
arxiv: 2605.00179 · v1 · submitted 2026-04-30 · 💻 cs.SE

DEPTEX: Organization-First, Open Source Dependency Risk Monitoring

Pith reviewed 2026-05-09 20:07 UTC · model grok-4.3

classification 💻 cs.SE
keywords: dependency risk monitoring · execution path dominance · code property graph · software supply chain security · open source dependencies · vulnerability blast radius · as code governance · software composition analysis

The pith

Deptex calculates a vulnerability's true operational blast radius by fusing code graph slicing with language model verification.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces Deptex as a platform that treats open-source dependency risks as emergent properties rather than fixed traits of individual components. It claims this shift reduces alert fatigue by focusing security efforts only on vulnerabilities that actually reach operational code paths in an organization's systems. The core method combines structural analysis of code relationships with semantic checks to assess real impact. A programmable governance engine then lets teams encode custom rules for compliance and policy enforcement directly into workflows. Readers would care if this approach replaces broad, context-blind scans with precise, context-aware decisions that scale to large codebases.

Core claim

Deptex introduces Execution Path Dominance (EPD) to compute a vulnerability's true operational blast radius. EPD works by applying slicing techniques to Code Property Graphs to trace reachable paths and then using large language model verification to confirm semantic relevance in the specific codebase context. This replaces the standard view of risk as an intrinsic property of a dependency with an emergent view based on actual execution dominance.
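The two phases described above, as an added worked example for this page rather than code from the paper or the Deptex project. The page does not define EPD or the Depscore formula, so the example implements only the generic shape of the pipeline: a deterministic backward slice over a call graph (the paper's Figure 3 names the atom parser for producing CPG slices; here the graph is written by hand), followed by a context check that filters the structurally reachable entry points against the advisory's precondition. The call graph, entry points, asset tiers and advisory are all constructed, the advisory id is a placeholder and not a real CVE, and the rule-based `verified` function stands in for the LLM verification stage.

```python
"""Structural reachability plus a context check over a dependency call graph.

Added illustration for this page, not Deptex's code; the page does not define
EPD or the Depscore, so only the generic two-phase shape is shown. Graph, entry
points, tiers and advisory are constructed (placeholder id, not a real CVE);
`verified` is a rule standing in for the LLM verification phase.
"""
from collections import deque

# Constructed call graph, caller -> callees. "app." is first-party code;
# "libxml.", "liblog." and "libclock." are dependencies. A CPG or call-graph
# build would produce these edges; here they are written by hand.
CALL_GRAPH = {
    "app.http.upload": ["app.svc.parse_document", "liblog.write"],
    "app.http.health": ["libclock.now"],
    "app.job.nightly_import": ["libxml.parse_file"],
    "app.svc.parse_document": ["libxml.parse_string", "libclock.now"],
    "libxml.parse_string": ["libxml._expand_entities"],
    "libxml.parse_file": ["libxml._expand_entities"],
    "libxml._expand_entities": [],
    "liblog.write": [],
    "libclock.now": [],
}

# Entry points with the one context fact this advisory turns on: whether the
# data flowing in is attacker-controlled. Asset tiers are assumed.
ENTRY_POINTS = {
    "app.http.upload": {"untrusted_input": True, "asset_tier": "critical"},
    "app.http.health": {"untrusted_input": True, "asset_tier": "low"},
    "app.job.nightly_import": {"untrusted_input": False, "asset_tier": "high"},
}

# Constructed advisory: the vulnerable function is exploitable only when it
# expands entities taken from untrusted input.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-1",
    "package": "libxml",
    "vulnerable_symbol": "libxml._expand_entities",
    "requires_untrusted_input": True,
}


def backward_slice(graph, sink):
    """Structural phase: every function from which `sink` is reachable.
    Deterministic and over-approximate: the upper bound on the blast radius."""
    callers = {}
    for caller, callees in graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    seen, queue = {sink}, deque([sink])
    while queue:
        for caller in callers.get(queue.popleft(), ()):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


def one_path(graph, source, sink):
    """A shortest call chain from `source` to `sink`, or None."""
    parent, queue = {source: None}, deque([source])
    while queue:
        node = queue.popleft()
        if node == sink:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for callee in graph.get(node, ()):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def verified(entry_facts, advisory):
    """Semantic phase stand-in: does the entry's context meet the advisory's
    precondition? A fixed rule here; an LLM or a human reviewer in practice."""
    if advisory["requires_untrusted_input"]:
        return entry_facts["untrusted_input"]
    return True


def blast_radius(graph, entries, advisory):
    """Entry points that structurally reach the vulnerable symbol, and the
    subset that also pass the context check, each with a witness path."""
    sink = advisory["vulnerable_symbol"]
    in_slice = backward_slice(graph, sink)
    structural = {entry for entry in entries if entry in in_slice}
    confirmed = {entry: one_path(graph, entry, sink)
                 for entry in structural if verified(entries[entry], advisory)}
    return {"structural": structural, "confirmed": confirmed}


if __name__ == "__main__":
    result = blast_radius(CALL_GRAPH, ENTRY_POINTS, ADVISORY)
    print(ADVISORY["id"], "reachable from:", sorted(result["structural"]))
    for entry, path in result["confirmed"].items():
        print("confirmed:", " -> ".join(path), "| tier:", ENTRY_POINTS[entry]["asset_tier"])
```

Running it lists two structurally reachable entry points but confirms only `app.http.upload`: the nightly import reaches the same vulnerable function on trusted input, which is exactly the finding the structural slice alone would have raised. Whatever replaces `verified` (an LLM or a reviewer) should be held to the same contract: it may only shrink the structural set, never add to it, so the deterministic slice stays the auditable upper bound on the blast radius.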

What carries the argument

Execution Path Dominance (EPD), which fuses Code Property Graph slicing for structural reachability with large language model semantic verification to isolate only those vulnerabilities that affect live code paths.

Load-bearing premise

The fusion of code property graph slicing and large language model semantic verification will reliably identify a vulnerability's true operational blast radius without excessive false positives or negatives in real codebases.

What would settle it

A comparison of Deptex blast-radius outputs against exhaustive manual execution-path reviews on a set of known vulnerable open-source dependencies would settle the claim: agreement on dominance across the set would support it, and disagreement in more than a handful of cases would refute it.

Figures

Figures reproduced from arXiv: 2605.00179 by Henry Ruckman-Utting, Letian Wang, Mohammad A. Tayebi, Stephen Ehebald, Taiga Okuma, Vrushal Nedungadi.

Figure 1. The hierarchical risk propagation model. Vulnerability signals (…
Figure 2. System architecture.
Figure 3. The Depscore calculation pipeline. Paper text captured alongside the caption: "B. Pillar II: Context-Aware Prioritization (Depscore). To operationalize the Contrib(s, a) function, DEPTEX introduces Execution Path Dominance (EPD), or the Depscore. The engine abandons static severity in favor of a three-phase calculation: 1) Structural Slicing: Using the atom parser, the system generates Code Property Graph (CPG) slices. This deterministic phase extr…"
Original abstract

Open-source software (OSS) dependencies introduce systemic risks that are difficult to manage at scale. Existing Software Composition Analysis (SCA) and reachability tools generate severe alert fatigue by treating risk as an intrinsic component property, ignoring semantic context and forcing enterprises into rigid compliance frameworks. We present Deptex, an organization-first, graph-based platform treating supply chain risk as emergent. Deptex introduces Execution Path Dominance (EPD), fusing Code Property Graph (CPG) slicing with Large Language Model (LLM) semantic verification to calculate a vulnerability's true operational blast radius. To handle bespoke compliance, Deptex abstracts governance into a programmable ``As Code'' engine, enabling security teams to natively enforce dynamic pull request policies, custom asset tiers, and external API integrations. By shifting from reactive scanning to context-aware governance, Deptex enables proactive, efficient, and aligned supply chain risk management.
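The abstract's programmable "As Code" governance engine, as an added example that is not Deptex code: the page says only that policies cover pull requests, asset tiers and external integrations, so the rule schema, field names, thresholds and the findings below are assumptions made for illustration. The policy is ordered data that can be committed to version control; the first matching rule decides each finding, and the strictest decision across findings becomes the pull request verdict. The `confidence` field stands for whatever score the semantic verification stage would report.

```python
"""Policy-as-code evaluation for a dependency pull request.

Added example for this page; not Deptex's engine. Rule schema, field names,
thresholds and findings are assumptions made for illustration.
"""
import json

# The policy as a team would commit it: ordered rules, first match wins.
# `when` keys are compared for equality, except `min_<field>` and
# `max_<field>`, which are numeric thresholds on <field>.
POLICY_JSON = """
[
  {"name": "unreachable-is-informational",
   "when": {"reachable": false}, "decision": "allow"},
  {"name": "block-verified-high-severity",
   "when": {"reachable": true, "verified": true, "min_cvss": 7.0},
   "decision": "block"},
  {"name": "verifier-unsure-needs-human",
   "when": {"reachable": true, "max_confidence": 0.7},
   "decision": "require_review"},
  {"name": "critical-asset-always-reviewed",
   "when": {"reachable": true, "asset_tier": "critical"},
   "decision": "require_review"},
  {"name": "default-allow", "when": {}, "decision": "allow"}
]
"""
POLICY = json.loads(POLICY_JSON)

# Strictness order used to merge per-finding decisions into one verdict.
DECISION_RANK = {"allow": 0, "require_review": 1, "block": 2}

# Constructed findings, one per (advisory, entry point), shaped like the
# output of a reachability stage plus the verifier's confidence.
FINDINGS = [
    {"advisory": "EXAMPLE-ADVISORY-1", "entry_point": "app.http.upload",
     "reachable": True, "verified": True, "confidence": 0.92,
     "cvss": 8.1, "asset_tier": "critical"},
    {"advisory": "EXAMPLE-ADVISORY-1", "entry_point": "app.job.nightly_import",
     "reachable": True, "verified": False, "confidence": 0.55,
     "cvss": 8.1, "asset_tier": "high"},
    {"advisory": "EXAMPLE-ADVISORY-2", "entry_point": "app.http.health",
     "reachable": False, "verified": False, "confidence": 0.99,
     "cvss": 9.8, "asset_tier": "low"},
    {"advisory": "EXAMPLE-ADVISORY-3", "entry_point": "app.http.upload",
     "reachable": True, "verified": False, "confidence": 0.9,
     "cvss": 5.3, "asset_tier": "critical"},
]


def matches(when, finding):
    """True when every condition in `when` holds for `finding`.
    A threshold on a field the finding lacks raises KeyError on purpose."""
    for key, expected in when.items():
        if key.startswith("min_"):
            if finding[key[4:]] < expected:
                return False
        elif key.startswith("max_"):
            if finding[key[4:]] > expected:
                return False
        elif finding.get(key) != expected:
            return False
    return True


def decide(finding, policy=POLICY):
    """Name and decision of the first rule that matches the finding."""
    for rule in policy:
        if matches(rule["when"], finding):
            return rule["name"], rule["decision"]
    raise ValueError("policy has no catch-all rule; refusing to default to allow")


def evaluate_pull_request(findings, policy=POLICY):
    """Per-finding decisions plus the strictest one as the PR verdict."""
    verdict, rows = "allow", []
    for finding in findings:
        name, decision = decide(finding, policy)
        rows.append((finding["advisory"], finding["entry_point"], name, decision))
        if DECISION_RANK[decision] > DECISION_RANK[verdict]:
            verdict = decision
    return verdict, rows


if __name__ == "__main__":
    verdict, rows = evaluate_pull_request(FINDINGS)
    for advisory, entry, rule, decision in rows:
        print(f"{advisory:20} {entry:25} {decision:15} ({rule})")
    print("pull request verdict:", verdict)
```

Two of the rules encode caveats a team would want regardless of how well the verifier performs: a low verifier confidence routes the finding to a person rather than silently allowing it, and anything reachable on a critical asset gets review even when the verifier reports it unexploitable. The catch-all rule is last and explicit, so an empty or mis-ordered policy fails loudly instead of allowing everything.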

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents Deptex as an organization-first, graph-based platform for managing risks from open-source software dependencies. It argues that existing SCA and reachability tools cause alert fatigue by treating risk as an intrinsic property rather than emergent from semantic context. The core contribution is Execution Path Dominance (EPD), which fuses Code Property Graph (CPG) slicing with LLM semantic verification to compute a vulnerability's true operational blast radius. Deptex also includes a programmable 'As Code' governance engine for enforcing dynamic policies, custom asset tiers, and external integrations, shifting to proactive, context-aware supply chain risk management.

Significance. If the EPD fusion reliably distinguishes reachable from unreachable vulnerabilities at scale, the work could reduce alert fatigue in enterprise settings and support more flexible compliance than rigid SCA frameworks. The programmable governance engine is a clear strength for handling organization-specific requirements. The open-source framing and focus on emergent risk are timely given current supply-chain security concerns. Significance remains prospective, however, because the manuscript supplies no empirical grounding for the accuracy claims.

major comments (2)
  1. [Abstract] The central claim that EPD 'calculates a vulnerability's true operational blast radius' by fusing CPG slicing with LLM semantic verification is load-bearing for the paper's contribution yet is presented solely as an architectural description. No precision, recall, false-positive rates, case studies on real codebases, or comparisons against baseline reachability tools (e.g., existing CPG or call-graph analyses) are reported anywhere in the manuscript.
  2. [EPD description; architecture and EPD sections] The assumption that LLM semantic verification will correctly interpret CPG slices without unacceptable error rates is stated without any error-bound analysis, ablation study, or discussion of LLM hallucination risks on code semantics. This directly undermines the assertion that the method yields the 'true' blast radius rather than a plausible one.
minor comments (2)
  1. [Introduction] The term 'Execution Path Dominance' is introduced in the abstract but would benefit from an explicit formal or operational definition in the first technical section to aid readers unfamiliar with the fusion approach.
  2. [System overview] Figure or diagram captions for the system architecture and governance engine should explicitly label data flows between CPG slicing, LLM verification, and the policy engine.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on the Deptex manuscript. We agree that the current version is primarily an architectural description and lacks the empirical grounding needed to substantiate the accuracy claims for Execution Path Dominance. We will revise the paper to address this. Our responses to the major comments are below.

Point-by-point responses
  1. Referee: [Abstract] The central claim that EPD 'calculates a vulnerability's true operational blast radius' by fusing CPG slicing with LLM semantic verification is load-bearing for the paper's contribution yet is presented solely as an architectural description. No precision, recall, false-positive rates, case studies on real codebases, or comparisons against baseline reachability tools (e.g., existing CPG or call-graph analyses) are reported anywhere in the manuscript.

    Authors: We acknowledge that the manuscript presents EPD as an architectural contribution without accompanying quantitative evaluation. This is a valid observation and a limitation of the initial submission. In the revised version we will add a new Evaluation section that includes preliminary case studies on real open-source codebases, precision and recall figures for reachable-vulnerability detection, and direct comparisons against standard CPG slicing and call-graph reachability baselines. We will also qualify the 'true operational blast radius' phrasing to reflect that the current results are indicative rather than definitive.
    Revision: yes

  2. Referee: [EPD description; architecture and EPD sections] The assumption that LLM semantic verification will correctly interpret CPG slices without unacceptable error rates is stated without any error-bound analysis, ablation study, or discussion of LLM hallucination risks on code semantics. This directly undermines the assertion that the method yields the 'true' blast radius rather than a plausible one.

    Authors: The referee is correct that the manuscript does not yet analyze potential LLM errors or hallucination risks. We will revise the EPD section to include an explicit Limitations subsection that discusses hallucination risks, provides qualitative examples of verification outcomes, and describes mitigation approaches such as confidence thresholding and optional human review for critical assets. A full ablation study is beyond the scope of the current revision, but we will add a forward-looking paragraph outlining planned experiments to quantify error rates.
    Revision: partial

Circularity Check

0 steps flagged

No circularity: descriptive systems proposal with no equations or derivations

full rationale

The manuscript is a high-level architectural description of the Deptex platform. It introduces Execution Path Dominance (EPD) conceptually as a fusion of CPG slicing and LLM verification but supplies no equations, no fitted parameters, no predictions that reduce to inputs, and no self-citations invoked as load-bearing premises. The central claim is a systems proposal rather than a mathematical derivation, so none of the enumerated circularity patterns apply. The derivation chain is empty by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 2 invented entities

The central claims rest on the unproven effectiveness of LLM semantic verification for determining operational context and on the utility of the newly defined EPD metric; no free parameters are used because there is no quantitative model.

axioms (1)
  • domain assumption Large Language Models can perform reliable semantic verification of code execution contexts and vulnerability reachability
    Invoked as the core mechanism for EPD calculation in the abstract description.
invented entities (2)
  • Execution Path Dominance (EPD) no independent evidence
    purpose: To quantify the true operational blast radius of a vulnerability by fusing CPG slicing with LLM verification
    Newly introduced metric whose accuracy is not demonstrated in the provided abstract.
  • Deptex platform no independent evidence
    purpose: To serve as an organization-first graph-based system for dependency risk monitoring and programmable governance
    The main proposed artifact whose benefits are asserted without supporting measurements.

pith-pipeline@v0.9.0 · 5468 in / 1394 out tokens · 76154 ms · 2026-05-09T20:07:37.532906+00:00

