{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,29]],"date-time":"2026-01-29T23:48:22Z","timestamp":1769730502535,"version":"3.49.0"},"reference-count":63,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2024,6,5]],"date-time":"2024-06-05T00:00:00Z","timestamp":1717545600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,6,5]],"date-time":"2024-06-05T00:00:00Z","timestamp":1717545600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/100018941","name":"Indian Institute of Technology Gandhinagar","doi-asserted-by":"publisher","award":["IP\/IITGN\/CSE\/SM\/2324\/02"],"award-info":[{"award-number":["IP\/IITGN\/CSE\/SM\/2324\/02"]}],"id":[{"id":"10.13039\/100018941","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2024,7]]},"DOI":"10.1007\/s10664-024-10448-6","type":"journal-article","created":{"date-parts":[[2024,6,5]],"date-time":"2024-06-05T12:15:55Z","timestamp":1717589755000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["VulNet: Towards improving vulnerability management in the Maven ecosystem"],"prefix":"10.1007","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0390-1547","authenticated-orcid":false,"given":"Zeyang","family":"Ma","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Shouvick","family":"Mondal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tse-Hsun","family":"Chen","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Haoxiang","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ahmed E.","family":"Hassan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,6,5]]},"reference":[{"key":"10448_CR1","unstructured":"Alfadel M, Costa DE, Mokhallalati M, Shihab E, Adams B (2020) On the threat of npm vulnerable dependencies in Node.js applications"},{"key":"10448_CR2","doi-asserted-by":"crossref","unstructured":"Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in Python packages. In: Proceedings of the 28th IEEE international conference on software analysis, evolution and reengineering (SANER\u201921)","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"10448_CR3","unstructured":"Aloraini B (2020) Towards better static analysis security testing methodologies. PhD thesis: https:\/\/uwspace.uwaterloo.ca\/handle\/10012\/16359. Accessed 8 Aug 2022"},{"key":"10448_CR4","doi-asserted-by":"crossref","unstructured":"Alqahtani SS, Eghan EE, Rilling J (2016) SV-AF - a security vulnerability analysis framework. In: 2016 IEEE 27th international symposium on software reliability engineering (ISSRE). pp 219\u2013229","DOI":"10.1109\/ISSRE.2016.12"},{"key":"10448_CR5","unstructured":"Apache (2022a) Log4j - apache log4j 2. https:\/\/logging.apache.org\/log4j\/2.x\/. Accessed 24 Nov 2022"},{"key":"10448_CR6","unstructured":"Apache (2022b) Maven - introduction to the dependency mechanism. https:\/\/maven.apache.org\/guides\/introduction\/introduction-to-dependency-mechanism.html#dependency-scope. Accessed 17 Aug 2022"},{"key":"10448_CR7","unstructured":"Apache (2022c) Maven-Maven documentation. https:\/\/maven.apache.org\/guides\/. Accessed 23 Aug 2022"},{"key":"10448_CR8","doi-asserted-by":"crossref","unstructured":"Barik T (2016) How should static analysis tools explain anomalies to developers? In: Proceedings of the 2016 24th ACM SIGSOFT international symposium on foundations of software engineering, FSE 2016. pp 1118\u20131120","DOI":"10.1145\/2950290.2983968"},{"key":"10448_CR9","doi-asserted-by":"crossref","unstructured":"Chen TH, Shang W, Hassan AE, Nasser M, Flora P (2016) Detecting problems in the database access code of large scale systems: an industrial experience report. In: Proceedings of the 38th international conference on software engineering companion, ICSE\u201916. pp 71\u201380","DOI":"10.1145\/2889160.2889228"},{"key":"10448_CR10","doi-asserted-by":"crossref","unstructured":"Croft R, Xie Y, Zahedi M, Babar MA, Treude C (2021) An empirical study of developers\u2019 discussions about security challenges of different programming languages. arXiv:2107.13723","DOI":"10.1007\/s10664-021-10054-w"},{"issue":"6","key":"10448_CR11","doi-asserted-by":"publisher","first-page":"1226","DOI":"10.1109\/TSE.2019.2918315","volume":"47","author":"A Decan","year":"2019","unstructured":"Decan A, Mens T (2019) What do package dependencies tell us about semantic versioning? IEEE Trans Software Eng 47(6):1226\u20131240","journal-title":"IEEE Trans Software Eng"},{"key":"10448_CR12","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Claes M (2016) On the topology of package dependency networks: a comparison of three programming language ecosystems. In: Proccedings of the 10th European conference on software architecture workshops, ECSAW\u201916","DOI":"10.1145\/2993412.3003382"},{"key":"10448_CR13","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the Npm package dependency network. In: Proceedings of the 15th international conference on mining software repositories, MSR\u201918. pp 181\u2013191","DOI":"10.1145\/3196398.3196401"},{"key":"10448_CR14","doi-asserted-by":"crossref","unstructured":"D\u00fcsing, J. and Hermann B (2022) Analyzing the direct and transitive impact of vulnerabilities onto different artifact repositories. Digital Threats 3(4)","DOI":"10.1145\/3472811"},{"key":"10448_CR15","doi-asserted-by":"crossref","unstructured":"Epperson W, Wang A, DeLIne R, Drucker S (2022) Strategies for reuse and sharing among data scientists in software teams. In: ICSE 2022","DOI":"10.1109\/ICSE-SEIP55303.2022.9793945"},{"key":"10448_CR16","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1145\/1978802.1978812","volume":"43","author":"D Falessi","year":"2011","unstructured":"Falessi D, Cantone G, Kazman R, Kruchten P (2011) Decision-making techniques for software architecture design: a comparative survey. ACM Comput Surv 43:33","journal-title":"ACM Comput Surv"},{"key":"10448_CR17","doi-asserted-by":"crossref","unstructured":"Farris KA, Shah A, Cybenko G, Ganesan R, Jajodia S (2018) VULCON: a system for vulnerability prioritization, mitigation, and management. ACM Trans Priv Secur 21(4)","DOI":"10.1145\/3196884"},{"key":"10448_CR18","unstructured":"First (2022) Common vulnerability scoring system SIG. https:\/\/www.first.org\/cvss\/. Accessed 26 Aug 2022"},{"issue":"7","key":"10448_CR19","doi-asserted-by":"publisher","first-page":"529","DOI":"10.1109\/TSE.2005.85","volume":"31","author":"W Frakes","year":"2005","unstructured":"Frakes W, Kang K (2005) Software reuse research: status and future. IEEE Trans Software Eng 31(7):529\u2013536","journal-title":"IEEE Trans Software Eng"},{"key":"10448_CR20","unstructured":"GitHub (2020) github-octoverse-2020-security-report. https:\/\/octoverse.github.com\/2020\/"},{"key":"10448_CR21","doi-asserted-by":"crossref","unstructured":"Gkortzis A, Feitosa D, Spinellis D (2019) A double-edged sword? software reuse and potential security vulnerabilities. In: Peng X, Ampatzoglou A, Bhowmik T (eds) Reuse in the big data era. pp 187\u2013203","DOI":"10.1007\/978-3-030-22888-0_13"},{"key":"10448_CR22","doi-asserted-by":"publisher","first-page":"110653","DOI":"10.1016\/j.jss.2020.110653","volume":"172","author":"A Gkortzis","year":"2021","unstructured":"Gkortzis A, Feitosa D, Spinellis D (2021) Software reuse cuts both ways: an empirical analysis of its relationship with security vulnerabilities. J Syst Softw 172:110653","journal-title":"J Syst Softw"},{"key":"10448_CR23","unstructured":"Google (2022a) Google online security blog: Understanding the impact of apache log4j vulnerability. https:\/\/security.googleblog.com\/2021\/12\/understanding-impact-of-apache-log4j.html. Accessed 24 Nov 2022"},{"key":"10448_CR24","unstructured":"Google (2022b) Open source insights. https:\/\/deps.dev\/. Accessed 05 Aug 2022"},{"key":"10448_CR25","unstructured":"Google (2022c) Open source insights. https:\/\/deps.dev\/faq. Accessed 12 Oct 2022"},{"key":"10448_CR26","doi-asserted-by":"publisher","first-page":"111134","DOI":"10.1016\/j.jss.2021.111134","volume":"184","author":"N Harrand","year":"2020","unstructured":"Harrand N, Benelallam A, Soto-Valero C, Bettega D, Barais O, Baudry B (2020) API beauty is in the eye of the clients: 2.2 million Maven dependencies reveal the spectrum of client-API usages. J Syst Softw 184:111134","journal-title":"J Syst Softw"},{"issue":"11","key":"10448_CR27","doi-asserted-by":"publisher","first-page":"2822","DOI":"10.1016\/j.jss.2013.06.040","volume":"86","author":"CC Huang","year":"2013","unstructured":"Huang CC, Lin FY, Lin FYS, Sun YS (2013) A novel approach to evaluate software vulnerability prioritization. J Syst Softw 86(11):2822\u20132840","journal-title":"J Syst Softw"},{"key":"10448_CR28","doi-asserted-by":"crossref","unstructured":"Imtiaz N, Thorn S, Williams L (2021) A comparative study of vulnerability reporting by software composition analysis tools. In: Proceedings of the 15th ACM \/ IEEE international symposium on empirical software engineering and measurement (ESEM), ESEM\u201921","DOI":"10.1145\/3475716.3475769"},{"key":"10448_CR29","doi-asserted-by":"crossref","unstructured":"Johnson B, Song Y, Murphy-Hill E, Bowdidge R (2013) Why don\u2019t software developers use static analysis tools to find bugs? In: Proceedings of the 2013 international conference on software engineering, ICSE\u201913. pp 672\u2013681","DOI":"10.1109\/ICSE.2013.6606613"},{"key":"10448_CR30","doi-asserted-by":"publisher","first-page":"102639","DOI":"10.1016\/j.cose.2022.102639","volume":"116","author":"B Jung","year":"2022","unstructured":"Jung B, Li Y, Bechor T (2022) CAVP: a context-aware vulnerability prioritization model. Comput Secur 116:102639","journal-title":"Comput Secur"},{"key":"10448_CR31","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"R Kula","year":"2018","unstructured":"Kula R, German D, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? Empir Softw Eng 23:1\u201334","journal-title":"Empir Softw Eng"},{"key":"10448_CR32","doi-asserted-by":"crossref","unstructured":"Latendresse J, Mujahid S, Costa DE, Shihab E (2022) Not all dependencies are equal: an empirical study on production dependencies in NPM","DOI":"10.1145\/3551349.3556896"},{"key":"10448_CR33","doi-asserted-by":"crossref","unstructured":"LaToza TD, Myers BA (2010) Developers ask reachability questions. In: Proceedings of the 32nd ACM\/IEEE international conference on software engineering, vol 1, ICSE\u201910. pp 185\u2013194","DOI":"10.1145\/1806799.1806829"},{"key":"10448_CR34","doi-asserted-by":"crossref","unstructured":"Le THM, Chen H, Babar MA (2022) A survey on data-driven software vulnerability assessment and prioritization. ACM Comput Surv","DOI":"10.1145\/3529757"},{"key":"10448_CR35","unstructured":"Lemos R (2022) Dependency problems increase for open source components. https:\/\/www.darkreading.com\/application-security\/dependency-problems-increase-for-open-source-components. Accessed 05 Aug 2022"},{"key":"10448_CR36","unstructured":"Libraries.io (2022) Libraries.io-The open source discovery service. https:\/\/libraries.io\/. Accessed 14 Nov 2022"},{"key":"10448_CR37","doi-asserted-by":"crossref","unstructured":"Lipp S, Banescu S, Pretschner A (2022) An empirical study on the effectiveness of static C code analyzers for vulnerability detection. In: Proceedings of the 31st ACM SIGSOFT international symposium on software testing and analysis, ISSTA 2022. pp 544\u2013555","DOI":"10.1145\/3533767.3534380"},{"key":"10448_CR38","doi-asserted-by":"crossref","unstructured":"Liu C, Chen S, Fan L, Chen B, Liu Y, Peng X (2022) Demystifying the vulnerability propagation and its evolution via dependency trees in the NPM ecosystem. In: 2022 IEEE\/ACM 44th international conference on software engineering (ICSE). pp 672\u2013684","DOI":"10.1145\/3510003.3510142"},{"issue":"8","key":"10448_CR39","doi-asserted-by":"publisher","first-page":"1699","DOI":"10.1016\/j.jss.2012.03.057","volume":"85","author":"Q Liu","year":"2012","unstructured":"Liu Q, Zhang Y, Kong Y, Wu Q (2012) Improving VRSS-based vulnerability prioritization using analytic hierarchy process. J Syst Softw 85(8):1699\u20131708","journal-title":"J Syst Softw"},{"key":"10448_CR40","doi-asserted-by":"crossref","unstructured":"Louridas P, Spinellis D, Vlachos V (2008) Power laws in software. ACM Trans Softw Eng Methodol 18(1)","DOI":"10.1145\/1391984.1391986"},{"key":"10448_CR41","unstructured":"Ma Z, Mondal S, Chen THP, Zhang H (2022) Vulnet. https:\/\/github.com\/SPEAR-SE\/Vulnet"},{"key":"10448_CR42","doi-asserted-by":"crossref","unstructured":"Massacci F, Pashchenko I (2021) Technical leverage in a software ecosystem: development opportunities and security risks. In: 2021 IEEE\/ACM 43rd international conference on software engineering (ICSE). pp 1386\u20131397","DOI":"10.1109\/ICSE43902.2021.00125"},{"key":"10448_CR43","unstructured":"Maven (2022) Maven-optional dependencies and dependency exclusions. Accessed 17 Aug 2022"},{"key":"10448_CR44","unstructured":"Mitre (2022) Cve-cve-2021-44228. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=cve-2021-44228. Accessed 17 Nov 2022"},{"issue":"2","key":"10448_CR45","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1109\/MS.2013.142","volume":"31","author":"IJ Mojica","year":"2014","unstructured":"Mojica IJ, Adams B, Nagappan M, Dienst S, Berger T, Hassan AE (2014) A large-scale empirical study on software reuse in mobile apps. IEEE Softw 31(2):78\u201386","journal-title":"IEEE Softw"},{"key":"10448_CR46","doi-asserted-by":"crossref","unstructured":"Nachtigall M, Schlichtig M, Bodden E (2022) A large-scale study of usability criteria addressed by static analysis tools. In: Proceedings of the 31st ACM SIGSOFT international symposium on software testing and analysis, ISSTA 2022. pp 532\u2013543","DOI":"10.1145\/3533767.3534374"},{"key":"10448_CR47","unstructured":"Oracle (2022) JDBC drivers | oracle. https:\/\/www.oracle.com\/ca-en\/database\/technologies\/appdev\/jdbc.html. Accessed 12 Oct 2022"},{"key":"10448_CR48","doi-asserted-by":"crossref","unstructured":"Pashchenko I, Plate H, Ponta SE, Sabetta A, Massacci F (2018) Vulnerable open source dependencies: counting those that matter. Proceedings of the 12th ACM\/IEEE international symposium on empirical software engineering and measurement","DOI":"10.1145\/3239235.3268920"},{"issue":"01","key":"10448_CR49","first-page":"1","volume":"48","author":"I Pashchenko","year":"2020","unstructured":"Pashchenko I, Plate H, Ponta S, Sabetta A, Massacci F (2020) Vuln4Real: a methodology for counting actually vulnerable dependencies. IEEE Trans Softw Eng 48(01):1\u20131","journal-title":"IEEE Trans Softw Eng"},{"key":"10448_CR50","doi-asserted-by":"crossref","unstructured":"Prana G, Sharma A, Shar LK, Foo D, Santosa A, Sharma A, Lo D (2021) Out of sight, out of mind? How vulnerable dependencies affect open-source projects. Empirical Software Engineering 26","DOI":"10.1007\/s10664-021-09959-3"},{"key":"10448_CR51","unstructured":"Renjin (2022) Renjin | Integrating R and Java | The JVM-based interpreter for the R language for statistical computing. https:\/\/www.renjin.org\/. Accessed 08 Sep 2022"},{"key":"10448_CR52","unstructured":"Repository M (2022a) Maven Repository: Search\/Browse\/Explore. https:\/\/mvnrepository.com\/. Accessed 05 Aug 2022"},{"key":"10448_CR53","unstructured":"Repository M (2022b) Maven repository: top projects at Maven repository. https:\/\/mvnrepository.com\/popular. Accessed 06 Aug 2022"},{"key":"10448_CR54","doi-asserted-by":"crossref","unstructured":"Ruiz IJM, Nagappan M, Adams B, Hassan AE (2012) Understanding reuse in the Android Market. In: 2012 20th IEEE international conference on program comprehension (ICPC). pp 113\u2013122","DOI":"10.1109\/ICPC.2012.6240477"},{"key":"10448_CR55","unstructured":"Saaty TL (1994) Fundamentals of decision making and priority theory with the analytic hierarchy process. RWS publications"},{"key":"10448_CR56","doi-asserted-by":"crossref","unstructured":"Shen H, Fang J, Zhao J (2011) EFindBugs: effective error ranking for FindBugs. In: 2011 Fourth IEEE international conference on software testing, verification and validation. pp 299\u2013308","DOI":"10.1109\/ICST.2011.51"},{"key":"10448_CR57","doi-asserted-by":"crossref","unstructured":"Smith J, Johnson B, Murphy-Hill E, Chu B, Lipford HR (2015) Questions developers ask while diagnosing potential security vulnerabilities with static analysis. In: Proceedings of the 2015 10th joint meeting on foundations of software engineering, ESEC\/FSE 2015. New York USA, pp 248\u2013259","DOI":"10.1145\/2786805.2786812"},{"key":"10448_CR58","unstructured":"Snyk (2022) Snyk vulnerability database | Snyk. https:\/\/security.snyk.io\/. Accessed 14 Nov 2022"},{"key":"10448_CR59","unstructured":"Sonatype (2022) Sonatype oss index. https:\/\/ossindex.sonatype.org\/. Accessed 08 Mar 2023"},{"key":"10448_CR60","doi-asserted-by":"crossref","unstructured":"Soto-Valero C, Harrand N, Monperrus M, Baudry B (2021) A comprehensive study of bloated dependencies in the Maven ecosystem. Empirical Softw Engg 26(3)","DOI":"10.1007\/s10664-020-09914-8"},{"key":"10448_CR61","unstructured":"Synopsys (2022). Synopsys | EDA tools, semiconductor IP and application security solutions. https:\/\/www.synopsys.com\/. Accessed 05 Aug 2022"},{"key":"10448_CR62","doi-asserted-by":"crossref","unstructured":"Valiev M, Vasilescu B, Herbsleb J (2018) Ecosystem-level determinants of sustained activity in open-source projects: a case study of the PyPI ecosystem. In: Proceedings of the 2018 26th ACM joint meeting on european software engineering conference and symposium on the foundations of software engineering, ESEC\/FSE 2018. pp 644\u2013655","DOI":"10.1145\/3236024.3236062"},{"issue":"5","key":"10448_CR63","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-022-10154-1","volume":"27","author":"A Zerouali","year":"2022","unstructured":"Zerouali A, Mens T, Decan A, De Roover C (2022) On the impact of security vulnerabilities in the NPM and RubyGems dependency networks. Empir Softw Eng 27(5):1\u201345","journal-title":"Empir Softw Eng"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10448-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-024-10448-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10448-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,5]],"date-time":"2024-07-05T15:16:58Z","timestamp":1720192618000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-024-10448-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,6,5]]},"references-count":63,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2024,7]]}},"alternative-id":["10448"],"URL":"https:\/\/doi.org\/10.1007\/s10664-024-10448-6","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,6,5]]},"assertion":[{"value":"16 January 2024","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 June 2024","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declared that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}}],"article-number":"83"}}