{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T02:15:27Z","timestamp":1778206527698,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":132,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,2,6]],"date-time":"2024-02-06T00:00:00Z","timestamp":1707177600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-2217733"],"award-info":[{"award-number":["CCF-2217733"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,2,6]]},"DOI":"10.1145\/3597503.3623347","type":"proceedings-article","created":{"date-parts":[[2024,2,6]],"date-time":"2024-02-06T20:53:16Z","timestamp":1707252796000},"page":"1-13","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":48,"title":["BOMs Away! 
Inside the Minds of Stakeholders: A Comprehensive Study of Bills of Materials for Software Systems"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-6000-4227","authenticated-orcid":false,"given":"Trevor","family":"Stalnaker","sequence":"first","affiliation":[{"name":"College of William & Mary, Williamsburg, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-2123-7412","authenticated-orcid":false,"given":"Nathan","family":"Wintersgill","sequence":"additional","affiliation":[{"name":"College of William & Mary, Williamsburg, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2838-685X","authenticated-orcid":false,"given":"Oscar","family":"Chaparro","sequence":"additional","affiliation":[{"name":"College of William & Mary, Williamsburg, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0340-9747","authenticated-orcid":false,"given":"Massimiliano","family":"Di Penta","sequence":"additional","affiliation":[{"name":"University of Sannio, Benevento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5661-4392","authenticated-orcid":false,"given":"Daniel M","family":"German","sequence":"additional","affiliation":[{"name":"University of Victoria, Victoria, British Columbia, Canada"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5626-7586","authenticated-orcid":false,"given":"Denys","family":"Poshyvanyk","sequence":"additional","affiliation":[{"name":"William & Mary, Williamsburg, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,2,6]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"[n. d.]. CycloneDX History. 
https:\/\/cyclonedx.org\/about\/history\/."},{"key":"e_1_3_2_1_2_1","unstructured":"[n. d.]. GitOID. https:\/\/www.iana.org\/assignments\/uri-schemes\/prov\/gitoid."},{"key":"e_1_3_2_1_3_1","unstructured":"[n. d.]. OpenChain Main Mail List. https:\/\/lists.openchainproject.org\/g\/main."},{"key":"e_1_3_2_1_4_1","unstructured":"[n. d.]. OWASP. https:\/\/owasp.org\/."},{"key":"e_1_3_2_1_5_1","unstructured":"[n. d.]. Software Heritage. https:\/\/www.softwareheritage.org\/."},{"key":"e_1_3_2_1_6_1","unstructured":"[n. d.]. SPDX Overview. https:\/\/spdx.dev\/about\/."},{"key":"e_1_3_2_1_7_1","unstructured":"[n. d.]. The Linux Foundation. https:\/\/www.linuxfoundation.org\/."},{"key":"e_1_3_2_1_8_1","unstructured":"2013. SPDX Technical Team Use Cases 2.0. https:\/\/wiki.spdx.org\/view\/Technical_Team\/Use_Cases\/2.0. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_9_1","unstructured":"2016. Cybersecurity Supply Chain Risk Management. https:\/\/csrc.nist.gov\/projects\/cyber-supply-chain-risk-management"},{"key":"e_1_3_2_1_10_1","unstructured":"2021. EXECUTIVE ORDER 14028. https:\/\/www.nist.gov\/itl\/executive-order-14028-improving-nations-cybersecurity"},{"key":"e_1_3_2_1_11_1","unstructured":"2021. What is a CVE? https:\/\/www.redhat.com\/en\/topics\/security\/what-is-cve."},{"key":"e_1_3_2_1_12_1","unstructured":"2022. Annex F External repository identifiers (Normative). https:\/\/spdx.github.io\/spdx-spec\/v2.3\/external-repository-identifiers\/#f42-gitoid."},{"key":"e_1_3_2_1_13_1","unstructured":"2022. Common Platform Enumeration (CPE). https:\/\/csrc.nist.gov\/Projects\/Security-Content-Automation-Protocol\/Specifications\/cpe."},{"key":"e_1_3_2_1_14_1","unstructured":"2022. GitHub REST API documentation. https:\/\/docs.github.com\/en\/rest?apiVersion=2022-11-28. Accessed: 2023-28-03."},{"key":"e_1_3_2_1_15_1","unstructured":"2022. SBOM Drift. https:\/\/docs.anchore.com\/current\/docs\/sbom_management\/sbom_drift\/."},{"key":"e_1_3_2_1_16_1","unstructured":"2023. 
CycloneDX Specifications. https:\/\/github.com\/CycloneDX\/specification"},{"key":"e_1_3_2_1_17_1","unstructured":"2023. Introducing self-service SBOMs. https:\/\/tinyurl.com\/mt9jwcdx."},{"key":"e_1_3_2_1_18_1","unstructured":"2023. ITI. https:\/\/www.itic.org\/."},{"key":"e_1_3_2_1_19_1","unstructured":"2023. purl-spec. https:\/\/github.com\/package-url\/purl-spec."},{"key":"e_1_3_2_1_20_1","unstructured":"2023. SPDX Specifications. https:\/\/spdx.dev\/specifications\/"},{"key":"e_1_3_2_1_21_1","unstructured":"[n.d.]. About the dependency graph. https:\/\/tinyurl.com\/28r3v6e2. Accessed: 2023-28-03."},{"key":"e_1_3_2_1_22_1","unstructured":"[n.d.]. Anchore. https:\/\/anchore.com\/platform\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_23_1","unstructured":"[n.d.]. CC0 1.0 Universal (CC0 1.0) Public Domain Dedication. https:\/\/creativecommons.org\/publicdomain\/zero\/1.0\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_24_1","unstructured":"[n.d.]. Data Version Control. https:\/\/dvc.org\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_25_1","unstructured":"[n.d.]. Example of an SPDX SBOM. https:\/\/github.com\/spdx\/spdx-examples\/blob\/master\/example1\/spdx2.2\/example1.spdx."},{"key":"e_1_3_2_1_26_1","unstructured":"[n.d.]. The MIT License. https:\/\/opensource.org\/license\/mit\/."},{"key":"e_1_3_2_1_27_1","unstructured":"[n.d.]. mlflow. https:\/\/mlflow.org\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_28_1","unstructured":"[n.d.]. Qualtrics. https:\/\/www.qualtrics.com\/. Accessed: 2023-28-03."},{"key":"e_1_3_2_1_29_1","unstructured":"[n.d.]. ScanCode. https:\/\/www.nexb.com\/scancode\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_30_1","unstructured":"[n.d.]. SPDX Object Property: dataLicense. https:\/\/spdx.org\/rdf\/spdx-terms-v2.1\/objectproperties\/dataLicense___1140128580.html. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_31_1","unstructured":"[n.d.]. spdx@lists.spdx.org. https:\/\/lists.spdx.org\/g\/spdx. 
Accessed: 2023-28-03."},{"key":"e_1_3_2_1_32_1","unstructured":"[n.d.]. Specification Overview. https:\/\/cyclonedx.org\/specification\/overview\/."},{"key":"e_1_3_2_1_33_1","unstructured":"[n.d.]. Supported package ecosystems. https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/understanding-your-software-supply-chain\/about-the-dependency-graph#supported-package-ecosystems."},{"key":"e_1_3_2_1_34_1","unstructured":"[n.d.]. Using SPDX. https:\/\/spdx.dev\/resources\/use\/."},{"key":"e_1_3_2_1_35_1","unstructured":"Amy Nelson Jiewen Yao Vincent Zimmer. 2021. Traceable Firmware Bill of Materials Overview. https:\/\/tinyurl.com\/2p8ujxau."},{"key":"e_1_3_2_1_36_1","unstructured":"Andrei Costin. 2022. Securing Your Iot Device With Fboms From Devastating Cyberattacks. https:\/\/euhubs4data.eu\/blog\/securing-iot-device-with-fboms\/."},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.18278\/jcip.3.1.8"},{"key":"e_1_3_2_1_38_1","volume-title":"I Know What You Imported Last Summer: A study of security threats in the Python ecosystem. arXiv preprint arXiv:2102.06301","author":"Bagmar Aadesh","year":"2021","unstructured":"Aadesh Bagmar, Josiah Wedgwood, Dave Levin, and Jim Purtilo. 2021. I Know What You Imported Last Summer: A study of security threats in the Python ecosystem. arXiv preprint arXiv:2102.06301 (2021)."},{"key":"e_1_3_2_1_39_1","volume-title":"Challenges of Producing Software Bill Of Materials for Java. arXiv preprint arXiv:2303.11102","author":"Balliu Musard","year":"2023","unstructured":"Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, C\u00e9sar Soto-Valero, and Martin Wittlinger. 2023. Challenges of Producing Software Bill Of Materials for Java. 
arXiv preprint arXiv:2303.11102 (2023)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/2961111.2962628"},{"key":"e_1_3_2_1_41_1","volume-title":"Swapna Krishnakumar Radha, and Jarek Nabrzyski","author":"Barclay Iain","year":"2022","unstructured":"Iain Barclay, Alun Preece, Ian Taylor, Swapna Krishnakumar Radha, and Jarek Nabrzyski. 2022. Providing assurance and scrutability on shared data and machine learning models with verifiable credentials. Concurrency and Computation: Practice and Experience (2022), e6997."},{"key":"e_1_3_2_1_42_1","volume-title":"Towards traceability in data ecosystems using a bill of materials model. arXiv","author":"Barclay Iain","year":"2019","unstructured":"Iain Barclay, Alun Preece, Ian Taylor, and Dinesh Verma. 2019. Towards traceability in data ecosystems using a bill of materials model. arXiv (2019)."},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1162\/tacl_a_00041"},{"key":"e_1_3_2_1_44_1","unstructured":"\"Bill Bensing\". 2022. History of the Software Bill of Material (SBOM). https:\/\/billbensing.com\/software-supply-chain\/history-software-bill-of-material-sbom\/."},{"key":"e_1_3_2_1_45_1","unstructured":"Brian Ka Chan. 2017. Artificial Intelligence Bill of Materials (AI-BOM). https:\/\/minddata.org\/bill-of-artificial-intelligence-materials-boaim-Brian-Ka-Chan-AI."},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1038\/s41746-021-00403-w"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM55135.2022.10017736"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.29"},{"key":"e_1_3_2_1_49_1","unstructured":"Catalin Cimpanu. 2017. Ten Malicious Libraries Found on PyPI - Python Package Index. https:\/\/www.bleepingcomputer.com\/news\/security\/ten-malicious-libraries-found-on-pypi-python-package-index\/. Accessed: 2023-27-03."},{"key":"e_1_3_2_1_50_1","unstructured":"Cloud Security Alliance. 2022. 
SaaS Governance Best Practices for Cloud Customers. https:\/\/cloudsecurityalliance.org\/artifacts\/saas-governance-best-practices-for-cloud-customers\/."},{"key":"e_1_3_2_1_51_1","unstructured":"CycloneDX. [n. d.]. https:\/\/cyclonedx.org\/."},{"key":"e_1_3_2_1_52_1","unstructured":"CycloneDX. 2022. Hardware Bill of Materials (HBOM). https:\/\/github.com\/CycloneDX\/bom-examples\/tree\/master\/HBOM."},{"key":"e_1_3_2_1_53_1","unstructured":"CycloneDX. 2022. Operations Bill of Materials (OBOM). https:\/\/github.com\/CycloneDX\/bom-examples\/tree\/master\/OBOM."},{"key":"e_1_3_2_1_54_1","unstructured":"CycloneDX. 2022. Software-as-a-Service BOM (SaaSBOM). https:\/\/github.com\/CycloneDX\/bom-examples\/tree\/master\/SaaSBOM."},{"key":"e_1_3_2_1_55_1","unstructured":"CycloneDX. 2022. Software Bill of Materials (SBOM). https:\/\/github.com\/CycloneDX\/bom-examples\/tree\/master\/SBOM."},{"key":"e_1_3_2_1_56_1","unstructured":"CycloneDX. [n.d.]. Capabilities. https:\/\/cyclonedx.org\/capabilities\/."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/1806799.1806824"},{"key":"e_1_3_2_1_58_1","volume-title":"Baleigh Rae Morgan, and Ethan S Bauer.","author":"Eggers Shannon Leigh","year":"2022","unstructured":"Shannon Leigh Eggers, Drew Christensen, Tori Brooke Simon, Baleigh Rae Morgan, and Ethan S Bauer. 2022. Towards Software Bill of Materials in the Nuclear Industry. Technical Report. Idaho National Lab.(INL), Idaho Falls, ID (United States)."},{"key":"e_1_3_2_1_59_1","unstructured":"Eliot Beer. 2022. Firmware security in the spotlight after novel ransomware attacks. https:\/\/thestack.technology\/firmware-attacks-focus\/."},{"key":"e_1_3_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_2_1_61_1","unstructured":"Hugging Face. [n.d.]. Dataset Cards. https:\/\/huggingface.co\/docs\/hub\/datasets-cards. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_62_1","unstructured":"FOSSA Inc. [n. d.]. 
A Practical Guide to CycloneDX. https:\/\/fossa.com\/learn\/cyclonedx."},{"key":"e_1_3_2_1_63_1","unstructured":"FOSSA Inc. 2023. CycloneDX vs SPDX. https:\/\/www.youtube.com\/watch?v=IQledp8WccU."},{"key":"e_1_3_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.5555\/2317016.2317056"},{"key":"e_1_3_2_1_65_1","unstructured":"GAO. 2016. Federal Agencies Need to Address Aging Legacy Systems. https:\/\/www.gao.gov\/assets\/files.gao.gov\/assets\/gao-16-696t.pdf."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3458723"},{"key":"e_1_3_2_1_67_1","unstructured":"Google. 2021. Understanding the Impact of Apache Log4j Vulnerability. https:\/\/security.googleblog.com\/2021\/12\/understanding-impact-of-apache-log4j.html."},{"key":"e_1_3_2_1_68_1","volume-title":"Survey Methodology","author":"Groves Robert M.","unstructured":"Robert M. Groves, Floyd J. Jr. Fowler, Mick P. Couyper, James M. Lepkowski, Eleanor Singer, and Roger Tourangeau. 2009. Survey Methodology, 2nd edition. Wiley.","edition":"2"},{"key":"e_1_3_2_1_69_1","unstructured":"GuardRails. 2023. What is a Software Bill of Materials and Why is it Important For Security? https:\/\/www.guardrails.io\/blog\/what-is-a-software-bill-of-materials-and-why-is-it-important-for-security\/. Accessed: 2023-29-03."},{"key":"e_1_3_2_1_70_1","unstructured":"Stephen Hendrick. 2022. Software Bill of Materials (SBOM) and Cybersecurity Readiness. https:\/\/tinyurl.com\/293v3xte."},{"key":"e_1_3_2_1_71_1","unstructured":"Henk Birkholz Jessica Fitzgerald-McKay Charles Schmidt David Waltermire. 2021. Concise Software Identification Tags. https:\/\/www.ietf.org\/archive\/id\/draft-ietf-sacm-coswid-19.html."},{"key":"e_1_3_2_1_72_1","volume-title":"The dataset nutrition label: A framework to drive higher data quality standards. arXiv preprint arXiv:1805.03677","author":"Holland Sarah","year":"2018","unstructured":"Sarah Holland, Ahmed Hosny, Sarah Newman, Joshua Joseph, and Kasia Chmielinski. 2018. 
The dataset nutrition label: A framework to drive higher data quality standards. arXiv preprint arXiv:1805.03677 (2018)."},{"key":"e_1_3_2_1_73_1","unstructured":"ISO. 2021. ISO\/IEC 5962:2021 Information technology --- SPDX Specification V2.2.1. https:\/\/www.iso.org\/standard\/81870.html."},{"key":"e_1_3_2_1_74_1","unstructured":"ISO. 2023. ISO\/IEC 19770-2:2015. https:\/\/www.iso.org\/standard\/65666.html."},{"key":"e_1_3_2_1_75_1","unstructured":"Laman Jalilova. 2021. Consolidation Of Cern Accelerator Build Infrastructure. https:\/\/cds.cern.ch\/record\/2778929\/files\/Laman_Jalilova_CERN_Report.pdf."},{"key":"e_1_3_2_1_76_1","volume-title":"Accessed","author":"Jamieson Andrew","year":"2020","unstructured":"Andrew Jamieson. 2020. Quantifying Complexity: The Challenges of Supply Chain Security. https:\/\/www.eetimes.com\/quantifying-complexity-the-challenges-of-supply-chain-security\/. Accessed: March 26, 2023."},{"key":"e_1_3_2_1_77_1","volume-title":"An empirical study of pre-trained model reuse in the hugging face deep learning model registry. arXiv preprint arXiv:2303.02552","author":"Jiang Wenxin","year":"2023","unstructured":"Wenxin Jiang, Nicholas Synovic, Matt Hyatt, Taylor R Schorlemmer, Rohan Sethi, Yung-Hsiang Lu, George K Thiruvathukal, and James C Davis. 2023. An empirical study of pre-trained model reuse in the hugging face deep learning model registry. arXiv preprint arXiv:2303.02552 (2023)."},{"key":"e_1_3_2_1_78_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564547"},{"key":"e_1_3_2_1_79_1","unstructured":"John P. Mello Jr. 2022. SBOMs in the SaaS era: 5 reasons why you should consider a SaaSBOM. https:\/\/tinyurl.com\/36pe3vvh."},{"key":"e_1_3_2_1_80_1","unstructured":"Josh Bressers. 2022. Fast and Furious: Doubling Down on SBOM Drift. 
https:\/\/thenewstack.io\/fast-and-furious-doubling-down-on-sbom-drift\/."},{"key":"e_1_3_2_1_81_1","doi-asserted-by":"publisher","DOI":"10.1145\/566493.566495"},{"key":"e_1_3_2_1_82_1","doi-asserted-by":"publisher","DOI":"10.1145\/638574.638580"},{"key":"e_1_3_2_1_83_1","doi-asserted-by":"publisher","DOI":"10.1145\/511152.511155"},{"key":"e_1_3_2_1_84_1","doi-asserted-by":"publisher","DOI":"10.1145\/571681.571686"},{"key":"e_1_3_2_1_85_1","doi-asserted-by":"publisher","DOI":"10.1145\/638750.638758"},{"key":"e_1_3_2_1_86_1","unstructured":"Ravie Lakshmanan. [n. d.]. Researchers Uncover 29 Malicious PyPI Packages Targeted Developers with W4SP Stealer. https:\/\/thehackernews.com\/2022\/11\/researchers-uncover-29-malicious-pypi.html. Accessed: 2023-03-27."},{"key":"e_1_3_2_1_87_1","unstructured":"Ravie Lakshmanan. 2021. Extremely Critical Log4J Vulnerability Leaves Much of the Internet at Risk. https:\/\/thehackernews.com\/2021\/12\/extremely-critical-log4j-vulnerability.html. Accessed: 2022-05-12."},{"key":"e_1_3_2_1_88_1","unstructured":"Ravie Lakshmanan. 2022. Malicious NPM Package Caught Mimicking Material Tailwind CSS Package. https:\/\/thehackernews.com\/2022\/09\/malicious-npm-package-caught-mimicking.html. Accessed: 2023-03-27."},{"key":"e_1_3_2_1_89_1","unstructured":"Ravie Lakshmanan. 2022. Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys. https:\/\/thehackernews.com\/2022\/06\/multiple-backdoored-python-libraries.html. Accessed: 2023-03-27."},{"key":"e_1_3_2_1_90_1","unstructured":"Ravie Lakshmanan. 2022. Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File. https:\/\/thehackernews.com\/2022\/11\/researchers-uncover-pypi-package-hiding.html. Accessed: 2023-03-27."},{"key":"e_1_3_2_1_91_1","volume-title":"20th International TrustCom. IEEE, 606--613","author":"Liang Genpei","year":"2021","unstructured":"Genpei Liang, Xiangyu Zhou, Qingyu Wang, Yutong Du, and Cheng Huang. 2021. 
Malicious Packages Lurking in User-Friendly Python Package Index. In 2021 IEEE 20th International TrustCom. IEEE, 606--613."},{"key":"e_1_3_2_1_92_1","unstructured":"Everist Limaj Edward Bernroider and Maria Ivanova. 2020. Facing Legacy Information System Modernization in Scaling Agility in the Banking Industry: Preliminary Insights on Strategies and Non-technical Barriers. (2020)."},{"key":"e_1_3_2_1_93_1","unstructured":"Lu Lin et al. 2023. Generating Software Bill of Material for Vulnerability Management and License Compliance. (2023)."},{"key":"e_1_3_2_1_94_1","doi-asserted-by":"publisher","DOI":"10.1109\/SSS47320.2020.9174365"},{"key":"e_1_3_2_1_95_1","volume-title":"Sprague","author":"Miller Jeffrey G.","year":"1975","unstructured":"Jeffrey G. Miller and Linda G. Sprague. 1975. Behind the Growth in Materials Requirements Planning. https:\/\/hbr.org\/1975\/09\/behind-the-growth-in-materials-requirements-planning. Harvard Business Review (1975)."},{"key":"e_1_3_2_1_96_1","doi-asserted-by":"publisher","DOI":"10.1145\/3287560.3287596"},{"key":"e_1_3_2_1_97_1","unstructured":"NIST. 2021. CVE-2021-44228. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-44228."},{"key":"e_1_3_2_1_98_1","unstructured":"NTIA. 2019. Framing Software Component Transparency: Establishing a Common Software Bill of Material (SBOM). https:\/\/tinyurl.com\/ya978te4."},{"key":"e_1_3_2_1_99_1","unstructured":"NTIA. 2019. Roles and Benefits for SBOM Across the Supply Chain. https:\/\/ntia.gov\/files\/ntia\/publications\/ntia_sbom_use_cases_roles_benefits-nov2019.pdf."},{"key":"e_1_3_2_1_100_1","unstructured":"NTIA. 2021. SBOM at a Glance. https:\/\/tinyurl.com\/txyvbhfu."},{"key":"e_1_3_2_1_101_1","unstructured":"NTIA. 2021. SBOM Myths vs. Facts. https:\/\/tinyurl.com\/57rvensd"},{"key":"e_1_3_2_1_102_1","unstructured":"NTIA. 2021. SBOM Tool Classification Taxonomy. 
https:\/\/ntia.gov\/files\/ntia\/publications\/ntia_sbom_tooling_taxonomy-2021mar30.pdf."},{"key":"e_1_3_2_1_103_1","unstructured":"NTIA. 2021. Sharing and Exchanging SBOMs. https:\/\/www.ntia.gov\/files\/ntia\/publications\/ntia_sbom_sharing_exchanging_sboms-10feb2021.pdf."},{"key":"e_1_3_2_1_104_1","unstructured":"NTIA. 2021. Software Bill of Materials Elements and Considerations. https:\/\/ntia.gov\/sites\/default\/files\/publications\/uscc_-_2021.06.17_0.pdf."},{"key":"e_1_3_2_1_105_1","unstructured":"NTIA. 2021. Survey of Existing SBOM Formats and Standards. https:\/\/www.ntia.gov\/files\/ntia\/publications\/sbom_formats_survey-version-2021.pdf"},{"key":"e_1_3_2_1_106_1","unstructured":"Phil Odence. 2023. Why you should use SPDX for security. https:\/\/www.linux.com\/featured\/why-you-should-use-spdx-for-security\/."},{"key":"e_1_3_2_1_107_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_108_1","unstructured":"OpenAI. 2022. Introducing ChatGPT. https:\/\/openai.com\/blog\/chatgpt."},{"key":"e_1_3_2_1_109_1","unstructured":"OpenSSF. 2022. Securing Critical Projects Workgroup: List of Projects Identified as 'Critical'. https:\/\/tinyurl.com\/sxpeasey."},{"key":"e_1_3_2_1_110_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2021.3051235"},{"key":"e_1_3_2_1_111_1","doi-asserted-by":"publisher","DOI":"10.1145\/505532.505535"},{"key":"e_1_3_2_1_112_1","unstructured":"Martin Pratoussy. 2022. Estab of a new workflow to manage software vulns. https:\/\/cds.cern.ch\/record\/2826626\/files\/Report-PRATOUSSY_Martin.pdf."},{"key":"e_1_3_2_1_113_1","volume-title":"Robust speech recognition via large-scale weak supervision. arXiv preprint arXiv:2212.04356","author":"Radford Alec","year":"2022","unstructured":"Alec Radford, JongWook Kim, Tao Xu, Greg Brockman, Christine McLeavey, and Ilya Sutskever. 2022. Robust speech recognition via large-scale weak supervision. 
arXiv preprint arXiv:2212.04356 (2022)."},{"key":"e_1_3_2_1_114_1","unstructured":"Rezilion. 2022. Dynamic SBOM: A Comprehensive Guide. https:\/\/www.rezilion.com\/blog\/dynamic-sbom-a-comprehensive-guide\/."},{"key":"e_1_3_2_1_115_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-13-7099-1_5"},{"key":"e_1_3_2_1_116_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09828-5"},{"key":"e_1_3_2_1_117_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-188X(90)90044-I"},{"key":"e_1_3_2_1_118_1","unstructured":"Ryan Naraine. 2022. Big Tech Vendors Object to US Gov SBOM Mandate. https:\/\/www.securityweek.com\/big-tech-vendors-object-us-gov-sbom-mandate\/."},{"key":"e_1_3_2_1_119_1","volume-title":"Practical Automated Detection of Malicious npm Packages. arXiv preprint arXiv:2202.13953","author":"Sejfia Adriana","year":"2022","unstructured":"Adriana Sejfia and Max Sch\u00e4fer. 2022. Practical Automated Detection of Malicious npm Packages. arXiv preprint arXiv:2202.13953 (2022)."},{"key":"e_1_3_2_1_120_1","unstructured":"Neil Sheppard. 2023. SBOMs (Software Bill of Materials): Why Do They Matter? https:\/\/www.leanix.net\/en\/blog\/sboms-matter"},{"key":"e_1_3_2_1_121_1","unstructured":"Donna Spencer. 2009. Card sorting: Designing usable categories. Rosenfeld Media."},{"key":"e_1_3_2_1_122_1","unstructured":"Trevor Stalnaker, Nathan Wintersgill, Oscar Chaparro, Massimiliano Di Penta, Daniel M German, and Denys Poshyvanyk. 2023. Online replication package. https:\/\/github.com\/TStalnaker44\/boms_away_study."},{"key":"e_1_3_2_1_123_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510199"},{"key":"e_1_3_2_1_124_1","doi-asserted-by":"publisher","DOI":"10.1145\/3551349.3560432"},{"key":"e_1_3_2_1_125_1","unstructured":"Ann R. Thryft. [n. d.]. The Challenges of Securing the Open Source Supply Chain. 
https:\/\/tinyurl.com\/yvsfdxd9"},{"key":"e_1_3_2_1_126_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180209"},{"key":"e_1_3_2_1_127_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-016-9438-4"},{"key":"e_1_3_2_1_128_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2015.32"},{"key":"e_1_3_2_1_129_1","volume-title":"An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. arXiv preprint arXiv:2301.05362","author":"Xia Boming","year":"2023","unstructured":"Boming Xia, Tingting Bi, Zhenchang Xing, Qinghua Lu, and Liming Zhu. 2023. An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. arXiv preprint arXiv:2301.05362 (2023)."},{"key":"e_1_3_2_1_130_1","unstructured":"Henry Young. [n. d.]. SBOMs: Considerable Progress But Not Yet Ready for Codification. https:\/\/tinyurl.com\/y2xzxs8m."},{"key":"e_1_3_2_1_131_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3237100"},{"key":"e_1_3_2_1_132_1","volume-title":"What are Weak Links in the npm Supply Chain? arXiv preprint arXiv:2112.10165","author":"Zahan Nusrat","year":"2021","unstructured":"Nusrat Zahan, Laurie Williams, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, and Chandra Maddila. 2021. What are Weak Links in the npm Supply Chain? 
arXiv preprint arXiv:2112.10165 (2021)."}],"event":{"name":"ICSE '24: IEEE\/ACM 46th International Conference on Software Engineering","location":"Lisbon Portugal","acronym":"ICSE '24","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS","Faculty of Engineering of University of Porto"]},"container-title":["Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3597503.3623347","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3597503.3623347","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3597503.3623347","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T22:49:11Z","timestamp":1750286951000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3597503.3623347"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,6]]},"references-count":132,"alternative-id":["10.1145\/3597503.3623347","10.1145\/3597503"],"URL":"https:\/\/doi.org\/10.1145\/3597503.3623347","relation":{},"subject":[],"published":{"date-parts":[[2024,2,6]]},"assertion":[{"value":"2024-02-06","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}