{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,19]],"date-time":"2025-12-19T10:08:49Z","timestamp":1766138929772,"version":"3.40.3"},"publisher-location":"Cham","reference-count":32,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783031757631"},{"type":"electronic","value":"9783031757648"}],"license":[{"start":{"date-parts":[[2024,10,17]],"date-time":"2024-10-17T00:00:00Z","timestamp":1729123200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,10,17]],"date-time":"2024-10-17T00:00:00Z","timestamp":1729123200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-75764-8_9","type":"book-chapter","created":{"date-parts":[[2024,10,22]],"date-time":"2024-10-22T11:03:12Z","timestamp":1729594992000},"page":"161-182","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Adversarial Analysis of\u00a0Software Composition Analysis Tools"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-4094-6943","authenticated-orcid":false,"given":"Ekaterina","family":"Ivanova","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1923-319X","authenticated-orcid":false,"given":"Natalia","family":"Stakhanova","sequence":"additional","affiliation":[]},{"given":"Bahman","family":"Sistany","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2024,10,17]]},"reference":[{"key":"9_CR1","doi-asserted-by":"crossref","unstructured":"Alfadel, M., Costa, D.E., Shihab, E., Adams, B.: On the discoverability of npm vulnerabilities in node.js projects. ACM Trans. Softw. Eng. Methodol. 32(4), 1\u201327 (2023)","DOI":"10.1145\/3571848"},{"key":"9_CR2","doi-asserted-by":"publisher","first-page":"153","DOI":"10.1016\/j.scico.2016.01.005","volume":"121","author":"SS Alqahtani","year":"2016","unstructured":"Alqahtani, S.S., Eghan, E.E., Rilling, J.: Tracing known security vulnerabilities in software repositories - a semantic web enabled modeling approach. Sci. Comput. Program. 121, 153\u2013175 (2016)","journal-title":"Sci. Comput. Program."},{"issue":"10","key":"9_CR3","doi-asserted-by":"publisher","first-page":"169","DOI":"10.1145\/1167515.1167488","volume":"41","author":"SM Blackburn","year":"2006","unstructured":"Blackburn, S.M., et al.: The dacapo benchmarks: java benchmarking development and analysis. SIGPLAN Not. 41(10), 169\u2013190 (2006)","journal-title":"SIGPLAN Not."},{"key":"9_CR4","doi-asserted-by":"crossref","unstructured":"Chen, Z., et al.: Exploiting library vulnerability via migration based automating test generation. In: Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering, ICSE 2024, Lisbon, Portugal, April 2024","DOI":"10.1145\/3597503.3639583"},{"issue":"9","key":"9_CR5","doi-asserted-by":"publisher","first-page":"3613","DOI":"10.1109\/TSE.2021.3101739","volume":"48","author":"A Dann","year":"2022","unstructured":"Dann, A., Plate, H., Hermann, B., Ponta, S.E., Bodden, E.: Identifying challenges for OSS vulnerability scanners - a study & test suite. IEEE Trans. Software Eng. 48(9), 3613\u20133625 (2022)","journal-title":"IEEE Trans. Software Eng."},{"key":"9_CR6","doi-asserted-by":"crossref","unstructured":"Dietrich, J., Rasheed, S., Jordan, A.: On the security blind spots of software composition analysis (2023)","DOI":"10.1145\/3689944.3696165"},{"key":"9_CR7","doi-asserted-by":"crossref","unstructured":"Duan, R., Bijlani, A., Xu, M., Kim, T., Lee, W.: Identifying open-source license violation and 1-day security risk at large scale. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 2169\u20132185. Dallas, Texas, USA, October 2017","DOI":"10.1145\/3133956.3134048"},{"key":"9_CR8","doi-asserted-by":"crossref","unstructured":"Foo, D., Chua, H., Yeo, J., Ang, M.Y., Sharma, A.: Efficient static checking of library updates. In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 791-796. ESEC\/FSE 2018, Lake Buena Vista, FL, USA, October 2018","DOI":"10.1145\/3236024.3275535"},{"key":"9_CR9","unstructured":"Foo, D., Yeo, J., Xiao, H., Sharma, A.: The dynamics of software composition analysis (2019)"},{"key":"9_CR10","doi-asserted-by":"crossref","unstructured":"Germ\u00e1n\u00a0M\u00e1rquez, A., Varela-Vaca, A.J., G\u00f3mez\u00a0L\u00f3pez, M.T., Galindo, J.A., Benavides, D.: Vulnerability impact analysis in software project dependencies based on satisfiability modulo theories (SMT). Comput. Secur. 139(C), 103669 (2024)","DOI":"10.1016\/j.cose.2023.103669"},{"key":"9_CR11","doi-asserted-by":"publisher","unstructured":"Iannone, E., Nucci, D.D., Sabetta, A., De\u00a0Lucia, A.: Toward automated exploit generation for known vulnerabilities in open-source libraries. In: 2021 IEEE\/ACM 29th International Conference on Program Comprehension (ICPC), pp. 396\u2013400. Virtual, Spain, May 2021. https:\/\/doi.org\/10.1109\/ICPC52881.2021.00046","DOI":"10.1109\/ICPC52881.2021.00046"},{"key":"9_CR12","doi-asserted-by":"crossref","unstructured":"Imtiaz, N., Thorn, S., Williams, L.: A comparative study of vulnerability reporting by software composition analysis tools. In: Proceedings of the 15th ACM \/ IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), ESEM \u201921, Virtual, Italy, October 2021","DOI":"10.1145\/3475716.3475769"},{"key":"9_CR13","doi-asserted-by":"crossref","unstructured":"Jiang, L., et al.: Binaryai: binary software composition analysis via intelligent binary source code matching. In: Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering, ICSE 2024, Lisbon, Portugal, April 2024","DOI":"10.1145\/3597503.3639100"},{"key":"9_CR14","unstructured":"JRebel: 2021 java developer productivity report. https:\/\/www.jrebel.com\/resources\/java-developer-productivity-report-2021 (2021)"},{"key":"9_CR15","doi-asserted-by":"crossref","unstructured":"Kalaiselvi, R., Ravisankar, S.: M, V., Ravindran, D.: Enhancing the container image scanning tool - grype. In: 2023 2nd International Conference on Advancements in Electrical. Electronics, Communication, Computing and Automation (ICAECA), pp. 1\u20136. Coimbatore, India (2023)","DOI":"10.1109\/ICAECA56562.2023.10200828"},{"key":"9_CR16","doi-asserted-by":"crossref","unstructured":"Kang, H.J., Nguyen, T.G., Le, B., P\u0103s\u0103reanu, C.S., Lo, D.: Test mimicry to assess the exploitability of library vulnerabilities. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 276-288. ISSTA 2022, Virtual, South Korea, July 2022","DOI":"10.1145\/3533767.3534398"},{"key":"9_CR17","doi-asserted-by":"crossref","unstructured":"Li, Q., Song, J., Tan, D., Wang, H., Liu, J.: Pdgraph: a large-scale empirical study on project dependency of security vulnerabilities. In: 2021 51st Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 161\u2013173. Virtual, Taiwan, June 2021","DOI":"10.1109\/DSN48987.2021.00031"},{"key":"9_CR18","unstructured":"Lightner, N.: Introducing synopsys AI code analysis API. https:\/\/www.synopsys.com\/blogs\/software-security\/synopsys-ai-code-analysis-service.html#3 (2023)"},{"key":"9_CR19","doi-asserted-by":"crossref","unstructured":"Mburano, B., Si, W.: Evaluation of web vulnerability scanners based on owasp benchmark. In: 2018 26th International Conference on Systems Engineering (ICSEng), pp.\u00a01\u20136. Sydney, NSW, Australia, December 2018","DOI":"10.1109\/ICSENG.2018.8638176"},{"key":"9_CR20","unstructured":"OWASP: OWASP Top 10 application security risks - 2017. https:\/\/owasp.org\/www-project-top-ten\/2017\/Top_10 (2017)"},{"key":"9_CR21","doi-asserted-by":"crossref","unstructured":"Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vulnerable open source dependencies: counting those that matter. In: Proceedings of the 12th International Symposium on Empirical Software Engineering and Measurement (ESEM) (2018)","DOI":"10.1145\/3239235.3268920"},{"key":"9_CR22","doi-asserted-by":"crossref","unstructured":"Pashchenko, I., Vu, D.L., Massacci, F.: A qualitative study of dependency management and its security implications. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, CCS 2020, pp. 1513\u20131531. Virtual, USA, November 2020","DOI":"10.1145\/3372297.3417232"},{"key":"9_CR23","unstructured":"Pereira, D., Molloy, C., Acharya, S., Ding, S.H.H.: Automating sbom generation with zero-shot semantic similarity (2024)"},{"key":"9_CR24","doi-asserted-by":"crossref","unstructured":"Plate, H., Ponta, S.E., Sabetta, A.: Impact assessment for vulnerabilities in open-source software libraries. In: 2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411\u2013420. Bremen, Germany, September 2015","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"9_CR25","doi-asserted-by":"crossref","unstructured":"Ponta, S., Plate, H., Sabetta, A.: Beyond metadata: code-centric and usage-based analysis of known vulnerabilities in open-source software. In: 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 449\u2013460. Madrid, Spain, September 2018","DOI":"10.1109\/ICSME.2018.00054"},{"issue":"5","key":"9_CR26","doi-asserted-by":"publisher","first-page":"3175","DOI":"10.1007\/s10664-020-09830-x","volume":"25","author":"SE Ponta","year":"2020","unstructured":"Ponta, S.E., Plate, H., Sabetta, A.: Detection, assessment and mitigation of vulnerabilities in open source dependencies. Empirical Softw. Engg. 25(5), 3175\u20133215 (2020)","journal-title":"Empirical Softw. Engg."},{"key":"9_CR27","doi-asserted-by":"crossref","unstructured":"Sabetta, A., Bezzi, M.: A practical approach to the automatic classification of security-relevant commits. In: 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 579\u2013582. Los Alamitos, CA, USA, September 2018","DOI":"10.1109\/ICSME.2018.00058"},{"key":"9_CR28","unstructured":"SourceClear: Evaluation framework for dependency analysis. https:\/\/github.com\/srcclr\/efda (2020)"},{"key":"9_CR29","doi-asserted-by":"crossref","unstructured":"Tran, N.K., Pallewatta, S., Babar, M.A.: Toward a reference architecture for software supply chain metadata management (2023)","DOI":"10.1145\/3661167.3661212"},{"key":"9_CR30","doi-asserted-by":"crossref","unstructured":"Wagner, A., Sametinger, J.: Using the juliet test suite to compare static security scanners. In: Proceedings of the 11th International Joint Conference on E-Business and Telecommunications - Volume 4, p. 244-252. ICETE 2014, Vienna, Austria, August 2014","DOI":"10.5220\/0005032902440252"},{"key":"9_CR31","doi-asserted-by":"crossref","unstructured":"Wu, Y., Yu, Z., Wen, M., Li, Q., Zou, D., Jin, H.: Understanding the threats of upstream vulnerabilities to downstream projects in the Maven ecosystem. In: Proceedings of the 45th International Conference on Software Engineering, ICSE 2023, pp. 1046-1058. Melbourne, Victoria, Australia (2023)","DOI":"10.1109\/ICSE48619.2023.00095"},{"key":"9_CR32","doi-asserted-by":"crossref","unstructured":"Zhao, L., et al.: Software composition analysis for vulnerability detection: An empirical study on java projects. In: Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE 2023), pp. 960\u2013972. San Francisco, CA, USA, December 2023","DOI":"10.1145\/3611643.3616299"}],"container-title":["Lecture Notes in Computer Science","Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-75764-8_9","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,11,30]],"date-time":"2024-11-30T01:14:28Z","timestamp":1732929268000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-75764-8_9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,10,17]]},"ISBN":["9783031757631","9783031757648"],"references-count":32,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-75764-8_9","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2024,10,17]]},"assertion":[{"value":"17 October 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ISC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Information Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Arlington, VA","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"USA","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2024","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"24 October 2024","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 October 2024","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"27","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"isw2024","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/isc24.cs.gmu.edu\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}