This study addresses the limitation of existing SBOM-based security analysis methods, which typically treat vulnerabilities as isolated CVEs and fail to model attack chains formed by cascading vulnerabilities across the software supply chain. To overcome this, the authors propose a novel paradigm that integrates CycloneDX SBOMs with vulnerability data into a heterogeneous evidence graph, where nodes represent software components and CVEs, and edges encode dependency and vulnerability relationships—augmented for the first time with explicit dependency constraints. Leveraging this graph, they employ a Heterogeneous Graph Attention Network (HGAT) to predict component–vulnerability associations and a lightweight MLP to infer cascading links between CVEs. Evaluated on 200 real-world SBOMs, the approach achieves 91.03% accuracy (F1: 74.02%) in component classification and attains a ROC-AUC of 0.93 on 35 known attack chains.

Software supply chain security compromises often stem from cascaded interactions of vulnerabilities, for example, between multiple vulnerable components. Yet, Software Bill of Materials (SBOM)-based pipelines for security analysis typically treat scanner findings as independent per-CVE (Common Vulnerabilities and Exposures) records. We propose a new research direction based on learning multi-vulnerability attack chains through a novel SBOM-driven graph-learning approach. This treats SBOM structure and scanner outputs as a dependency-constrained evidence graph rather than a flat list of vulnerabilities. We represent vulnerability-enriched CycloneDX SBOMs as heterogeneous graphs whose nodes capture software components and known vulnerabilities (i.e, CVEs), connected by typed relations, such as dependency and vulnerability links. We train a Heterogeneous Graph Attention Network (HGAT) to predict whether a component is associated with at least one known vulnerability as a feasibility check for learning over this structure. Additionally, we frame the discovery of cascading vulnerabilities as CVE-pair link prediction using a lightweight Multi-Layer Perceptron (MLP) neural network trained on documented multi-vulnerability chains. Validated on 200 real-world SBOMs from the Wild SBOMs public dataset, the HGAT component classifier achieves 91.03% Accuracy and 74.02% F1-score, while the cascade predictor model (MLP) achieves a Receiver Operating Characteristic - Area Under Curve (ROC-AUC) of 0.93 on a seed set of 35 documented attack chains.