Transforming vulnerability intelligence with knowledge graphs
Files: Supplementary Defense Presentation; Main dissertation
Date: 2026
Abstract
Effective vulnerability management in modern software supply chains demands accurate characterization of vulnerabilities and their root causes, and a clear understanding of how they propagate through complex dependency networks. However, databases that enrich vulnerabilities, such as the National Vulnerability Database (NVD), often contain inconsistent or incomplete metadata, such as the root cause weakness mappings of vulnerabilities. Likewise, tools commonly employed to produce Software Bills of Materials (SBOM) and perform Software Composition Analysis (SCA) provide only a partial picture of the paths to vulnerabilities in large-scale projects. This thesis addresses both challenges through two complementary contributions. In Thrust I, we introduce FixV2W, a lightweight approach that leverages longitudinal trends and knowledge graph embeddings to improve vulnerability-weakness mapping accuracy in the NVD without relying on large, semantic data such as descriptions. FixV2W systematically analyzes historical Common Vulnerabilities and Exposures (CVE) remapping patterns within the NVD and leverages hierarchical relationships in the Common Weakness Enumeration (CWE) database to predict precise CWE mappings for vulnerabilities. We focus on vulnerabilities mapped to prohibited and discouraged weakness classes, and we run an extensive experimental evaluation of FixV2W on a test data set collected over a time frame of more than three years. For each mapping, we construct a set of candidate weaknesses. We propose and compare different approaches for constructing such sets in terms of accuracy and coverage metrics. We further show that FixV2W significantly improves the performance of ML models relying on NVD data. For instance, for an embedding model geared at uncovering unknown CVE-CWE mappings, FixV2W improves the Mean Reciprocal Rank (MRR) from 0.174 to 0.608. Last, we show the practical impact of FixV2W by analyzing known exploited vulnerabilities that were mapped to invalid weakness classes. Considering the Top-10 ranked predictions, the results show that FixV2W predicts the correct CWE mappings for 69% of exploited vulnerabilities that had invalid CWEs before they were exploited.
In Thrust II, we introduce VDGraph, a holistic and queryable dependency-vulnerability graph, to provide a comprehensive view of the vulnerabilities nested within a project's dependencies. We formally analyze the properties of VDGraph, resolve dependency and vulnerability data conflicts, and demonstrate its automation and scalability across over 200 Java, Go, and JavaScript projects using CycloneDX plugins and Google's OSV-Scanner. Queries on VDGraph expose concentrated risk points, vulnerable transitive dependencies, and vulnerable components that have available fixed versions, while also supporting efficient visualization and patch planning. Unlike existing tools, VDGraph reveals actionable direct dependency updates that resolve vulnerabilities at any depth. Through path enumeration and component depth analysis, developers can strategize in ways that go beyond prioritizing vulnerabilities by severity score, and can customize queries crafted specifically for their own needs. Together, FixV2W and VDGraph advance the state of the art in vulnerability intelligence by improving the quality of vulnerability metadata and providing a framework for understanding and remediating risk across the software supply chain.
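The kind of path enumeration and depth query that the abstract attributes to VDGraph, as an added illustration (this is not the dissertation's own code or data): a small dependency graph and two vulnerability records are constructed inline with placeholder identifiers, and for each vulnerability the code lists every path from the project root, the shallowest depth, whether a fixed version exists, and the direct dependencies an update would have to go through.

```python
from collections import defaultdict

# Constructed sample input (not data from the dissertation): dependency edges as
# an SBOM would resolve them, plus scanner-style vulnerability records carrying a
# fixed version where one exists. Identifiers are placeholders, not real advisories.
DEPENDENCY_EDGES = [
    ("app", "web-framework@2.1.0"), ("app", "json-lib@1.4.2"),
    ("app", "log-lib@3.0.1"), ("web-framework@2.1.0", "http-core@1.2.0"),
    ("web-framework@2.1.0", "json-lib@1.4.2"),
    ("http-core@1.2.0", "compress-lib@0.9.3"), ("log-lib@3.0.1", "compress-lib@0.9.3"),
]
VULNERABILITIES = [
    {"id": "EXAMPLE-0001", "component": "compress-lib@0.9.3", "fixed": "0.9.4"},
    {"id": "EXAMPLE-0002", "component": "json-lib@1.4.2", "fixed": None},
]


def build_graph(edges):
    """Adjacency list: parent component -> list of child components."""
    graph = defaultdict(list)
    for parent, child in edges:
        graph[parent].append(child)
    return graph


def enumerate_paths(graph, root, target):
    """All simple paths root -> target (depth-first, cycle-safe)."""
    paths, stack = [], [(root, [root])]
    while stack:
        node, path = stack.pop()
        if node == target:
            paths.append(path)
            continue
        for child in graph.get(node, []):
            if child not in path:  # skip cycles in the dependency graph
                stack.append((child, path + [child]))
    return paths


def analyze(graph, root, vulns):
    """Per vulnerability: every path from the project root, the shallowest depth,
    the direct dependencies those paths pass through, and fix availability."""
    report = {}
    for v in vulns:
        paths = enumerate_paths(graph, root, v["component"])
        report[v["id"]] = {
            "paths": paths,
            "min_depth": min(len(p) - 1 for p in paths) if paths else None,
            "direct_deps": sorted({p[1] for p in paths if len(p) > 1}),
            "fix_available": v["fixed"] is not None,
        }
    return report


if __name__ == "__main__":
    for vid, r in analyze(build_graph(DEPENDENCY_EDGES), "app", VULNERABILITIES).items():
        print(vid, r)
```

A direct dependency that appears on every path to a vulnerable component is the actionable update point; a vulnerability with no fixed version is flagged so it can be handled by other means.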
License: Attribution-NonCommercial 4.0 International