Security Vulnerabilities in Software Supply Chain for Autonomous Vehicles

Source:arXiv
July 17, 2026
5 mins
Citations

Research Excerpt

Authors: MD WASIUL HAQUE, MD ERFAN, SAGAR DASGUPTA, MD RAYHANUR RAHMAN, MIZANUR RAHMAN | Year: 2025 | arXiv

  • The Crux (TL;DR): This paper demonstrates that open-source autonomous vehicle (AV) software stacks (Apollo, Autoware, and openpilot) contain significant, recurring security vulnerabilities in both their source code and third-party dependencies. It argues that early and systematic implementation of supply chain security practices is essential to prevent these software flaws from causing real-world safety hazards.

  • Primary Contribution: An empirical, comparative study utilizing static analysis and Software Bill of Materials (SBOM) tools to systematically identify and categorize Common Weakness Enumerations (CWEs) and third-party dependency vulnerabilities across three major open-source AV platforms.

Core Focus Tags: #AutonomousVehicles | #SoftwareSupplyChain | #VulnerabilityManagement | #Cybersecurity | #StaticAnalysis

1. Core Areas Covered

  • Scope & Boundaries: The research explicitly focuses on the software supply chain of three specific open-source AV platforms (Autoware, Apollo, and openpilot). It utilizes static analysis tools (e.g., Flawfinder, Bandit, Semgrep) and SBOM tools (e.g., Microsoft sbom-tool, Grype). It does not cover dynamic/runtime vulnerability analysis, proprietary closed-source AV stacks, or hardware-level security.

2. The Problem

  • Core Issue: AVs are increasingly "Software Defined Vehicles" (SDVs) that rely heavily on complex, interconnected open-source software supply chains. These components often lack rigorous, early-stage security best practices, leading to pervasive vulnerabilities such as buffer overflows, command injections, and insecure third-party dependencies.

  • Real-World Impact: Because AVs are cyber-physical systems, software defects or compromised dependencies can cascade into safety-critical failures (e.g., misclassification of obstacles, loss of synchronization between perception and control), directly threatening passenger safety and public trust.

3. The Proposed Solution & Recommendations

  • Approach: The authors proposed and demonstrated a multi-layered vulnerability analysis workflow that includes:

    • Code Vulnerability Identification: Using static analyzers to detect CWEs in C/C++ and Python codebases.

    • Third-Party Library Analysis: Utilizing SBOM generation and scanning to detect vulnerable external dependencies.

  • Recommendations:

    • Embed secure development practices early in the software development lifecycle (SDLC).

    • Implement regular, automated SBOM scanning and continuous monitoring of dependencies.

    • Prioritize remediation based on both technical severity (e.g., CVSS/CWE) and system-level safety impact.

    • Adopt hardened build pipelines and provenance tracking.

4. Core Areas Covered (Technical/Regulatory/Architectural)

  • Technical Domains: Software Supply Chain Security, Static Code Analysis, Vulnerability Enumeration (CWE), and Dependency Management.

  • Regulatory/Standard Domains: ISO/SAE 21434 (Road vehicles – Cybersecurity engineering), UN R155 (Cybersecurity Management System), and NIST Secure Software Development Framework (SSDF).

  • Architectural Domains: AV Software-Defined Vehicle (SDV) stacks, specifically Middleware (ROS/ROS 2, Cyber RT), Perception, Planning, and Control modules.

5. Key Areas of the Literature Review

  • Existing Research: The authors build upon established studies regarding supply chain attacks in open-source software (e.g., [Ladisa et al. 2023]) and the general security challenges of cyber-physical systems.

  • Frameworks: The review highlights standard cybersecurity risk assessment methods such as STRIDE, PASTA, and LINDDUN, as well as automotive-specific standards like ISO/SAE 21434 and the NIST SSDF for software assurance.

6. Practical Utility

  • Industry Relevance: Highly relevant for cybersecurity teams, automotive OEMs, AV software developers, and regulators.

  • Implementation Readiness: The workflow is prototype-tested via the case study on three major open-source platforms and provides actionable scripts for replication.

  • Methodology: The findings are empirical, based on systematic scans and vulnerability analysis of actual open-source repositories.

Get Research Briefings Weekly

Join 5,000+ practitioners who read Cyfiz research summaries every Monday.

Subscribe to Briefings