{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,7]],"date-time":"2026-05-07T11:20:47Z","timestamp":1778152847880,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":38,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,26]],"date-time":"2023-11-26T00:00:00Z","timestamp":1700956800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3605770.3625213","type":"proceedings-article","created":{"date-parts":[[2023,11,23]],"date-time":"2023-11-23T11:46:12Z","timestamp":1700739972000},"page":"29-37","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":11,"title":["Macaron: A Logic-based Framework for Software Supply Chain Security Assurance"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0006-6639-3056","authenticated-orcid":false,"given":"Behnaz","family":"Hassanshahi","sequence":"first","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-0309-4909","authenticated-orcid":false,"given":"Trong Nhan","family":"Mai","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-7316-9112","authenticated-orcid":false,"given":"Alistair","family":"Michael","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2031-3023","authenticated-orcid":false,"given":"Benjamin","family":"Selwyn-Smith","sequence":"additional","affiliation":[{"name":"Oracle 
Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-3797-1390","authenticated-orcid":false,"given":"Sophie","family":"Bates","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5905-8499","authenticated-orcid":false,"given":"Padmanabhan","family":"Krishnan","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,11,26]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.5555\/1835408.1835411"},{"key":"e_1_3_2_1_2_1","unstructured":"Census II dataset 2022. https:\/\/project.linuxfoundation.org\/hubfs\/LFResearch\/ HarvardCensusIIofFreeandOpenSourceSoftware-Report.pdf"},{"key":"e_1_3_2_1_3_1","volume-title":"Retrieved","author":"ChainBench","year":"2023","unstructured":"ChainBench 2023. Retrieved June 2023 from https:\/\/github.com\/aquasecurity\/ chain-bench"},{"key":"e_1_3_2_1_4_1","volume-title":"Center for Internet Security (CIS). Retrieved","author":"CIS","year":"2023","unstructured":"CIS 2023. Center for Internet Security (CIS). Retrieved June 2023 from https: \/\/www.cisecurity.org\/benchmark\/Software-Supply-Chain-Security"},{"key":"e_1_3_2_1_5_1","volume-title":"Retrieved","author":"Conda","year":"2023","unstructured":"Conda package and environment management system 2023. Retrieved June 2023 from https:\/\/docs.conda.io"},{"key":"e_1_3_2_1_6_1","volume-title":"Retrieved","author":"Criticality Score","year":"2022","unstructured":"Criticality Score Project 2022. Retrieved November 2022 from https:\/\/github. com\/ossf\/criticality_score"},{"key":"e_1_3_2_1_7_1","volume-title":"Retrieved","author":"DX","year":"2023","unstructured":"CycloneDX 2023. 
Retrieved June 2023 from https:\/\/cyclonedx.org\/"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"J. DeTreville. 2002. Binder a logic-based security language. (2002) 105--113. https:\/\/doi.org\/10.1109\/SECPRI.2002.1004365","DOI":"10.1109\/SECPRI.2002.1004365"},{"key":"e_1_3_2_1_9_1","volume-title":"Retrieved","year":"2023","unstructured":"ecosyste.ms 2023. Retrieved June 2023 from https:\/\/ecosyste.ms\/"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3560835.3564549"},{"key":"e_1_3_2_1_11_1","volume-title":"a WSGI web application framework","author":"Flask","year":"2023","unstructured":"Flask: a WSGI web application framework 2023. Retrieved June 2023 from https:\/\/github.com\/pallets\/flask\/releases\/tag\/2.3.2"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME46990.2020.00071"},{"key":"e_1_3_2_1_13_1","volume-title":"Graph for Understanding Artifact Composition","author":"GUAC","year":"2023","unstructured":"GUAC: Graph for Understanding Artifact Composition 2023. Retrieved June 2023 from https:\/\/github.com\/guacsec\/guac"},{"key":"e_1_3_2_1_14_1","volume-title":"Retrieved","author":"Attestation Framework","year":"2023","unstructured":"in-toto Attestation Framework 2023. Retrieved June 2023 from https:\/\/in-toto.io\/"},{"key":"e_1_3_2_1_15_1","volume-title":"testing, and delivering or deploying software","author":"Jenkins","year":"2023","unstructured":"Jenkins automation server for building, testing, and delivering or deploying software 2023. Retrieved June 2023 from https:\/\/www.jenkins.io\/"},{"key":"e_1_3_2_1_16_1","volume-title":"Retrieved","author":"Legitify","year":"2023","unstructured":"Legitify 2023. 
Retrieved June 2023 from https:\/\/github.com\/Legit-Labs\/legitify"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1016\/0022-0000(87)90027-4"},{"key":"e_1_3_2_1_18_1","volume-title":"Retrieved","author":"MarkupSafe","year":"2023","unstructured":"MarkupSafe 2023. Retrieved June 2023 from https:\/\/github.com\/pallets\/ markupsafe\/releases\/tag\/2.1.3"},{"key":"e_1_3_2_1_19_1","volume-title":"Retrieved","author":"Package Provenance","year":"2023","unstructured":"npm Package Provenance 2023. Retrieved June 2023 from https:\/\/github.blog\/ 2023-04--19-introducing-npm-package-provenance\/"},{"key":"e_1_3_2_1_20_1","volume-title":"SBOM at a Glance","author":"NTIA","year":"2023","unstructured":"NTIA: SBOM at a Glance 2023. Retrieved June 2023 from https:\/\/www.ntia.doc. gov\/files\/ntia\/publications\/sbom_at_a_glance_apr2021.pdf"},{"key":"e_1_3_2_1_21_1","volume-title":"Retrieved","author":"OSS","year":"2023","unstructured":"OSS Gadget 2023. Retrieved June 2023 from https:\/\/github.com\/microsoft\/ OSSGadget"},{"key":"e_1_3_2_1_22_1","volume-title":"Retrieved","author":"Rego","year":"2023","unstructured":"Rego policy language 2023. Retrieved June 2023 from https:\/\/www. openpolicyagent.org\/docs\/latest\/policy-language\/"},{"key":"e_1_3_2_1_23_1","volume-title":"Retrieved","author":"Rekor","year":"2023","unstructured":"Rekor 2023. Retrieved June 2023 from https:\/\/github.com\/sigstore\/rekor"},{"key":"e_1_3_2_1_24_1","volume-title":"Retrieved","author":"Scorecard","year":"2023","unstructured":"Scorecard 2023. Retrieved June 2023 from https:\/\/github.com\/ossf\/scorecard"},{"key":"e_1_3_2_1_25_1","volume-title":"The semantic versioner for npm","author":"Semver","year":"2023","unstructured":"Semver: The semantic versioner for npm 2023. Retrieved June 2023 from https:\/\/www.npmjs.com\/package\/semver\/v\/7.5.3"},{"key":"e_1_3_2_1_26_1","volume-title":"Retrieved","author":"GitHub SLSA","year":"2023","unstructured":"SLSA GitHub Generator 2023. 
Retrieved June 2023 from https:\/\/github.com\/slsaframework\/slsa-github-generator"},{"key":"e_1_3_2_1_27_1","volume-title":"Retrieved","author":"SLSA","year":"2023","unstructured":"SLSA Verifier 2023. Retrieved June 2023 from https:\/\/github.com\/slsa-framework\/ slsa-verifier"},{"key":"e_1_3_2_1_28_1","volume-title":"Retrieved","year":"2023","unstructured":"Snyk. 2023. Retrieved June 2023 from https:\/\/github.com\/snyk\/parlay"},{"key":"e_1_3_2_1_29_1","volume-title":"a logic programming language inspired by Datalog","author":"Souffl\u00e9","year":"2023","unstructured":"Souffl\u00e9: a logic programming language inspired by Datalog 2023. Retrieved June 2023 from https:\/\/souffle-lang.github.io\/"},{"key":"e_1_3_2_1_30_1","volume-title":"The Software Package Data Exchange","author":"SPDX","year":"2023","unstructured":"SPDX: The Software Package Data Exchange 2023. Retrieved June 2023 from https:\/\/spdx.dev\/"},{"key":"e_1_3_2_1_31_1","volume-title":"Retrieved","author":"Alchemy","year":"2023","unstructured":"SQLAlchemy 2023. Retrieved June 2023 from https:\/\/docs.sqlalchemy.org"},{"key":"e_1_3_2_1_32_1","volume-title":"Retrieved","author":"Lite","year":"2023","unstructured":"SQLite 2023. Retrieved June 2023 from https:\/\/www.sqlite.org"},{"key":"e_1_3_2_1_33_1","volume-title":"Retrieved","author":"Software Levels","year":"2023","unstructured":"Supply-chain Levels for Software Artifacts (SLSA) 2023. Retrieved June 2023 from https:\/\/slsa.dev"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/73721.73736"},{"key":"e_1_3_2_1_35_1","volume-title":"Vulnerability Exploitability eXchange","author":"VEX","year":"2023","unstructured":"VEX: Vulnerability Exploitability eXchange 2023. Retrieved June 2023 from https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/VEX_Use_Cases_ Document_508c.pdf"},{"key":"e_1_3_2_1_36_1","unstructured":"Duc-Ly Vu Fabio Massacci Ivan Pashchenko Henrik Plate and Antonino Sabetta. 2021. 
LastPyMile: Identifying the Discrepancy between Sources and Packages. In ESEC\/FSE."},{"key":"e_1_3_2_1_37_1","volume-title":"Secure Your Supply Chain","author":"Witness","year":"2023","unstructured":"Witness: Secure Your Supply Chain 2023. Retrieved June 2023 from https:\/\/github.com\/testifysec\/witness"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"crossref","unstructured":"David Zhao Pavle Suboti\u0107 and Bernhard Scholz. 2020. Debugging Large-scale Datalog: A Scalable Provenance Evaluation Strategy. ACM Trans. Program. Lang. Syst. (2020).","DOI":"10.1145\/3379446"}],"event":{"name":"CCS '23: ACM SIGSAC Conference on Computer and Communications Security","location":"Copenhagen Denmark","acronym":"CCS '23","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625213","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605770.3625213","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:18Z","timestamp":1750178178000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605770.3625213"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,26]]},"references-count":38,"alternative-id":["10.1145\/3605770.3625213","10.1145\/3605770"],"URL":"https:\/\/doi.org\/10.1145\/3605770.3625213","relation":{},"subject":[],"published":{"date-parts":[[2023,11,26]]},"assertion":[{"value":"2023-11-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}