{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T15:50:23Z","timestamp":1774540223921,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":77,"publisher":"ACM","license":[{"start":{"date-parts":[[2022,11,8]],"date-time":"2022-11-08T00:00:00Z","timestamp":1667865600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100004351","name":"Cisco","doi-asserted-by":"publisher","id":[{"id":"10.13039\/100004351","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"NSF (National Science Foundation)","doi-asserted-by":"publisher","award":["2229703"],"award-info":[{"award-number":["2229703"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2022,11,11]]},"DOI":"10.1145\/3560835.3564556","type":"proceedings-article","created":{"date-parts":[[2022,11,9]],"date-time":"2022-11-09T02:38:26Z","timestamp":1667961506000},"page":"15-24","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":36,"title":["SoK: Analysis of Software Supply Chain Security by Establishing Secure Design Properties"],"prefix":"10.1145","author":[{"given":"Chinenye","family":"Okafor","sequence":"first","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"given":"Taylor R.","family":"Schorlemmer","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"given":"Santiago","family":"Torres-Arias","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]},{"given":"James C.","family":"Davis","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, IN, USA"}]}],"member":"320","published-online":{"date-parts":[[2022,11,8]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"About code scanning. href=\"https:\/\/docs.github.com\/en\/code-security\/code-scanning\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/about-code-scanning\">https:\/\/docs.github.com\/en\/code-security\/code-scanning\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/about-code-scanning."},{"key":"e_1_3_2_1_2_1","unstructured":"Cyclonedx is sbom: Software bill of materials. href=\"https:\/\/cyclonedx.org\">https:\/\/cyclonedx.org."},{"key":"e_1_3_2_1_3_1","unstructured":"Reproducible builds. href=\"https:\/\/reproducible-builds.org\/\">https:\/\/reproducible-builds.org\/."},{"key":"e_1_3_2_1_4_1","unstructured":"Secure at every step: What is software supply chain security and why does it matter? href=\"https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/\">https:\/\/github.blog\/2020-09-02-secure-your-software-supply-chain-and-protect-against-supply-chain-threats-github-blog\/."},{"key":"e_1_3_2_1_5_1","unstructured":"Security issue: compromised npm packages of ua-parser-js (0.7.29 0.8.0 1.0.0) - questions about deprecated npm package ua-parser-js \u00b7 issue #536 \u00b7 faisalman\/ua-parser-js. href=\"https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536\">https:\/\/github.com\/faisalman\/ua-parser-js\/issues\/536."},{"key":"e_1_3_2_1_6_1","unstructured":"Software Bill of Materials. href=\"https:\/\/www.cisa.gov\/sbom\">https:\/\/www.cisa.gov\/sbom."},{"key":"e_1_3_2_1_7_1","unstructured":"The Update Framework (TUF). href=\"https:\/\/theupdateframework.github.io\/\">https:\/\/theupdateframework.github.io\/."},{"key":"e_1_3_2_1_8_1","volume-title":"Supply chain integrity model. href=\"https:\/\/github.com\/microsoft\/scim\">https:\/\/github.com\/microsoft\/scim","author":"SCIM","year":"2022","unstructured":"SCIM: Supply chain integrity model. href=\"https:\/\/github.com\/microsoft\/scim\">https:\/\/github.com\/microsoft\/scim, 2022. Accessed: 2022-09--14."},{"key":"e_1_3_2_1_9_1","unstructured":"In-toto ongoing integrations Retrieved July 30. href=\"https:\/\/in-toto.io\/integrations\/\">https:\/\/in-toto.io\/integrations\/."},{"key":"e_1_3_2_1_10_1","unstructured":"Enable dependabot by milgradesec \u00b7 pull request #4317 \u00b7 caddyserver\/caddy Retrieved July 31. href=\"https:\/\/github.com\/caddyserver\/caddy\/pull\/4317\">https:\/\/github.com\/caddyserver\/caddy\/pull\/4317."},{"key":"e_1_3_2_1_11_1","unstructured":"Catalin Cimpanu . Microsoft fireeye confirm solarwinds supply chain attack. href=\"https:\/\/www.zdnet.com\/article\/microsoft-fireeye-confirm-solarwinds-supply-chain-attack\/\">https:\/\/www.zdnet.com\/article\/microsoft-fireeye-confirm-solarwinds-supply-chain-attack\/."},{"key":"e_1_3_2_1_12_1","unstructured":"A. Cherepanov. Analysis of TeleBots' cunning backdoor. href=\"https:\/\/www.welivesecurity.com\/2017\/07\/04\/analysis-of-telebots-cunning-backdoor\">https:\/\/www.welivesecurity.com\/2017\/07\/04\/analysis-of-telebots-cunning-backdoor."},{"key":"e_1_3_2_1_14_1","unstructured":"J. M. Boyens C. Paulsen R. Moorthy and N. Bartol. Supply chain risk management practices for federal information systems and organizations. https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800--161.pdf."},{"key":"e_1_3_2_1_15_1","unstructured":"Chris Williams. How one developer just broke node babel and thousands of projects in 11 lines of javascript. href=\"https:\/\/www.theregister.com\/2016\/03\/23\/npm_left_pad_chaos\/\">https:\/\/www.theregister.com\/2016\/03\/23\/npm_left_pad_chaos\/."},{"key":"e_1_3_2_1_16_1","unstructured":"CISA. Malware discovered in popular NPM package ua-parser-js. href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2021\/10\/22\/malware-discovered-popular-npm-package-ua-parser-js\">https:\/\/www.cisa.gov\/uscert\/ncas\/current-activity\/2021\/10\/22\/malware-discovered-popular-npm-package-ua-parser-js."},{"key":"e_1_3_2_1_17_1","volume-title":"Verifiable credentials data model 1.0: Expressing verifiable information on the web. https:\/\/www. w3. org\/TR\/vc-data-model\/?# core-data-model","author":"W. W. W. Consortium et al.","year":"2019","unstructured":"W. W. W. Consortium et al. Verifiable credentials data model 1.0: Expressing verifiable information on the web. https:\/\/www. w3. org\/TR\/vc-data-model\/?# core-data-model, 2019."},{"key":"e_1_3_2_1_18_1","volume-title":"f. Cybersecurity. ENISA threat landscape for supply chain attacks. Technical report","author":"E. U.","year":"2021","unstructured":"E. U. A. f. Cybersecurity. ENISA threat landscape for supply chain attacks. Technical report, Publications Office, LU, July 2021."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_2_1_20_1","volume-title":"Jan.","author":"Dellavecchia A.","year":"2022","unstructured":"A. Dellavecchia. How a Rogue Developer Ruined Millions of Software (happened this weekend), Jan. 2022."},{"key":"e_1_3_2_1_21_1","volume-title":"Evaluating and mitigating software supply chain security risks","author":"Ellison R. J.","year":"2010","unstructured":"R. J. Ellison, J. B. Goodenough, C. B. Weinstock, and C. Woody. Evaluating and mitigating software supply chain security risks. 2010."},{"key":"e_1_3_2_1_23_1","volume-title":"Google Cloud","author":"Ensor M.","year":"2021","unstructured":"M. Ensor and D. Stevens. Shifting left on security - Securing software supply chains. Technical report, Google Cloud, Feb. 2021."},{"key":"e_1_3_2_1_24_1","unstructured":"FireEye. Highly evasive attacker leverages solarwinds supply chain to compromise multiple global victims with sunburst backdoor. href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\">https:\/\/www.fireeye.com\/blog\/threat-research\/2020\/12\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html."},{"key":"e_1_3_2_1_25_1","unstructured":"Forbes. Supply chains are in the crosshairs of cyberattacks. href=\"https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2022\/04\/27\/supply-chains-are-in-the-cyberattack-crosshairs\/'sh=24e002951808\">https:\/\/www.forbes.com\/sites\/forbestechcouncil\/2022\/04\/27\/supply-chains-are-in-the-cyberattack-crosshairs\/'sh=24e002951808."},{"key":"e_1_3_2_1_26_1","volume-title":"SLSA: Supply-chain levels for software artifacts. href=\"https:\/\/slsa.dev\">https:\/\/slsa.dev","author":"Foundation T. L.","year":"2022","unstructured":"T. L. Foundation. SLSA: Supply-chain levels for software artifacts. href=\"https:\/\/slsa.dev\">https:\/\/slsa.dev, 2022. Accessed: 2022-04--30."},{"key":"e_1_3_2_1_27_1","unstructured":"Git SCM. Signing your work. href=\"https:\/\/git-scm.com\/book\/en\/v2\/Git-Tools-Signing-Your-Work\">https:\/\/git-scm.com\/book\/en\/v2\/Git-Tools-Signing-Your-Work."},{"key":"e_1_3_2_1_28_1","unstructured":"GitHub. Best practices for securing your build system. href=\"https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/end-to-end-supply-chain\/securing-builds\">https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/end-to-end-supply-chain\/securing-builds."},{"key":"e_1_3_2_1_29_1","unstructured":"GitHub. Secure your supply chain Retrieved July 30. href=\"https:\/\/github.com\/features\/security\/software-supply-chain\">https:\/\/github.com\/features\/security\/software-supply-chain."},{"key":"e_1_3_2_1_30_1","first-page":"677","volume-title":"2020 IEEE International Conference on Software Maintenance and Evolution (ICSME)","author":"Goswami P.","unstructured":"P. Goswami, S. Gupta, Z. Li, N. Meng, and D. Yao. Investigating the reproducibility of NPM packages. In 2020 IEEE International Conference on Software Maintenance and Evolution (ICSME), pages 677--681. IEEE."},{"key":"e_1_3_2_1_31_1","volume-title":"Cloud Native Computing Foundation","author":"S. T. A. Group","year":"2021","unstructured":"S. T. A. Group. Software Supply Chain Best Practices. Technical report, Cloud Native Computing Foundation, May 2021."},{"key":"e_1_3_2_1_32_1","volume-title":"Cloud Native Computing Foundation","author":"S. T. A. Group","year":"2022","unstructured":"S. T. A. Group. The Secure Software Factory: A reference architecture to securing the software supply chain. Technical report, Cloud Native Computing Foundation, June 2022."},{"key":"e_1_3_2_1_33_1","volume-title":"Automating dependency updates in practice: An exploratory study on GitHub dependabot","author":"He R.","year":"2022","unstructured":"R. He, H. He, Y. Zhang, and M. Zhou. Automating dependency updates in practice: An exploratory study on GitHub dependabot. 2022. href=\"https:\/\/arxiv.org\/abs\/2206.07230\">https:\/\/arxiv.org\/abs\/2206.07230."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1109\/FOSE.2007.11"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/52.2014"},{"key":"e_1_3_2_1_36_1","unstructured":"International Organization for Standardization and the International Electrotechnical Commission. ISO - ISO\/IEC 27001 - information security management. href=\"https:\/\/www.iso.org\/isoiec-27001-information-security.html\">https:\/\/www.iso.org\/isoiec-27001-information-security.html."},{"key":"e_1_3_2_1_37_1","first-page":"3","article-title":"Standardization and the International Electrotechnical Commission","author":"International Organization for","year":"2024","unstructured":"International Organization for Standardization and the International Electrotechnical Commission. ISO\/IEC 20243--1:2018 - mitigating maliciously tainted and counterfeit products. href=\"https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/07\/43\/74399.html\">https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/07\/43\/74399.html.","journal-title":"ISO\/IEC"},{"key":"e_1_3_2_1_38_1","unstructured":"International Organization for Standardization and the International Electrotechnical Commission. ISO\/IEC 27002:2013- code of practice for information security controls. href=\"https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/05\/45\/54533.html\">https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/05\/45\/54533.html."},{"key":"e_1_3_2_1_39_1","unstructured":"International Organization for Standardization and the International Electrotechnical Commission. ISO\/IEC 27036--4:2016 - information security for supplier relationships. href=\"https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/05\/96\/59689.html\">https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/05\/96\/59689.html."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-53r5"},{"key":"e_1_3_2_1_41_1","unstructured":"Joint Task Force Transformation Initiative. Security and privacy controls for federal information systems and organizations. href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800--53r4.pdf\">https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800--53r4.pdf."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.1986.6312924"},{"key":"e_1_3_2_1_43_1","volume-title":"Taxonomy of Attacks on Open-Source Software Supply Chains","author":"Ladisa P.","year":"2022","unstructured":"P. Ladisa, H. Plate, M. Martinez, and O. Barais. Taxonomy of Attacks on Open-Source Software Supply Chains, 2022."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"e_1_3_2_1_46_1","volume-title":"June","author":"Martin L.","year":"2022","unstructured":"L. Martin. Cyber Kill Chain\u00ae, June 2022."},{"key":"e_1_3_2_1_47_1","volume-title":"Differential Testing for Software. 10(1):8","author":"McKeeman W. M.","year":"1998","unstructured":"W. M. McKeeman. Differential Testing for Software. 10(1):8, 1998."},{"key":"e_1_3_2_1_48_1","volume-title":"Microsoft","year":"2021","unstructured":"Microsoft. 3 ways to mitigate risk when using private package feeds. Technical report, Microsoft, Mar. 2021."},{"key":"e_1_3_2_1_49_1","unstructured":"Microsoft Security Response Center. Customer guidance on recent nation-state cyber attacks. href=\"https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/\">https:\/\/msrc-blog.microsoft.com\/2020\/12\/13\/customer-guidance-on-recent-nation-state-cyber-attacks\/."},{"key":"e_1_3_2_1_50_1","unstructured":"National Telecommunications and Information Administration. NTIA Software Component Transparency. href=\"https:\/\/www.ntia.doc.gov\/SoftwareTransparency\">https:\/\/www.ntia.doc.gov\/SoftwareTransparency."},{"key":"e_1_3_2_1_51_1","volume-title":"Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Newman Z.","year":"2021","unstructured":"Z. Newman, J. S. Meyers, and S. Torres-Arias. Sigstore: software signing for everybody. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2021."},{"key":"e_1_3_2_1_52_1","volume-title":"MITRE CORP MCLEAN VA","author":"Nissen C.","year":"2018","unstructured":"C. Nissen, J. E. Gronager, R. S. Metzger, and H. Rishikof. Deliver uncompromised: A strategy for supply chain security and resilience in response to the changing character of war. Technical report, MITRE CORP MCLEAN VA, 2018."},{"key":"e_1_3_2_1_53_1","unstructured":"NPM. Proxy. href=\"https:\/\/www.npmjs.com\/package\/proxy\">https:\/\/www.npmjs.com\/package\/proxy."},{"key":"e_1_3_2_1_54_1","unstructured":"NPM. Scope. href=\"https:\/\/docs.npmjs.com\/cli\/v8\/using-npm\/scope\">https:\/\/docs.npmjs.com\/cli\/v8\/using-npm\/scope."},{"key":"e_1_3_2_1_55_1","unstructured":"npm Docs. npm-audit. href=\"https:\/\/docs.npmjs.com\/cli\/v8\/commands\/npm-audit\/\">https:\/\/docs.npmjs.com\/cli\/v8\/commands\/npm-audit\/."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-021-09959-3"},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1007\/s12130-999-1026-0"},{"key":"e_1_3_2_1_61_1","volume-title":"Mar. 19","author":"Ronda T. J.","year":"2019","unstructured":"T. J. Ronda, P. A. Roberge, D. Barinov, M. Varley, D. A. Stark, G. H. Wolfond, A. Likic, and M. J. Page. Systems and methods for distributed identity verification, Mar. 19 2019. US Patent 10,237,259."},{"key":"e_1_3_2_1_62_1","volume-title":"Systems security engineering: considerations for a multidisciplinary approach in the engineering of trustworthy secure systems","author":"Ross R.","unstructured":"R. Ross, M. McEvilley, and J. C. Oren. Systems security engineering: considerations for a multidisciplinary approach in the engineering of trustworthy secure systems, volume 1."},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_64_1","volume-title":"C. Wohlin, T. Gorschek, and R. Feldt. Empirical evidence in global software engineering: a systematic review. Empirical software engineering, 15(1):91--118","author":"D.","year":"2010","unstructured":"D. mite, C. Wohlin, T. Gorschek, and R. Feldt. Empirical evidence in global software engineering: a systematic review. Empirical software engineering, 15(1):91--118, 2010."},{"key":"e_1_3_2_1_65_1","volume-title":"Dec.","year":"2021","unstructured":"Solarwinds. Setting the New Standard in Secure Software Development The SolarWinds Next-Generation Build System. Technical report, solarwinds, Dec. 2021."},{"key":"e_1_3_2_1_66_1","volume-title":"State of the software supply chain","year":"2021","unstructured":"Sonatype. State of the software supply chain, 2021. href=\"https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021\">https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021."},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-74512-9"},{"key":"e_1_3_2_1_68_1","volume-title":"Internet threat security report","author":"Symantec Corporation","year":"2018","unstructured":"Symantec Corporation. Internet threat security report, 2018. href=\"https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-23--2018-en.pdf\">https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-23--2018-en.pdf."},{"key":"e_1_3_2_1_69_1","volume-title":"Internet threat security report","author":"Symantec Corporation","year":"2019","unstructured":"Symantec Corporation. Internet threat security report, 2019. href=\"https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24--2019-en.pdf\">https:\/\/www.symantec.com\/content\/dam\/symantec\/docs\/reports\/istr-24--2019-en.pdf."},{"key":"e_1_3_2_1_70_1","volume-title":"July","author":"N. Telecommunications and I. Administration","year":"2021","unstructured":"N. Telecommunications and I. Administration. The Minimum Elements For a Software Bill of Materials (SBOM), July 2021. href=\"https:\/\/www.ntia.doc.gov\/report\/2021\/minimum-elements-software-bill-materials-sbom\">https:\/\/www.ntia.doc.gov\/report\/2021\/minimum-elements-software-bill-materials-sbom."},{"key":"e_1_3_2_1_71_1","unstructured":"K. Thomas J. Pullman K. Yeo A. Raghunathan P. G. Kelley L. Invernizzi B. Benko T. Pietraszek S. Patel D. Boneh and E. Bursztein. Protecting accounts from credential stuf?ng with password breach alerting. page 18."},{"key":"e_1_3_2_1_72_1","first-page":"1393","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Torres-Arias S.","year":"2019","unstructured":"S. Torres-Arias, H. Afzali, T. K. Kuppusamy, R. Curtmola, and J. Cappos. in-toto: Providing farm-to-table guarantees for bits and bytes. In 28th USENIX Security Symposium (USENIX Security 19), pages 1393--1410, Santa Clara, CA, Aug. 2019. USENIX Association."},{"key":"e_1_3_2_1_73_1","volume-title":"Proc. of the 28th USENIX Security Symposium","author":"Torres-Arias S.","year":"2019","unstructured":"S. Torres-Arias, H. Afzali, T. K. Kuppusamy, R. Curtmola, and J. Cappos. in-toto: Providing farm-to-table guarantees for bits and bytes. Proc. of the 28th USENIX Security Symposium, Aug. 2019."},{"key":"e_1_3_2_1_74_1","volume-title":"Flexible Application Compartmentalization. In Proceedings 2018 Network and Distributed System Security Symposium","author":"Vasilakis N.","year":"2018","unstructured":"N. Vasilakis, B. Karel, N. Roessler, N. Dautenhahn, A. DeHon, and J. M. Smith. BreakApp: Automated, Flexible Application Compartmentalization. In Proceedings 2018 Network and Distributed System Security Symposium, San Diego, CA, 2018. Internet Society."},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468592"},{"key":"e_1_3_2_1_76_1","volume-title":"Software engineering at google: Lessons learned from programming over time","author":"Winters T.","year":"2020","unstructured":"T. Winters, T. Manshreck, and H. Wright. Software engineering at google: Lessons learned from programming over time. O'Reilly Media, 2020."},{"key":"e_1_3_2_1_77_1","volume-title":"Proc. Oakland","author":"Wu Q.","year":"2021","unstructured":"Q. Wu and K. Lu. On the feasibility of stealthily introducing vulnerabilities in open-source software via hypocrite commits. In Proc. Oakland, 2021."},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510168"},{"key":"e_1_3_2_1_79_1","volume-title":"What are Weak Links in the npm Supply Chain?","author":"Zahan N.","year":"2022","unstructured":"N. Zahan, T. Zimmermann, P. Godefroid, B. Murphy, C. Maddila, and L. Williams. What are Weak Links in the npm Supply Chain?, 2022."},{"key":"e_1_3_2_1_80_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-022-10154-1"},{"key":"e_1_3_2_1_81_1","volume-title":"USENIX Security Symposium","author":"Zimmermann M.","year":"2019","unstructured":"M. Zimmermann, C.-A. Staicu, and M. Pradel. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. In USENIX Security Symposium, 2019."}],"event":{"name":"CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security","location":"Los Angeles CA USA","acronym":"CCS '22","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564556","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3560835.3564556","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3560835.3564556","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:49:09Z","timestamp":1750182549000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3560835.3564556"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,11,8]]},"references-count":77,"alternative-id":["10.1145\/3560835.3564556","10.1145\/3560835"],"URL":"https:\/\/doi.org\/10.1145\/3560835.3564556","relation":{},"subject":[],"published":{"date-parts":[[2022,11,8]]},"assertion":[{"value":"2022-11-08","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}