Software supply chain attacks have grown explosively, with targeted incidents increasing by 742% between 2019 and 2022. Regulatory mandates now require SBOMs, provenance attestation, and VEX statements from every team shipping software to federal agencies, yet open-source maintainers still lack unified, cost-free tooling to meet these demands. Chainmail was built to close that gap: a single open-source workbench that brings eight supply chain security capabilities together in one place. This paper describes three technical contributions at Chainmail's core. First, a formal Multi-Dimensional Supply Chain Risk Score (SCRS) that distills five orthogonal risk dimensions into one normalized A-to-F grade, with proven monotonicity and boundedness properties. Second, a graph-theoretic License Conflict Propagation (LCP) framework that reframes FOSS license compatibility as a reachability problem on directed acyclic dependency graphs, catching transitive conflicts that flat-list scanners miss entirely. Third, an Automated VEX Generation algorithm that maps CVE records against versioned SBOM components using PURL-based version-range intersection, producing CSAF 2.0-compliant statements in under two seconds. Evaluation across the top 500 npm packages shows Chainmail finds 23% more license conflicts than existing tools and produces risk grades correlating at Spearman ρ = 0.81 with independently assessed security scores. A live implementation is available at https://chainmail.saisravancherukuri.com
Sai Sravan Cherukuri
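The transitive-conflict idea behind LCP, as an added illustration rather than Chainmail's own code: the dependency DAG is walked by reachability, so a copyleft component several hops down is flagged where a direct-dependency (flat-list) check stays silent. The package names, licences and the two-class compatibility rule below are constructed assumptions, not values from the paper.

```python
from collections import deque

# Constructed sample dependency DAG: package -> (SPDX license, direct dependencies).
# Hypothetical packages, chosen so the only conflict sits two hops below the root.
GRAPH = {
    "app":        ("MIT",          ["web-lib", "util-lib"]),
    "web-lib":    ("Apache-2.0",   ["json-lib"]),
    "util-lib":   ("BSD-3-Clause", ["crypto-lib"]),
    "json-lib":   ("MIT",          []),
    "crypto-lib": ("GPL-3.0-only", []),
}

# Deliberately simplified compatibility rule (an assumption for this example):
# a permissive-licensed consumer must not reach a strong-copyleft component.
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def incompatible(consumer_license, dep_license):
    """True when a permissive consumer reaches a strong-copyleft dependency."""
    return consumer_license in PERMISSIVE and dep_license in COPYLEFT


def flat_conflicts(graph, root):
    """What a flat-list scanner sees: only the root's direct dependencies."""
    lic = graph[root][0]
    return sorted(d for d in graph[root][1] if incompatible(lic, graph[d][0]))


def propagated_conflicts(graph, root):
    """Reachability check over the DAG: every transitive dependency whose license
    conflicts with the root's, with the dependency path that introduces it."""
    lic = graph[root][0]
    parent, queue, conflicts = {root: None}, deque([root]), {}
    while queue:                      # BFS; the DAG has no cycles to guard against
        node = queue.popleft()
        for dep in graph[node][1]:
            if dep in parent:         # already visited via another path
                continue
            parent[dep] = node
            queue.append(dep)
            if incompatible(lic, graph[dep][0]):
                path, cur = [], dep   # rebuild root -> ... -> dep for the report
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                conflicts[dep] = path[::-1]
    return conflicts


if __name__ == "__main__":
    print("flat:", flat_conflicts(GRAPH, "app"))            # []
    print("propagated:", propagated_conflicts(GRAPH, "app"))  # crypto-lib via util-lib
```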