{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,19]],"date-time":"2026-03-19T12:10:13Z","timestamp":1773922213947,"version":"3.50.1"},"publisher-location":"Cham","reference-count":27,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783030228873","type":"print"},{"value":"9783030228880","type":"electronic"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-22888-0_13","type":"book-chapter","created":{"date-parts":[[2019,6,18]],"date-time":"2019-06-18T02:22:10Z","timestamp":1560824530000},"page":"187-203","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["A Double-Edged Sword? Software Reuse and Potential Security Vulnerabilities"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-7628-1780","authenticated-orcid":false,"given":"Antonios","family":"Gkortzis","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9371-232X","authenticated-orcid":false,"given":"Daniel","family":"Feitosa","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4231-1897","authenticated-orcid":false,"given":"Diomidis","family":"Spinellis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2019,6,19]]},"reference":[{"key":"13_CR1","unstructured":"April 2014 Web Server Survey\u2014Netcraft. 
\n                      https:\/\/news.netcraft.com\/archives\/2014\/04\/02\/april-2014-web-server-survey.html"},{"key":"13_CR2","unstructured":"Cybersecurity Incident & Important Consumer Information\u2014Equifax. \n                      https:\/\/www.equifaxsecurity2017.com\/"},{"key":"13_CR3","doi-asserted-by":"publisher","unstructured":"Ayewah, N., Pugh, W.: The Google FindBugs fixit. In: Proceedings of 19th International Symposium on Software Testing and Analysis (ISSTA 2010), pp. 241\u2013252. ACM, Trento (2010). \n                      https:\/\/doi.org\/10.1145\/1831708.1831738","DOI":"10.1145\/1831708.1831738"},{"key":"13_CR4","doi-asserted-by":"publisher","unstructured":"Ayewah, N., Pugh, W., Morgenthaler, J.D., Penix, J., Zhou, Y.: Evaluating static analysis defect warnings on production software. In: Proceedings of 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE 2007), pp. 1\u20138. ACM Press, San Diego (2007). \n                      https:\/\/doi.org\/10.1145\/1251535.1251536","DOI":"10.1145\/1251535.1251536"},{"key":"13_CR5","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.infsof.2018.07.014","volume":"105","author":"Daniel Feitosa","year":"2019","unstructured":"Feitosa, D., Ampatzoglou, A., Avgeriou, P., Chatzigeorgiou, A., Nakagawa, E.: What can violations of good practices tell about the relationship between GoF patterns and run-time quality attributes? Inf. Softw. Technol. (2018). \n                      https:\/\/doi.org\/10.1016\/j.infsof.2018.07.014","journal-title":"Information and Software Technology"},{"key":"13_CR6","doi-asserted-by":"publisher","unstructured":"Feitosa, D., Ampatzoglou, A., Avgeriou, P., Nakagawa, E.Y.: Investigating quality trade-offs in open source critical embedded systems. In: Proceedings of 11th International ACM SIGSOFT Conference on the Quality of Software Architectures (QoSA 2015), pp. 113\u2013122. ACM, Montreal (2015). 
\n                      https:\/\/doi.org\/10.1145\/2737182.2737190","DOI":"10.1145\/2737182.2737190"},{"key":"13_CR7","volume-title":"Discovering Statistics Using IBM SPSS Statistics","author":"A Field","year":"2013","unstructured":"Field, A.: Discovering Statistics Using IBM SPSS Statistics, 4th edn. SAGE Publications Ltd., Thousand Oaks (2013)","edition":"4"},{"key":"13_CR8","doi-asserted-by":"publisher","unstructured":"Gousios, G., Spinellis, D.: GHTorrent: GitHub\u2019s data from a firehose. In: Proceedings of 9th IEEE Working Conference on Mining Software Repositories (MSR 2012), pp. 12\u201321. IEEE, June 2012. \n                      https:\/\/doi.org\/10.1109\/MSR.2012.6224294","DOI":"10.1109\/MSR.2012.6224294"},{"key":"13_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"207","DOI":"10.1007\/978-3-642-21347-2_16","volume-title":"Top Productivity through Software Reuse","author":"L Heinemann","year":"2011","unstructured":"Heinemann, L., Deissenboeck, F., Gleirscher, M., Hummel, B., Irlbeck, M.: On the extent and nature of software reuse in open source Java projects. In: Schmid, K. (ed.) ICSR 2011. LNCS, vol. 6727, pp. 207\u2013222. Springer, Heidelberg (2011). \n                      https:\/\/doi.org\/10.1007\/978-3-642-21347-2_16"},{"issue":"12","key":"13_CR10","doi-asserted-by":"publisher","first-page":"92","DOI":"10.1145\/1052883.1052895","volume":"39","author":"D Hovemeyer","year":"2004","unstructured":"Hovemeyer, D., Pugh, W.: Finding bugs is easy. ACM SIGPLAN Not. 39(12), 92\u2013106 (2004). \n                      https:\/\/doi.org\/10.1145\/1052883.1052895","journal-title":"ACM SIGPLAN Not."},{"issue":"4","key":"13_CR11","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1109\/MS.2015.29","volume":"33","author":"H Khalid","year":"2016","unstructured":"Khalid, H., Nagappan, M., Hassan, A.E.: Examining the relationship between FindBugs warnings and app ratings. IEEE Softw. 
33(4), 34\u201339 (2016). \n                      https:\/\/doi.org\/10.1109\/MS.2015.29","journal-title":"IEEE Softw."},{"issue":"1","key":"13_CR12","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula, R.G., German, D.M., Ouni, A., Ishio, T., Inoue, K.: Do developers update their library dependencies? Empirical Softw. Eng. 23(1), 384\u2013417 (2018). \n                      https:\/\/doi.org\/10.1007\/s10664-017-9521-5","journal-title":"Empirical Softw. Eng."},{"key":"13_CR13","doi-asserted-by":"publisher","unstructured":"Kulenovic, M., Donko, D.: A survey of static code analysis methods for security vulnerabilities detection. In: Proceedings of 37th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO 2014), pp. 1381\u20131386, May 2014. \n                      https:\/\/doi.org\/10.1109\/MIPRO.2014.6859783","DOI":"10.1109\/MIPRO.2014.6859783"},{"key":"13_CR14","doi-asserted-by":"publisher","unstructured":"Meneely, A., Williams, L.: Secure open source collaboration: an empirical study of Linus\u2019 law. In: Proceedings of 16th ACM Conference on Computer and Communications Security, CCS 2009, pp. 453\u2013462. ACM (2009). \n                      https:\/\/doi.org\/10.1145\/1653662.1653717","DOI":"10.1145\/1653662.1653717"},{"key":"13_CR15","doi-asserted-by":"publisher","unstructured":"Mitropoulos, D., Karakoidas, V., Louridas, P., Gousios, G., Spinellis, D.: The bug catalog of the Maven ecosystem. In: Proceedings of 11th Working Conference on Mining Software Repositories (MSR 2014), pp. 372\u2013375. ACM, Hyderabad (2014). \n                      https:\/\/doi.org\/10.1145\/2597073.2597123","DOI":"10.1145\/2597073.2597123"},{"key":"13_CR16","unstructured":"Mohagheghi, P., Conradi, R., Killi, O.M., Schwarz, H.: An empirical study of software reuse vs. defect-density and stability. 
In: Proceedings of 26th International Conference on Software Engineering (ICSE 2004), pp. 282\u2013292. IEEE Computer Society, Washington, DC (2004). \n                      http:\/\/dl.acm.org\/citation.cfm?id=998675.999433"},{"issue":"6","key":"13_CR17","doi-asserted-by":"publisher","first-page":"3219","DOI":"10.1007\/s10664-017-9512-6","volume":"22","author":"N Munaiah","year":"2017","unstructured":"Munaiah, N., Kroh, S., Cabrey, C., Nagappan, M.: Curating GitHub for engineered software projects. Empirical Softw. Eng. 22(6), 3219\u20133253 (2017). \n                      https:\/\/doi.org\/10.1007\/s10664-017-9512-6","journal-title":"Empirical Softw. Eng."},{"key":"13_CR18","unstructured":"Neuhaus, S., Zimmermann, T.: The beauty and the beast: vulnerabilities in red hat\u2019s packages. In: Proceedings of 2009 USENIX Annual Technical Conference (USENIX 2009) (2009)"},{"key":"13_CR19","doi-asserted-by":"publisher","unstructured":"Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vulnerable open source dependencies: counting those that matter. In: Proceedings of 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM 2018), pp. 42:1\u201342:10. ACM, Oulu (2018). \n                      https:\/\/doi.org\/10.1145\/3239235.3268920","DOI":"10.1145\/3239235.3268920"},{"key":"13_CR20","doi-asserted-by":"publisher","unstructured":"Pham, N.H., Nguyen, T.T., Nguyen, H.A., Wang, X., Nguyen, A.T., Nguyen, T.N.: Detecting recurring and similar software vulnerabilities. In: Proceedings of 32nd ACM\/IEEE International Conference on Software Engineering (ICSE 2010), pp. 227\u2013230. ACM, Cape Town (2010). \n                      https:\/\/doi.org\/10.1145\/1810295.1810336","DOI":"10.1145\/1810295.1810336"},{"key":"13_CR21","doi-asserted-by":"publisher","unstructured":"Ponta, S.E., Plate, H., Sabetta, A.: Beyond metadata: code-centric and usage-based analysis of known vulnerabilities in open-source software. 
In: Proceedings of 34th IEEE International Conference on Software Maintenance and Evolution (ICSME 2018), September 2018. \n                      https:\/\/doi.org\/10.1109\/ICSME.2018.00054","DOI":"10.1109\/ICSME.2018.00054"},{"key":"13_CR22","doi-asserted-by":"publisher","DOI":"10.1002\/9781118181034","volume-title":"Case Study Research in Software Engineering: Guidelines and Examples","author":"P Runeson","year":"2012","unstructured":"Runeson, P., Host, M., Rainer, A., Regnell, B.: Case Study Research in Software Engineering: Guidelines and Examples. Wiley, Hoboken (2012)"},{"issue":"6","key":"13_CR23","doi-asserted-by":"publisher","first-page":"772","DOI":"10.1109\/TSE.2010.81","volume":"37","author":"Yonghee Shin","year":"2011","unstructured":"Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities, 37(6), 772\u2013787. \n                      https:\/\/doi.org\/10.1109\/TSE.2010.81","journal-title":"IEEE Transactions on Software Engineering"},{"key":"13_CR24","doi-asserted-by":"publisher","unstructured":"van Solingen, R., Basili, V., Caldiera, G., Rombach, H.D.: Goal question metric (GQM) approach. In: Encyclopedia of Software Engineering, pp. 528\u2013532. Wiley, Hoboken (2002). \n                      https:\/\/doi.org\/10.1002\/0471028959.sof142","DOI":"10.1002\/0471028959.sof142"},{"key":"13_CR25","doi-asserted-by":"publisher","unstructured":"Tomassi, D.A.: Bugs in the wild: examining the effectiveness of static analyzers at finding real-world bugs. In: Proceedings of 2018 26th ACM Joint Meeting on European Software Engineering Conference on and Symposium on the Foundations of Software Engineering (ESEC\/FSE 2018), pp. 980\u2013982. ACM, Lake Buena Vista (2018). 
\n                      https:\/\/doi.org\/10.1145\/3236024.3275439","DOI":"10.1145\/3236024.3275439"},{"key":"13_CR26","doi-asserted-by":"publisher","unstructured":"Tripathi, A.K., Gupta, A.: A controlled experiment to evaluate the effectiveness and the efficiency of four static program analysis tools for Java programs. In: Proceedings of 18th International Conference on Evaluation and Assessment in Software Engineering (EASE 2014), pp. 23:1\u201323:4. ACM, London (2014). \n                      https:\/\/doi.org\/10.1145\/2601248.2601288","DOI":"10.1145\/2601248.2601288"},{"issue":"4","key":"13_CR27","doi-asserted-by":"publisher","first-page":"240","DOI":"10.1109\/TSE.2006.38","volume":"32","author":"J Zheng","year":"2006","unstructured":"Zheng, J., Williams, L., Nagappan, N., Snipes, W., Hudepohl, J.P., on Vouk, M.A.S.E.I.T.: On the value of static analysis for fault detection in software. IEEE Trans. Softw. Eng. 32(4), 240\u2013253 (2006). \n                      https:\/\/doi.org\/10.1109\/TSE.2006.38","journal-title":"IEEE Trans. Softw. 
Eng."}],"container-title":["Lecture Notes in Computer Science","Reuse in the Big Data Era"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-22888-0_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,18]],"date-time":"2019-06-18T02:27:11Z","timestamp":1560824831000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-22888-0_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030228873","9783030228880"],"references-count":27,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-22888-0_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"19 June 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ICSR","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Software and Systems Reuse","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Cincinnati, OH","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 June 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"28 June 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"icsr2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.uc.edu\/eventservices\/ICSR2019.html","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Single-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"EasyChair","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"32","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"13","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"2","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"41% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review 
Information"}},{"value":"3","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"2","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}},{"value":"No","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information"}}]}}