{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,16]],"date-time":"2026-06-16T03:44:00Z","timestamp":1781581440359,"version":"3.54.5"},"reference-count":73,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,11,6]],"date-time":"2024-11-06T00:00:00Z","timestamp":1730851200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2024,11,6]],"date-time":"2024-11-06T00:00:00Z","timestamp":1730851200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62141209"],"award-info":[{"award-number":["62141209"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Guangxi Collaborative Innovation Center of Multi-source Information Integration and Intelligent"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2025,1]]},"DOI":"10.1007\/s10664-024-10581-2","type":"journal-article","created":{"date-parts":[[2024,11,6]],"date-time":"2024-11-06T09:07:02Z","timestamp":1730884022000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":15,"title":["Understanding vulnerabilities in software supply chains"],"prefix":"10.1007","volume":"30","author":[{"given":"Yijun","family":"Shen","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Xiang","family":"Gao","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Hailong","family":"Sun","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yu","family":"Guo","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2024,11,6]]},"reference":[{"key":"10581_CR1","doi-asserted-by":"publisher","unstructured":"Abreu R, Zoeteweij P, Van\u00a0Gemund AJ (2007) On the accuracy of spectrum-based fault localization. In: Testing: Academic and industrial conference practice and research techniques-mutation (TAICPART-MUTATION 2007), pp 89\u201398. https:\/\/doi.org\/10.1007\/10.1109\/TAIC.PART.2007.13","DOI":"10.1007\/10.1109\/TAIC.PART.2007.13"},{"key":"10581_CR2","unstructured":"AFL (2019) American fuzzy lop (afl). http:\/\/lcamtuf.coredump.cx\/afl Accessed 08 Apr 2023"},{"key":"10581_CR3","doi-asserted-by":"publisher","unstructured":"Alfadel M, Costa DE, Shihab E (2021) Empirical analysis of security vulnerabilities in python packages. In: 2021 IEEE International conference on software analysis, evolution and reengineering (SANER), pp 446\u2013457. https:\/\/doi.org\/10.1109\/SANER50967.2021.00048","DOI":"10.1109\/SANER50967.2021.00048"},{"key":"10581_CR4","doi-asserted-by":"publisher","unstructured":"Almhana R, Mkaouer MW, Kessentini M, Ouni A (2016) Recommending relevant classes for bug reports using multi-objective search. 2016 31st IEEE\/ACM International conference on automated software engineering (ASE) pp 286\u2013295. https:\/\/doi.org\/10.1145\/2970276.2970344","DOI":"10.1145\/2970276.2970344"},{"key":"10581_CR5","unstructured":"BlackDuck (2023) Black duck. https:\/\/www.synopsys.com\/software-integrity\/security-testing\/software-composition-analysis.html Accessed 31 May 2023"},{"key":"10581_CR6","doi-asserted-by":"publisher","unstructured":"Bui QC, Scandariato R, Ferreyra NED (2022) Vul4j: a dataset of reproducible java vulnerabilities geared towards the study of program repair techniques. In: 2022 IEEE\/ACM 19th International conference on mining software repositories (MSR), pp 464\u2013468. https:\/\/doi.org\/10.1145\/3524842.3528482","DOI":"10.1145\/3524842.3528482"},{"key":"10581_CR7","doi-asserted-by":"publisher","first-page":"3280","DOI":"10.1109\/TSE.2021.3087402","volume":"48","author":"S Chakraborty","year":"2020","unstructured":"Chakraborty S, Krishna R, Ding Y, Ray B (2020) Deep learning based vulnerability detection: are we there yet? IEEE Trans Softw Eng 48:3280\u20133296. https:\/\/doi.org\/10.1109\/TSE.2021.3087402","journal-title":"IEEE Trans Softw Eng"},{"key":"10581_CR8","doi-asserted-by":"publisher","unstructured":"Cox J, Bouwers E, Van\u00a0Eekelen M, Visser J (2015) Measuring dependency freshness in software systems. In: 2015 IEEE\/ACM 37th IEEE International conference on software engineering (ICSE), vol\u00a02, pp 109\u2013118. https:\/\/doi.org\/10.1109\/ICSE.2015.140","DOI":"10.1109\/ICSE.2015.140"},{"key":"10581_CR9","unstructured":"CVEProgram (2024) Key details phrasing. https:\/\/www.cve.org\/Resources\/General\/Key-Details-Phrasing.pdf Accessed 12 June 2024"},{"key":"10581_CR10","unstructured":"CWE (2021) 2021 cwe top 25 most dangerous software weaknesses. https:\/\/cwe.mitre.org\/top25\/archive\/2021\/2021_cwe_top25.html Accessed 25 April 2024"},{"issue":"9","key":"10581_CR11","doi-asserted-by":"publisher","first-page":"3613","DOI":"10.1109\/TSE.2021.3101739","volume":"48","author":"A Dann","year":"2022","unstructured":"Dann A, Plate H, Hermann B, Ponta SE, Bodden E (2022) Identifying challenges for oss vulnerability scanners - a study & test suite. IEEE Trans Softw Eng 48(9):3613\u20133625. https:\/\/doi.org\/10.1109\/TSE.2021.3101739","journal-title":"IEEE Trans Softw Eng"},{"key":"10581_CR12","doi-asserted-by":"publisher","first-page":"989","DOI":"10.1002\/spe.1146","volume":"43","author":"V Debroy","year":"2013","unstructured":"Debroy V, Wong WE (2013) A consensus-based strategy to improve the quality of fault localization. Softw Pract Experience 43:989\u20131011. https:\/\/doi.org\/10.1002\/spe.1146","journal-title":"Softw Pract Experience"},{"key":"10581_CR13","doi-asserted-by":"publisher","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the npm package dependency network. 2018 IEEE\/ACM 15th International conference on mining software repositories (MSR) pp 181\u2013191. https:\/\/doi.org\/10.1145\/3196398.3196401","DOI":"10.1145\/3196398.3196401"},{"key":"10581_CR14","unstructured":"Dependabot (2023) Dependabot. https:\/\/github.com\/dependabot Accessed 30 May 2023"},{"key":"10581_CR15","unstructured":"Dependency-Check (2023) Owasp dependency check. https:\/\/owasp.org\/www-project-dependency-check Accessed 30 May 2023"},{"key":"10581_CR16","doi-asserted-by":"publisher","unstructured":"Dodge Y (2008) Spearman rank correlation coefficient. In: The Concise encyclopedia of statistics, Springer, New York, NY, pp 502\u2013505. https:\/\/doi.org\/10.1007\/978-0-387-32833-1_379","DOI":"10.1007\/978-0-387-32833-1_379"},{"issue":"2","key":"10581_CR17","doi-asserted-by":"publisher","first-page":"96","DOI":"10.1109\/MSEC.2022.3142338","volume":"20","author":"W Enck","year":"2022","unstructured":"Enck W, Williams L (2022) Top five challenges in software supply chain security: observations from 30 industry and government organizations. IEEE Secur Priv 20(2):96\u2013100. https:\/\/doi.org\/10.1109\/MSEC.2022.3142338","journal-title":"IEEE Secur Priv"},{"key":"10581_CR18","unstructured":"Foundation TL (2020) Open source software supply chain security. https:\/\/www.linuxfoundation.org\/tools\/open-source-software-supply-chain-security\/ Accessed 06 May 2022"},{"key":"10581_CR19","doi-asserted-by":"publisher","unstructured":"Gao X, Wang B, Duck GJ, Ji R, Xiong Y, Roychoudhury A (2020) Beyond tests: program vulnerability repair via crash constraint extraction. ACM Trans Softw Eng Methodol (TOSEM) 30(2). https:\/\/doi.org\/10.1145\/3418461","DOI":"10.1145\/3418461"},{"key":"10581_CR20","unstructured":"Gartner (2021) Application development will shift to application assembly and integration. https:\/\/www.gartner.com\/en\/newsroom\/press-releases\/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences Accessed 12 Apr 2023"},{"key":"10581_CR21","doi-asserted-by":"publisher","first-page":"110653","DOI":"10.1016\/j.jss.2020.110653","volume":"172","author":"A Gkortzis","year":"2021","unstructured":"Gkortzis A, Feitosa D, Spinellis D (2021) Software reuse cuts both ways: an empirical analysis of its relationship with security vulnerabilities. J Syst Softw 172:110653. https:\/\/doi.org\/10.1016\/j.jss.2020.110653","journal-title":"J Syst Softw"},{"key":"10581_CR22","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1145\/3318162","volume":"62","author":"CL Goues","year":"2019","unstructured":"Goues CL, Pradel M, Roychoudhury A (2019) Automated program repair. Commun ACM 62:56\u201365. https:\/\/doi.org\/10.1145\/3318162","journal-title":"Commun ACM"},{"key":"10581_CR23","doi-asserted-by":"publisher","unstructured":"Grieco G, Grinblat GL, Uzal LC, Rawat S, Feist J, Mounier L (2016) Toward large-scale vulnerability discovery using machine learning. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy. https:\/\/doi.org\/10.1145\/2857705.2857720","DOI":"10.1145\/2857705.2857720"},{"key":"10581_CR24","doi-asserted-by":"publisher","unstructured":"Huang Z, Lie D, Tan G, Jaeger T (2019) Using safety properties to generate vulnerability patches. In: Proceedings of the 40th IEEE symposium on security and privacy (S &P), pp 539\u2013554. https:\/\/doi.org\/10.1109\/SP.2019.00071","DOI":"10.1109\/SP.2019.00071"},{"key":"10581_CR25","doi-asserted-by":"publisher","unstructured":"Imtiaz N, Thorn S, Williams L (2021) A comparative study of vulnerability reporting by software composition analysis tools. In: Proceedings of the 15th ACM \/ IEEE International symposium on empirical software engineering and measurement (ESEM). https:\/\/doi.org\/10.1145\/3475716.347576","DOI":"10.1145\/3475716.347576"},{"key":"10581_CR26","doi-asserted-by":"publisher","unstructured":"Islam MJ, Pan R, Nguyen G, Rajan H (2020) Repairing deep neural networks: fix patterns and challenges. In: Proceedings of the ACM\/IEEE 42nd international conference on software engineering, pp 1135\u20131146. https:\/\/doi.org\/10.1145\/3377811.3380378","DOI":"10.1145\/3377811.3380378"},{"key":"10581_CR27","doi-asserted-by":"publisher","unstructured":"Jang J, Agrawal A, Brumley D (2012) Redebug: finding unpatched code clones in entire os distributions. In: 2012 IEEE Symposium on security and privacy, pp 48\u201362. https:\/\/doi.org\/10.1109\/SP.2012.13","DOI":"10.1109\/SP.2012.13"},{"key":"10581_CR28","doi-asserted-by":"publisher","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","volume":"23","author":"RG Kula","year":"2018","unstructured":"Kula RG, German DM, Ouni A, Ishio T, Inoue K (2018) Do developers update their library dependencies? an empirical study on the impact of security advisories on library migration. Empir Softw Eng 23:384\u2013417. https:\/\/doi.org\/10.1007\/s10664-017-9521-5","journal-title":"Empir Softw Eng"},{"key":"10581_CR29","doi-asserted-by":"publisher","unstructured":"Lam AN, Nguyen AT, Nguyen HA, Nguyen TN (2017) Bug localization with combination of deep learning and information retrieval. In: 2017 IEEE\/ACM 25th International conference on program comprehension (ICPC), pp 218\u2013229. https:\/\/doi.org\/10.1109\/ICPC.2017.24","DOI":"10.1109\/ICPC.2017.24"},{"key":"10581_CR30","doi-asserted-by":"crossref","unstructured":"Lauinger T, Chaabane A, Arshad S, Robertson W, Wilson C, Kirda E (2017) Thou shalt not depend on me: analysing the use of outdated javascript libraries on the web. https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2017\/09\/ndss2017_02B-1_Lauinger_paper.pdf Accessed 02 July 2024","DOI":"10.14722\/ndss.2017.23414"},{"key":"10581_CR31","doi-asserted-by":"publisher","unstructured":"Li F, Paxson V (2017) A large-scale empirical study of security patches. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security, pp 2201\u20132215. https:\/\/doi.org\/10.1145\/3133956.3134072","DOI":"10.1145\/3133956.3134072"},{"key":"10581_CR32","doi-asserted-by":"publisher","unstructured":"Li Z, Zou D, Xu S, Ou X, Jin H, Wang S, Deng Z, Zhong Y (2018) Vuldeepecker: a deep learning-based system for vulnerability detection. In: Network and Distributed Systems Security (NDSS) symposium 2018. https:\/\/doi.org\/10.14722\/ndss.2018.23158","DOI":"10.14722\/ndss.2018.23158"},{"key":"10581_CR33","doi-asserted-by":"publisher","unstructured":"Liu C, Chen S, Fan L, Chen B, Liu Y, Peng X (2022) Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. 2022 IEEE\/ACM 44th International conference on software engineering (ICSE) pp 672\u2013684. https:\/\/doi.org\/10.1145\/3510003.3510142","DOI":"10.1145\/3510003.3510142"},{"key":"10581_CR34","doi-asserted-by":"publisher","unstructured":"Liu K, Koyuncu A, Bissyande TF, Kim D, Klein J, Le\u00a0Traon Y (2019) You cannot fix what you cannot find! an investigation of fault localization bias in benchmarking automated program repair systems. In: 2019 12th IEEE Conference on software testing, validation and verification (ICST), pp 102\u2013113. https:\/\/doi.org\/10.1109\/ICST.2019.00020","DOI":"10.1109\/ICST.2019.00020"},{"key":"10581_CR35","doi-asserted-by":"publisher","unstructured":"Mirhosseini S, Parnin C (2017) Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In: 2017 32nd IEEE\/ACM International conference on automated software engineering (ASE), pp 84\u201394. https:\/\/doi.org\/10.1109\/ASE.2017.8115621","DOI":"10.1109\/ASE.2017.8115621"},{"key":"10581_CR36","doi-asserted-by":"publisher","unstructured":"Moreno L, Treadway JJ, Marcus A, Shen W (2014) On the use of stack traces to improve text retrieval-based bug localization. In: 2014 IEEE International conference on software maintenance and evolution, pp 151\u2013160. https:\/\/doi.org\/10.1109\/ICSME.2014.37","DOI":"10.1109\/ICSME.2014.37"},{"key":"10581_CR37","doi-asserted-by":"publisher","unstructured":"Perl H, Dechand S, Smith M, Arp D, Yamaguchi F, Rieck K, Fahl S, Acar Y (2015) Vccfinder: finding potential vulnerabilities in open-source projects to assist code audits. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 426\u2013437. https:\/\/doi.org\/10.1145\/2810103.2813604","DOI":"10.1145\/2810103.2813604"},{"key":"10581_CR38","doi-asserted-by":"publisher","unstructured":"Pfretzschner B, ben Othmane L (2017) Identification of dependency-based attacks on node.js. In: Proceedings of the 12th international conference on availability, reliability and security, pp 1\u20136. https:\/\/doi.org\/10.1145\/3098954.3120928","DOI":"10.1145\/3098954.3120928"},{"key":"10581_CR39","doi-asserted-by":"publisher","unstructured":"Pham NH, Nguyen TT, Nguyen HA, Nguyen TN (2010) Detection of recurring software vulnerabilities. Proceedings of the 25th IEEE\/ACM international conference on automated software engineering pp 447\u2013456. https:\/\/doi.org\/10.1145\/1858996.1859089","DOI":"10.1145\/1858996.1859089"},{"key":"10581_CR40","doi-asserted-by":"publisher","unstructured":"Ponta SE, Plate H, Sabetta A, Bezzi M, Dangremont C (2019) A manually-curated dataset of fixes to vulnerabilities of open-source software. In: Proceedings of the 16th international conference on mining software repositories, pp 383\u2013387. https:\/\/doi.org\/10.1109\/MSR.2019.00064","DOI":"10.1109\/MSR.2019.00064"},{"issue":"4","key":"10581_CR41","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s10664-021-09959-3","volume":"26","author":"GAA Prana","year":"2021","unstructured":"Prana GAA, Sharma A, Shar LK, Foo D, Santosa AE, Sharma A, Lo D (2021) Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empir Softw Eng 26(4):1\u201334. https:\/\/doi.org\/10.1007\/s10664-021-09959-3","journal-title":"Empir Softw Eng"},{"key":"10581_CR42","doi-asserted-by":"publisher","unstructured":"Reid D, Jahanshahi M, Mockus A (2022) The extent of orphan vulnerabilities from code reuse in open source software. In: Proceedings of the 44th international conference on software engineering, pp 2104\u20132115. https:\/\/doi.org\/10.1145\/3510003.3510216","DOI":"10.1145\/3510003.3510216"},{"key":"10581_CR43","doi-asserted-by":"publisher","unstructured":"Reps T, Ball T, Das M, Larus J (1997) The use of program profiling for software maintenance with applications to the year 2000 problem. In: Joint european software engineering conference and symposium on the foundations of software engineering (ESEC\/FSE), pp 432\u2013449. https:\/\/doi.org\/10.1145\/267896.267925","DOI":"10.1145\/267896.267925"},{"key":"10581_CR44","doi-asserted-by":"publisher","unstructured":"Saha RK, Lease M, Khurshid S, Perry DE (2013) Improving bug localization using structured information retrieval. In: 2013 28th IEEE\/ACM International conference on automated software engineering (ASE), pp 345\u2013355. https:\/\/doi.org\/10.1109\/ASE.2013.6693093","DOI":"10.1109\/ASE.2013.6693093"},{"key":"10581_CR45","doi-asserted-by":"publisher","unstructured":"Santelices R, Jones JA, Yu Y, Harrold MJ (2009) Lightweight fault-localization using multiple coverage types. In: 2009 IEEE 31st International conference on software engineering, pp 56\u201366. https:\/\/doi.org\/10.1109\/ICSE.2009.5070508","DOI":"10.1109\/ICSE.2009.5070508"},{"key":"10581_CR46","doi-asserted-by":"publisher","unstructured":"Sejfia A, Sch\u00e4fer M (2022) Practical automated detection of malicious npm packages. In: 2022 IEEE\/ACM 44th International conference on software engineering (ICSE), pp 1681\u20131692. https:\/\/doi.org\/10.1145\/3510003.3510104","DOI":"10.1145\/3510003.3510104"},{"key":"10581_CR47","unstructured":"Serebryany K, Bruening D, Potapenko A, Vyukov D (2012) Addresssanitizer: a fast address sanity checker. https:\/\/www.usenix.org\/conference\/atc12\/technical-sessions\/presentation\/serebryany Accessed 30 June 2024"},{"key":"10581_CR48","doi-asserted-by":"publisher","unstructured":"Sheng VS, Provost F, Ipeirotis PG (2008) Get another label? improving data quality and data mining using multiple, noisy labelers. In: Proceedings of the 14th ACM SIGKDD international conference on knowledge discovery and data mining, pp 614\u2013622. https:\/\/doi.org\/10.1145\/1401890.1401965","DOI":"10.1145\/1401890.1401965"},{"key":"10581_CR49","unstructured":"Sonatype (2021) 2021 state of the software supply chain. https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021 Accessed 06 May 2022"},{"key":"10581_CR50","doi-asserted-by":"publisher","first-page":"45","DOI":"10.1007\/s10664-020-09914-8","volume":"26","author":"C Soto-Valero","year":"2021","unstructured":"Soto-Valero C, Harrand N, Monperrus M, Baudry B (2021) A comprehensive study of bloated dependencies in the maven ecosystem. Empir Softw Eng 26:45. https:\/\/doi.org\/10.1007\/s10664-020-09914-8","journal-title":"Empir Softw Eng"},{"key":"10581_CR51","unstructured":"Staicu CA, Pradel M, Livshits B (2016) Understanding and automatically preventing injection attacks on node.js. https:\/\/www.doc.ic.ac.uk\/~livshits\/papers\/tr\/nodejs_tr.pdf Accessed 02 July 2024"},{"key":"10581_CR52","unstructured":"Synopsys (2022) 2022 open source security and risk analysis report. https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html Accessed 06 May 2022"},{"key":"10581_CR53","unstructured":"Synopsys (2024) 2024 open source security and risk analysis report. https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html Accessed 12 June 2024"},{"key":"10581_CR54","doi-asserted-by":"publisher","unstructured":"Tan X, Gao K, Zhou M, Zhang L (2022) An exploratory study of deep learning supply chain. In: 2022 IEEE\/ACM 43rd International conference on software engineering (ICSE), pp 86\u201398. https:\/\/doi.org\/10.1145\/3510003.3510199","DOI":"10.1145\/3510003.3510199"},{"key":"10581_CR55","doi-asserted-by":"publisher","unstructured":"Viega J, Bloch J, Kohno Y, McGraw G (2000) Its4: a static vulnerability scanner for c and c++ code. In: Proceedings 16th annual computer security applications conference (ACSAC\u201900), pp 257\u2013267. https:\/\/doi.org\/10.1109\/ACSAC.2000.898880","DOI":"10.1109\/ACSAC.2000.898880"},{"key":"10581_CR56","doi-asserted-by":"publisher","unstructured":"Vu DL, Pashchenko I, Massacci F, Plate H, Sabetta A (2020) Towards using source code repositories to identify software supply chain attacks. In: Proceedings of the 2020 ACM SIGSAC conference on computer and communications security, pp 2093\u20132095. https:\/\/doi.org\/10.1145\/3372297.3420015","DOI":"10.1145\/3372297.3420015"},{"key":"10581_CR57","doi-asserted-by":"publisher","unstructured":"Wang S, Lo D, Lawall J (2014) Compositional vector space models for improved bug localization. In: 2014 IEEE International conference on software maintenance and evolution, pp 171\u2013180. https:\/\/doi.org\/10.1109\/ICSME.2014.39","DOI":"10.1109\/ICSME.2014.39"},{"key":"10581_CR58","doi-asserted-by":"publisher","unstructured":"Wang Y, Chen B, Huang K, Shi B, Xu C, Peng X, Wu Y, Liu Y (2020) An empirical study of usages, updates and risks of third-party libraries in java projects. In: 2020 IEEE International conference on software maintenance and evolution (ICSME), pp 35\u201345. https:\/\/doi.org\/10.1109\/ICSME46990.2020.00014","DOI":"10.1109\/ICSME46990.2020.00014"},{"key":"10581_CR59","doi-asserted-by":"publisher","unstructured":"Wijayasekara D, Manic M, McQueen M (2014) Vulnerability identification and classification via text mining bug databases. In: IECON 2014-40th Annual conference of the IEEE industrial electronics society, pp 3612\u20133618. https:\/\/doi.org\/10.1109\/IECON.2014.7049035","DOI":"10.1109\/IECON.2014.7049035"},{"key":"10581_CR60","doi-asserted-by":"publisher","unstructured":"Wong CP, Xiong Y, Zhang H, Hao D, Zhang L, Mei H (2014) Boosting bug-report-oriented fault localization with segmentation and stack-trace analysis. In: 2014 IEEE International conference on software maintenance and evolution, pp 181\u2013190. https:\/\/doi.org\/10.1109\/ICSME.2014.40","DOI":"10.1109\/ICSME.2014.40"},{"issue":"8","key":"10581_CR61","doi-asserted-by":"publisher","first-page":"707","DOI":"10.1007\/10.1109\/TSE.2016.2521368","volume":"42","author":"WE Wong","year":"2016","unstructured":"Wong WE, Gao R, Li Y, Abreu R, Wotawa F (2016) A survey on software fault localization. IEEE Trans Softw Eng 42(8):707\u2013740. https:\/\/doi.org\/10.1007\/10.1109\/TSE.2016.2521368","journal-title":"IEEE Trans Softw Eng"},{"key":"10581_CR62","doi-asserted-by":"publisher","unstructured":"Wu Y, Yu Z, Wen M, Li Q, Zou D, Jin H (2023) Understanding the threats of upstream vulnerabilities to downstream projects in the maven ecosystem. In: 2023 IEEE\/ACM 45th International conference on software engineering (ICSE), pp 1046\u2013105\u00a0https:\/\/doi.org\/10.1109\/ICSE48619.2023.00095","DOI":"10.1109\/ICSE48619.2023.00095"},{"key":"10581_CR63","doi-asserted-by":"publisher","unstructured":"Wyss E, De\u00a0Carli L, Davidson D (2022) What the fork? finding hidden code clones in npm. In: Proceedings of the 44th international conference on software engineering, pp 2415\u20132426. https:\/\/doi.org\/10.1145\/3510003.3510168","DOI":"10.1145\/3510003.3510168"},{"key":"10581_CR64","doi-asserted-by":"publisher","unstructured":"Xia P, Matsushita M, Yoshida N, Inoue K (2013) Studying reuse of out-dated third-party code in open source projects. J Inf Process 9:155\u2013161. https:\/\/doi.org\/10.11309\/JSSST.30.4_98","DOI":"10.11309\/JSSST.30.4_98"},{"key":"10581_CR65","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/2522920.2522924","volume":"22","author":"X Xie","year":"2013","unstructured":"Xie X, Chen TY, Kuo FC, Xu B (2013) A theoretical analysis of the risk evaluation formulas for spectrum-based fault localization. ACM Trans Softw Eng Methodol (TOSEM) 22:1\u201340. https:\/\/doi.org\/10.1145\/2522920.2522924","journal-title":"ACM Trans Softw Eng Methodol (TOSEM)"},{"key":"10581_CR66","doi-asserted-by":"publisher","unstructured":"Xu Z, Chen B, Chandramohan M, Liu Y, Song F (2017) Spain: security patch analysis for binaries towards understanding the pain and pills. In: 2017 IEEE\/ACM 39th International conference on software engineering (ICSE), pp 462\u2013472. https:\/\/doi.org\/10.1109\/ICSE.2017.49","DOI":"10.1109\/ICSE.2017.49"},{"key":"10581_CR67","doi-asserted-by":"publisher","unstructured":"Xuan J, Monperrus M (2014) Learning to combine multiple ranking metrics for fault localization. In: 2014 IEEE International conference on software maintenance and evolution, pp 191\u2013200. https:\/\/doi.org\/10.1109\/ICSME.2014.41","DOI":"10.1109\/ICSME.2014.41"},{"key":"10581_CR68","doi-asserted-by":"publisher","unstructured":"Yamaguchi F, Wressnegger C, Gascon H, Rieck K (2013) Chucky: exposing missing checks in source code for vulnerability discovery. Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security https:\/\/doi.org\/10.1145\/2508859.2516665","DOI":"10.1145\/2508859.2516665"},{"key":"10581_CR69","doi-asserted-by":"publisher","unstructured":"Yasumatsu T, Watanabe T, Kanei F, Shioji E, Akiyama M, Mori T (2019) Understanding the responsiveness of mobile app developers to software library updates. In: Proceedings of the ninth ACM conference on data and application security and privacy, pp 13\u201324. https:\/\/doi.org\/10.1145\/3292006.3300020","DOI":"10.1145\/3292006.3300020"},{"key":"10581_CR70","doi-asserted-by":"publisher","unstructured":"Youm KC, Ahn J, Kim J, Lee E (2015) Bug localization based on code change histories and bug reports. In: 2015 Asia-Pacific software engineering conference (APSEC), pp 190\u2013197. https:\/\/doi.org\/10.1109\/APSEC.2015.23","DOI":"10.1109\/APSEC.2015.23"},{"key":"10581_CR71","doi-asserted-by":"publisher","unstructured":"Zapata RE, Kula RG, Chinthanet B, Ishio T, Matsumoto K, Ihara A (2018) Towards smoother library migrations: a look at vulnerable dependency migrations at function level for npm javascript packages. In: 2018 IEEE International conference on software maintenance and evolution (ICSME), pp 559\u2013563. https:\/\/doi.org\/10.1007\/10.1109\/ICSME.2018.00067","DOI":"10.1007\/10.1109\/ICSME.2018.00067"},{"key":"10581_CR72","doi-asserted-by":"publisher","unstructured":"Zhou J, Zhang H, Lo D (2012) Where should the bugs be fixed? more accurate information retrieval-based bug localization based on bug reports. In: 2012 34th International conference on software engineering (ICSE), pp 14\u201324. https:\/\/doi.org\/10.1109\/ICSE.2012.6227210","DOI":"10.1109\/ICSE.2012.6227210"},{"key":"10581_CR73","doi-asserted-by":"publisher","unstructured":"Zimmermann M, Staicu CA, Tenny C, Pradel M (2019) Smallworld with high risks: a study of security threats in the npm ecosystem. In: Proceedings of the 28th USENIX conference on security symposium, pp 995\u20131010. https:\/\/doi.org\/10.5555\/3361338.3361407","DOI":"10.5555\/3361338.3361407"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10581-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-024-10581-2\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-024-10581-2.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,1,7]],"date-time":"2025-01-07T14:11:55Z","timestamp":1736259115000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-024-10581-2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,6]]},"references-count":73,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1]]}},"alternative-id":["10581"],"URL":"https:\/\/doi.org\/10.1007\/s10664-024-10581-2","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,11,6]]},"assertion":[{"value":"21 October 2024","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 November 2024","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declared that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of Interest"}}],"article-number":"20"}}