🤖 AI Summary
Current software supply chain vulnerability assessment faces two key limitations: (1) coarse-grained, package-level analysis produces high false-positive rates and hinders ecosystem-wide propagation analysis; and (2) there is no dedicated quantitative metric for the dynamic propagation impact of vulnerabilities. To address these, the authors propose a hierarchical worklist-based algorithm that enables cross-ecosystem, call-graph-level, end-to-end propagation modeling. They further design VPSS (Vulnerability Propagation Scoring System), a dynamic scoring system that quantifies vulnerability impact along three dimensions: propagation breadth, depth, and temporal evolution. Evaluated on the Java/Maven ecosystem via static analysis and empirical validation across 100 real-world vulnerabilities, the approach significantly reduces false positives while enabling interpretable, comparable, and scalable supply-chain-level risk assessment.
📝 Abstract
Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing many false positives, or fail to accomplish whole-ecosystem vulnerability propagation analysis. Second, although vulnerability assessment indicators like CVSS characterize individual vulnerabilities, no metric exists to specifically quantify the dynamic impact of vulnerability propagation across software supply chains. To address these limitations and enable accurate and comprehensive vulnerability impact assessment, we propose a novel approach: (i) a hierarchical worklist-based algorithm for whole-ecosystem and call-graph-level vulnerability propagation analysis and (ii) the Vulnerability Propagation Scoring System (VPSS), a dynamic metric to quantify the scope and evolution of vulnerability impacts in software supply chains. We implement a prototype of our approach in the Java Maven ecosystem and evaluate it on 100 real-world vulnerabilities. Experimental results demonstrate that our approach enables effective ecosystem-wide vulnerability propagation analysis, and provides a practical, quantitative measure of vulnerability impact through VPSS.
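The abstract contrasts package-level reachability (every dependent of a vulnerable artifact is flagged) with call-graph-level propagation (only callers that actually reach the vulnerable method are flagged). The following added example, which is not code from the paper and does not implement the paper's own hierarchical algorithm or the VPSS formula, illustrates that difference on a small constructed call graph of Maven-style artifacts: a worklist (0-1 BFS) walks backwards over call edges from a vulnerable method, counting artifact-boundary crossings as depth, and the result is compared with plain package-level dependents to show which artifacts a coarse analysis would flag as false positives. The artifact names (`libx`, `libA`, `appC`, ...), the method names and the graph itself are constructed for illustration; breadth and depth here are simple counts, not the paper's scoring.

```python
from collections import deque

# Constructed call graph (not from any real library). Nodes are "artifact:method";
# an edge caller -> callee means the caller invokes the callee.
CALL_GRAPH = {
    "libx:parse": ["libx:decode"],      # reaches the vulnerable method inside libx
    "libx:decode": [],                  # assumed vulnerable method (constructed)
    "libx:version": [],                 # harmless method in the same artifact
    "libA:load": ["libx:parse"],        # libA reaches decode through parse
    "libA:render": ["libx:version"],    # depends on libx but never reaches decode
    "libB:info": ["libx:version"],      # package-level dependent, not actually affected
    "appC:main": ["libA:load"],         # transitively reaches decode (depth 2)
    "appD:main": ["libA:render"],       # depends on libA, but the path avoids decode
    "appE:main": ["libB:info"],         # depends on libB, which is itself unaffected
}


def artifact(node):
    """Return the artifact (package) part of an 'artifact:method' node."""
    return node.split(":", 1)[0]


def reverse_graph(call_graph):
    """Map each callee to the list of its callers (edges reversed)."""
    rev = {}
    for caller, callees in call_graph.items():
        rev.setdefault(caller, [])
        for callee in callees:
            rev.setdefault(callee, []).append(caller)
    return rev


def propagate(call_graph, vulnerable_method):
    """Backward worklist propagation from a vulnerable method.

    Returns {method: depth}, where depth is the minimum number of artifact
    boundaries crossed on a call path from the method to the vulnerable one.
    Intra-artifact edges cost 0 and cross-artifact edges cost 1, so the
    worklist is processed as a 0-1 BFS (deque, push front for cost 0).
    """
    rev = reverse_graph(call_graph)
    depth = {vulnerable_method: 0}
    work = deque([vulnerable_method])
    while work:
        node = work.popleft()
        for caller in rev.get(node, ()):
            cost = 0 if artifact(caller) == artifact(node) else 1
            candidate = depth[node] + cost
            if candidate < depth.get(caller, float("inf")):
                depth[caller] = candidate
                if cost == 0:
                    work.appendleft(caller)
                else:
                    work.append(caller)
    return depth


def package_level_dependents(call_graph, vulnerable_artifact):
    """Coarse analysis: every artifact that (transitively) depends on the vulnerable one."""
    rev_deps = {}
    for caller, callees in call_graph.items():
        for callee in callees:
            if artifact(caller) != artifact(callee):
                rev_deps.setdefault(artifact(callee), set()).add(artifact(caller))
    seen, work = set(), deque([vulnerable_artifact])
    while work:
        art = work.popleft()
        for dependent in rev_deps.get(art, ()):
            if dependent not in seen:
                seen.add(dependent)
                work.append(dependent)
    return seen


def assess(call_graph, vulnerable_method):
    """Compare call-graph-level propagation with package-level reachability."""
    vuln_artifact = artifact(vulnerable_method)
    method_depth = propagate(call_graph, vulnerable_method)
    # Minimum depth per affected artifact, excluding the vulnerable artifact itself.
    affected = {}
    for method, d in method_depth.items():
        art = artifact(method)
        if art != vuln_artifact:
            affected[art] = min(d, affected.get(art, float("inf")))
    coarse = package_level_dependents(call_graph, vuln_artifact)
    return {
        "affected_artifacts": affected,            # artifact -> supply-chain depth
        "breadth": len(affected),                   # number of truly affected artifacts
        "max_depth": max(affected.values(), default=0),
        "package_level_dependents": coarse,
        "false_positives": coarse - set(affected),  # flagged by coarse analysis only
    }


if __name__ == "__main__":
    result = assess(CALL_GRAPH, "libx:decode")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed graph, only `libA` (depth 1) and `appC` (depth 2) actually reach `libx:decode`, whereas package-level reachability flags five artifacts; `libB`, `appD` and `appE` are the false positives the abstract refers to. The temporal dimension of VPSS (how the affected set changes as versions are released and patched) is not modelled here.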