VulSCA: A Community-Level SCA Approach for Accurate C/C++ Supply Chain Vulnerability Analysis

With the widespread adoption of third-party libraries (TPLs) in C/C++ development, software supply chain security has become critical. Existing C/C++ supply chain vulnerability analysis approaches have notable limitations. Some focus exclusively on dependency identification, leading to false positives (FPs), while others emphasize vulnerability detection but ignore dependencies, requiring costly full-repository scans that hinder rapid response to supply chain vulnerabilities. To address this, we explore an appropriate granularity for accurate dependency construction and vulnerability detection. We propose a community-level software composition analysis (SCA) approach that models the project’s call graph as a social network and applies community detection. Dependencies between projects and TPLs are then established through community similarity. For vulnerability detection, we perform clone-based detection within dependent communities to verify the existence of vulnerabilities, and introduce a two-stage reachability analysis to determine whether they can propagate to the target project. We implement VulSCA, the first C/C++ SCA framework that integrates both vulnerability detection and reachability analysis. Experimental results show that VulSCA outperforms CENTRIS and OSSFP in SCA with a 4–12% improvement in F1-score. In supply chain vulnerability detection, it achieves 44–48% higher F1-scores than version-based methods and 17–23% higher than code-based methods. In terms of efficiency, VulSCA incurs lower overall overhead than all code-based approaches. Furthermore, VulSCA identifies 32 previously unpatched supply chain vulnerabilities in widely used open-source projects, which have already been reported to the respective vendors.