{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:08:58Z","timestamp":1779098938628,"version":"3.51.4"},"publisher-location":"Cham","reference-count":50,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783031957635","type":"print"},{"value":"9783031957642","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"DOI":"10.1007\/978-3-031-95764-2_19","type":"book-chapter","created":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T06:45:26Z","timestamp":1750315526000},"page":"487-509","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["The Impact of\u00a0SBOM Generators on\u00a0Vulnerability Assessment in\u00a0Python: A Comparison and\u00a0a\u00a0Novel 
Approach"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-2609-6787","authenticated-orcid":false,"given":"Giacomo","family":"Benedetti","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6539-9931","authenticated-orcid":false,"given":"Serena","family":"Cofano","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6138-2995","authenticated-orcid":false,"given":"Alessandro","family":"Brighente","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3612-1934","authenticated-orcid":false,"given":"Mauro","family":"Conti","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2025,6,20]]},"reference":[{"key":"19_CR1","unstructured":"bomber: Scans software bill of materials (SBOMs) for security vulnerabilities"},{"key":"19_CR2","unstructured":"False negative. https:\/\/www.contrastsecurity.com\/glossary\/false-negative. Accessed 5 Sep 2024"},{"key":"19_CR3","unstructured":"Grype. https:\/\/www.cisa.gov\/resources-tools\/services\/grype. Accessed 5 Sep 2024"},{"key":"19_CR4","unstructured":"Intrusion detection. https:\/\/owasp.org\/www-community\/controls\/Intrusion_Detection. Accessed 5 Sep 2024"},{"key":"19_CR5","unstructured":"jqlang\/jq: Command-line JSON processor. https:\/\/github.com\/jqlang\/jq. Accessed 5 Sep 2024"},{"key":"19_CR6","unstructured":"kubeClarity: KubeClarity is a tool for detection and management of software bill of materials (SBOM) and vulnerabilities of container images and filesystems"},{"key":"19_CR7","unstructured":"resolvelib. https:\/\/pypi.org\/project\/resolvelib\/. 
Accessed 5 Sep 2024"},{"key":"19_CR8","unstructured":"sast-scan: Scan is a free & open source DevSecOps tool for performing static analysis based security testing of your applications and its dependencies. CI and git friendly"},{"key":"19_CR9","unstructured":"SBOM-scorecard: Generate a score for your SBOM to understand if it will actually be useful"},{"key":"19_CR10","unstructured":"Secure software supply chain center. https:\/\/s3c2.org\/"},{"key":"19_CR11","unstructured":"Versioning - python packaging user guide. https:\/\/packaging.python.org\/en\/latest\/discussions\/versioning\/. Accessed 3 Sep 2024"},{"key":"19_CR12","unstructured":"Why chainguard uses grype as its first line of defense for CVEs. https:\/\/www.chainguard.dev\/unchained\/why-chainguard-uses-grype-as-its-first-line-of-defense-for-cves. Accessed 5 Sep 2024"},{"key":"19_CR13","unstructured":"Using grype to scan container images for vulnerabilities. https:\/\/edu.chainguard.dev\/chainguard\/chainguard-images\/working-with-images\/scanners\/grype-tutorial\/ (Jan 1). Accessed 5 Sep 2024"},{"key":"19_CR14","unstructured":"False positives and false negatives in information security. https:\/\/www.guardrails.io\/blog\/false-positives-and-false-negatives-in-information-security\/ (2022). Accessed 5 Sep 2024"},{"key":"19_CR15","doi-asserted-by":"publisher","unstructured":"Macaron: A Logic-based Framework for Software Supply Chain Security Assurance. In: Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, pp. 29\u201337. ACM, Copenhagen Denmark (2023). https:\/\/doi.org\/10.1145\/3605770.3625213","DOI":"10.1145\/3605770.3625213"},{"key":"19_CR16","unstructured":"Dependency Graph SBoM export for older repository versions? (2024). https:\/\/github.com\/orgs\/community\/discussions\/118612"},{"key":"19_CR17","unstructured":"Agency, C..I.S.: SBOM FAQ (2024). 
https:\/\/www.cisa.gov\/resources-tools\/resources\/sbom-faq"},{"key":"19_CR18","unstructured":"Anchore: Grype. https:\/\/github.com\/anchore\/grype\/"},{"key":"19_CR19","doi-asserted-by":"crossref","unstructured":"Balliu, M., et al.: Challenges of producing software bill of materials for java. IEEE Security & Privacy (2023)","DOI":"10.1109\/MSEC.2023.3302956"},{"issue":"6","key":"19_CR20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3654442","volume":"33","author":"T Bi","year":"2024","unstructured":"Bi, T., Xia, B., Xing, Z., Lu, Q., Zhu, L.: On the way to SBOMs: investigating design issues and solutions in practice. ACM Trans. Softw. Eng. Methodol. 33(6), 1\u201325 (2024)","journal-title":"ACM Trans. Softw. Eng. Methodol."},{"key":"19_CR21","unstructured":"Cass, S.: The Top Programming Languages 2024 (2024). https:\/\/spectrum.ieee.org\/ibm-quantum-computer-2668978269"},{"key":"19_CR22","unstructured":"Cofano, S., Benedetti, G., Dell\u2019Amico, M.: SBOM Generation Tools in the Python Ecosystem: an In-Detail Analysis (2024). https:\/\/arxiv.org\/abs\/2409.01214"},{"key":"19_CR23","unstructured":"Deepbits: Evaluating and Benchmarking SBOM Generators: A Systematic Approach (2023). https:\/\/www.deepbits.com\/whitepaper\/1"},{"key":"19_CR24","unstructured":"pip developers: More on Dependency Resolution (2024). https:\/\/pip.pypa.io\/en\/stable\/topics\/more-dependency-resolution\/"},{"key":"19_CR25","doi-asserted-by":"crossref","unstructured":"Dietrich, J., Rasheed, S., Jordan, A., White, T.: On the security blind spots of software composition analysis (2023)","DOI":"10.1145\/3689944.3696165"},{"issue":"2","key":"19_CR26","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1109\/MSEC.2022.3142338","volume":"20","author":"W Enck","year":"2022","unstructured":"Enck, W., Williams, L.: Top five challenges in software supply chain security: observations from 30 industry and government organizations. IEEE Secur. Priv. 
20(2), 96\u2013100 (2022)","journal-title":"IEEE Secur. Priv."},{"key":"19_CR27","doi-asserted-by":"crossref","unstructured":"Guo, W., Xu, Z., Liu, C., Huang, C., Fang, Y., Liu, Y.: An empirical study of malicious code in PyPI ecosystem. In: 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE), pp. 166\u2013177. IEEE (2023)","DOI":"10.1109\/ASE56229.2023.00135"},{"key":"19_CR28","doi-asserted-by":"crossref","unstructured":"Halbritter, A., Merli, D.: Accuracy evaluation of SBOM tools for web applications and system-level software. In: Proceedings of the 19th International Conference on Availability, Reliability and Security. ACM, New York, NY, USA (2024)","DOI":"10.1145\/3664476.3670926"},{"key":"19_CR29","unstructured":"Hashemi, M.: Calendar versioning \u2013 CalVer. https:\/\/calver.org\/. Accessed 3 Sep 2024"},{"key":"19_CR30","doi-asserted-by":"publisher","unstructured":"Hejderup, J., Beller, M., Triantafyllou, K., Gousios, G.: Pr\u00e4zi: from package-based to call-based dependency networks. Empirical Softw. Eng. 27 (2022). https:\/\/doi.org\/10.1007\/s10664-021-10071-9","DOI":"10.1007\/s10664-021-10071-9"},{"key":"19_CR31","unstructured":"JR., J.R.B.: Executive Order on Improving the Nation\u2019s Cybersecurity (2021). https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"19_CR32","doi-asserted-by":"crossref","unstructured":"Ladisa, P., Plate, H., Martinez, M., Barais, O.: Sok: taxonomy of attacks on open-source software supply chains. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 1509\u20131526. IEEE (2023)","DOI":"10.1109\/SP46215.2023.10179304"},{"key":"19_CR33","doi-asserted-by":"crossref","unstructured":"Merrill, K., Newman, Z., Torres-Arias, S., Sollins, K.R.: Speranza: usable, privacy-friendly software signing. In: Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 
3388\u20133402 (2023)","DOI":"10.1145\/3576915.3623200"},{"key":"19_CR34","unstructured":"Network, E., Agency, I.S.: Enisa threat landscape 2021 (2021). https:\/\/www.enisa.europa.eu\/publications\/enisa-threat-landscape-2021"},{"key":"19_CR35","unstructured":"NTIA: The minimum elements for a software bill of materials (SBOM)"},{"key":"19_CR36","unstructured":"Ozkan, S.: NVD leaves thousands of vulnerabilities without analysis data (2024). https:\/\/securityscorecard.com\/blog\/national-vulnerability-database-nvd-leaves-thousands-of-vulnerabilities-without-analysis-data\/"},{"issue":"2","key":"19_CR37","doi-asserted-by":"publisher","first-page":"7","DOI":"10.1109\/MSEC.2021.3051235","volume":"19","author":"S Peisert","year":"2021","unstructured":"Peisert, S., et al.: Perspectives on the solarwinds incident. IEEE Secur. Priv. 19(2), 7\u201313 (2021)","journal-title":"IEEE Secur. Priv."},{"key":"19_CR38","doi-asserted-by":"publisher","unstructured":"Plate, H., Ponta, S.E., Sabetta, A.: Impact assessment for vulnerabilities in open-source software libraries. In: 2015 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411\u2013420 (2015). https:\/\/doi.org\/10.1109\/ICSM.2015.7332492","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"19_CR39","doi-asserted-by":"publisher","unstructured":"Ponta, S.E., Plate, H., Sabetta, A.: Beyond metadata: code-centric and usage-based analysis of known vulnerabilities in open-source software. In: 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 449\u2013460 (2018). https:\/\/doi.org\/10.1109\/ICSME.2018.00054","DOI":"10.1109\/ICSME.2018.00054"},{"key":"19_CR40","doi-asserted-by":"publisher","unstructured":"Ponta, S.E., Plate, H., Sabetta, A.: Detection, assessment and mitigation of vulnerabilities in open source dependencies. Empirical Softw. Eng. 25, 3175\u20133215 (2020). 
https:\/\/doi.org\/10.1007\/s10664-020-09830-x","DOI":"10.1007\/s10664-020-09830-x"},{"key":"19_CR41","unstructured":"Preston-Werner, T.: Semantic versioning 2.0.0. https:\/\/semver.org\/. Accessed 3 Sep 2024"},{"key":"19_CR42","doi-asserted-by":"crossref","unstructured":"Rabbi, M.F., Champa, A.I., Nachuma, C., Zibran, M.F.: SBOM generation tools under microscope: a focus on the NPM ecosystem. In: Proceedings of the 39th ACM\/SIGAPP Symposium on Applied Computing, pp. 1233\u20131241 (2024)","DOI":"10.1145\/3605098.3635927"},{"key":"19_CR43","unstructured":"Sharma, A., Wittlinger, M., Baudry, B., Monperrus, M.: Sbom.exe: Countering dynamic code injection based on software bill of materials in java (2024). https:\/\/arxiv.org\/abs\/2407.00246"},{"key":"19_CR44","unstructured":"Steindler, Z.: How to Make Programming Language Package Repositories More Secure (2024). https:\/\/openssf.org\/blog\/2024\/07\/31\/how-to-make-programming-language-package-repositories-more-secure\/"},{"key":"19_CR45","unstructured":"Synopsys: 2023 OSSRA report. https:\/\/www.synopsys.com\/content\/dam\/synopsys\/sig-assets\/reports\/rep-ossra-2023.pdf"},{"issue":"6","key":"19_CR46","doi-asserted-by":"publisher","first-page":"50","DOI":"10.1109\/MSEC.2023.3315887","volume":"21","author":"S Torres-Arias","year":"2023","unstructured":"Torres-Arias, S., Geer, D., Meyers, J.S.: A viewpoint on knowing software: bill of materials quality when you see it. IEEE Secur. Priv. 21(6), 50\u201354 (2023)","journal-title":"IEEE Secur. Priv."},{"key":"19_CR47","unstructured":"Wallen, J.: Scan container images for vulnerabilities with grype. https:\/\/thenewstack.io\/scan-container-images-for-vulnerabilities-with-grype\/ (2022). Accessed 5 Sep 2024"},{"key":"19_CR48","doi-asserted-by":"crossref","unstructured":"Wermke, D., et al.: \u201calways contribute back\u201d: a qualitative study on security challenges of the open source supply chain. In: 2023 IEEE Symposium on Security and Privacy (SP), pp. 
1545\u20131560. IEEE (2023)","DOI":"10.1109\/SP46215.2023.10179378"},{"key":"19_CR49","doi-asserted-by":"publisher","unstructured":"Yu, S., Song, W., Hu, X., Yin, H.: On the correctness of metadata-based SBOM generation: a differential analysis approach. In: 2024 54th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 29\u201336 (2024). https:\/\/doi.org\/10.1109\/DSN58291.2024.00018","DOI":"10.1109\/DSN58291.2024.00018"},{"key":"19_CR50","unstructured":"Zahan, N., et al.: S3C2 summit 2023-11: Industry secure supply chain summit (2024)"}],"container-title":["Lecture Notes in Computer Science","Applied Cryptography and Network Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-031-95764-2_19","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T06:45:44Z","timestamp":1750315544000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-031-95764-2_19"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783031957635","9783031957642"],"references-count":50,"URL":"https:\/\/doi.org\/10.1007\/978-3-031-95764-2_19","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"20 June 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ACNS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Applied Cryptography and Network Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference 
Information"}},{"value":"Munich","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23 June 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"26 June 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"acns2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/acns2025.fordaysec.de\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}