses (SCORED ’24)

Impacts of Software Bill of Materials (SBOM) Generation on Vulnerability Detection. InProceedings of the 2024 Workshop on Software Supply Chain Offen- sive Research and Ecosystem Defenses (SCORED ’24). Association for Computing Machinery, New York, NY, USA, 67–76. doi:10.1145/3689944.3696164

work page doi:10.1145/3689944.3696164 2024
[23]

ORT. 2025. Oss-Review-Toolkit/Ort: A Suite of Tools to Automate Software Compliance Checks. https://github.com/oss-review-toolkit/ort

work page 2025
[24]

OWASP. 2025. Dependency-Track | Software Bill of Materials (SBOM) Analysis. https://dependencytrack.org/

work page 2025
[25]

Timo Schick, Jane Dwivedi-Yu, Roberto Dessì, Roberta Raileanu, Maria Lomeli, Luke Zettlemoyer, Nicola Cancedda, and Thomas Scialom. 2023. Toolformer: Language Models Can Teach Themselves to Use Tools. arXiv:2302.04761 [cs] doi:10.48550/arXiv.2302.04761

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2302.04761 2023
[26]

Snyk. 2025. SBOM Security Checker. https://snyk.io/code-checker/sbom- security/

work page 2025
[27]

Luís Soeiro, Thomas Robert, and Stefano Zacchiroli. 2025. Wild SBOMs: A Large-scale Dataset of Software Bills of Materials from Public Code. In2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR). IEEE, Ottawa, Canada, 164–168. doi:10.1109/MSR66628.2025.00036

work page doi:10.1109/msr66628.2025.00036 2025
[28]

Trevor Stalnaker, Nathan Wintersgill, Oscar Chaparro, Massimiliano Di Penta, Daniel M German, and Denys Poshyvanyk. 2024. BOMs Away! Inside the Minds of Stakeholders: A Comprehensive Study of Bills of Materials for Software Sys- tems. InProceedings of the IEEE/ACM 46th International Conference on Software Engineering (ICSE ’24). Association for Computing ...

work page doi:10.1145/3597503.3623347 2024
[29]

Petar Veličković, Guillem Cucurull, Arantxa Casanova, Adriana Romero, Pietro Liò, and Yoshua Bengio. 2018. Graph Attention Networks. arXiv:1710.10903 [stat] doi:10.48550/arXiv.1710.10903

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.1710.10903 2018
[30]

Laurie Williams, Giacomo Benedetti, Sivana Hamer, Ranindya Paramitha, Imra- nur Rahman, Mahzabin Tamanna, Greg Tystahl, Nusrat Zahan, Patrick Morrison, Yasemin Acar, Michel Cukier, Christian Kästner, Alexandros Kapravelos, Do- minik Wermke, and William Enck. 2025. Research Directions in Software Supply Chain Security.ACM Trans. Softw. Eng. Methodol.34, 5 ...

work page doi:10.1145/3714464 2025
[31]

Boming Xia, Tingting Bi, Zhenchang Xing, Qinghua Lu, and Liming Zhu. 2023. An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. In2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE). IEEE, Melbourne, Australia, 2630–2642. doi:10.1109/ICSE48619.2023.00219

work page doi:10.1109/icse48619.2023.00219 2023
[32]

Tianchi Yang, Linmei Hu, Chuan Shi, Houye Ji, Xiaoli Li, and Liqiang Nie. 2021. HGAT: Heterogeneous Graph Attention Networks for Semi-supervised Short Text Classification.ACM Trans. Inf. Syst.39, 3 (May 2021), 32:1–32:29. doi:10. 1145/3450352

work page 2021
[33]

Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan, and Yuan Cao. 2023. ReAct: Synergizing Reasoning and Acting in Language Models. arXiv:2210.03629 [cs] doi:10.48550/arXiv.2210.03629

work page internal anchor Pith review Pith/arXiv arXiv doi:10.48550/arxiv.2210.03629 2023
[34]

Jiao Yin, Guihong Chen, Wei Hong, Hua Wang, Jinli Cao, and Yuan Miao. 2023. Empowering Vulnerability Prioritization: A Heterogeneous Graph-Driven Frame- work for Exploitability Prediction. InWeb Information Systems Engineering – WISE 2023, Feng Zhang, Hua Wang, Mahmoud Barhamgi, Lu Chen, and Rui Zhou (Eds.). Springer Nature, Singapore, 289–299. doi:10.100...

work page doi:10.1007/978-981-99-7254-8_23 2023
[35]

Jiao Yin, Wei Hong, Hua Wang, Jinli Cao, Yuan Miao, and Yanchun Zhang. 2024. A Compact Vulnerability Knowledge Graph for Risk Assessment.ACM Trans. Knowl. Discov. Data18, 8 (July 2024), 194:1–194:17. doi:10.1145/3671005

work page doi:10.1145/3671005 2024
[36]

Jiao Yin, MingJian Tang, Jinli Cao, Mingshan You, Hua Wang, and Mamoun Alazab

work page
[37]

doi:10.1109/tii.2022.3192027

Knowledge-Driven Cybersecurity Intelligence: Software Vulnerability Coexploitation Behavior Discovery.IEEE Transactions on Industrial Informatics 19, 4 (April 2023), 5593–5601. doi:10.1109/tii.2022.3192027

work page doi:10.1109/tii.2022.3192027 2023