{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,11]],"date-time":"2026-04-11T02:13:17Z","timestamp":1775873597627,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":68,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T00:00:00Z","timestamp":1701302400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Academic Research Fund Tier 3","award":["MOET32020-0004"],"award-info":[{"award-number":["MOET32020-0004"]}]},{"name":"National Cybersecurity R&D Programme","award":["NCRP25-P04-TAICeN"],"award-info":[{"award-number":["NCRP25-P04-TAICeN"]}]},{"name":"National Research Foundation, Singapore","award":[""],"award-info":[{"award-number":[""]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,11,30]]},"DOI":"10.1145\/3611643.3616299","type":"proceedings-article","created":{"date-parts":[[2023,11,30]],"date-time":"2023-11-30T23:14:38Z","timestamp":1701386078000},"page":"960-972","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":24,"title":["Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-9832-8948","authenticated-orcid":false,"given":"Lida","family":"Zhao","sequence":"first","affiliation":[{"name":"Singapore Management University, Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9477-4100","authenticated-orcid":false,"given":"Sen","family":"Chen","sequence":"additional","affiliation":[{"name":"Tianjin University, Tianjin, 
China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8390-7518","authenticated-orcid":false,"given":"Zhengzi","family":"Xu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1175-2753","authenticated-orcid":false,"given":"Chengwei","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3087-9645","authenticated-orcid":false,"given":"Lyuye","family":"Zhang","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6758-4635","authenticated-orcid":false,"given":"Jiahui","family":"Wu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3545-1392","authenticated-orcid":false,"given":"Jun","family":"Sun","sequence":"additional","affiliation":[{"name":"Singapore Management University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"Nanyang Technological University, Singapore, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2023,11,30]]},"reference":[{"key":"e_1_3_2_2_1_1","unstructured":"2021. Google Online Security Blog: Understanding the Impact of Apache Log4j Vulnerability. https:\/\/security.googleblog.com\/2021\/12\/understanding-impact-of-apache-log4j.html"},{"key":"e_1_3_2_2_2_1","unstructured":"2021. Maven Pom Descriptor Reference documentation. https:\/\/maven.apache.org\/ref\/3.8.5\/maven-model\/maven.html"},{"key":"e_1_3_2_2_3_1","unstructured":"2021. OWASP Dependency-Check Project - OWASP. https:\/\/owasp.org\/www-project-dependency-check\/"},{"key":"e_1_3_2_2_4_1","unstructured":"2021. 
Software dependencies: How to manage dependencies at scale | Why you should manage open source dependencies. https:\/\/snyk.io\/series\/open-source-security\/software-dependencies\/#managing-open-source-dependencies"},{"key":"e_1_3_2_2_5_1","unstructured":"2022. Component Analysis OWASP Foundation. https:\/\/owasp.org\/www-community\/Component_Analysis"},{"key":"e_1_3_2_2_6_1","unstructured":"2022. Eclipse Steady. https:\/\/github.com\/eclipse\/steady"},{"key":"e_1_3_2_2_7_1","unstructured":"2022. Java build tools comparison. https:\/\/www.jrebel.com\/blog\/java-build-tools-comparison"},{"key":"e_1_3_2_2_8_1","unstructured":"2022. Sonatype OSS Index. https:\/\/ossindex.sonatype.org\/"},{"key":"e_1_3_2_2_9_1","unstructured":"2022. WhiteSource - Open Source Security and License Management. https:\/\/www.whitesourcesoftware.com\/"},{"key":"e_1_3_2_2_10_1","unstructured":"2023. About alerts for vulnerable dependencies - GitHub Docs. https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/managing-vulnerabilities-in-your-projects-dependencies\/about-alerts-for-vulnerable-dependencies"},{"key":"e_1_3_2_2_11_1","unstructured":"2023. About code scanning - GitHub Docs. https:\/\/docs.github.com\/en\/code-security\/code-scanning\/automatically-scanning-your-code-for-vulnerabilities-and-errors\/about-code-scanning#about-code-scanning"},{"key":"e_1_3_2_2_12_1","unstructured":"2023. Apache Maven Assembly Plugin. https:\/\/maven.apache.org\/plugins\/maven-assembly-plugin\/examples\/multimodule\/module-binary-inclusion-simple.html"},{"key":"e_1_3_2_2_13_1","unstructured":"2023. Apache Maven Shade Plugin. https:\/\/maven.apache.org\/plugins\/maven-shade-plugin\/examples\/attached-artifact.html"},{"key":"e_1_3_2_2_14_1","unstructured":"2023. Assembly Descriptor. https:\/\/maven.apache.org\/plugins\/maven-assembly-plugin\/assembly.html"},{"key":"e_1_3_2_2_15_1","unstructured":"2023. Black Duck Software Composition Analysis (SCA) - Synopsys. 
https:\/\/www.synopsys.com\/software-integrity\/security-testing\/software-composition-analysis.html"},{"key":"e_1_3_2_2_16_1","unstructured":"2023. Cargo. https:\/\/cargo.site\/"},{"key":"e_1_3_2_2_17_1","first-page":"2022","volume-title":"CVE 2022 25647","unstructured":"2023. CVE 2022 25647. https:\/\/www.cve.org\/CVERecord?id=CVE-2022-25647"},{"key":"e_1_3_2_2_18_1","unstructured":"2023. CycloneDX Use Cases. https:\/\/cyclonedx.org\/use-cases\/#external-references"},{"key":"e_1_3_2_2_19_1","unstructured":"2023. Data Website. https:\/\/sites.google.com\/view\/fse2023scastudy"},{"key":"e_1_3_2_2_20_1","unstructured":"2023. eclipse IDE for Java Developers. https:\/\/www.eclipse.org\/downloads\/packages\/release\/kepler\/sr1\/eclipse-ide-java-developers"},{"key":"e_1_3_2_2_21_1","unstructured":"2023. Gitee. https:\/\/gitee.com\/"},{"key":"e_1_3_2_2_22_1","unstructured":"2023. GitHub. https:\/\/github.com\/"},{"key":"e_1_3_2_2_23_1","unstructured":"2023. github\/advisory-database - GitHub. https:\/\/github.com\/github\/advisory-database"},{"key":"e_1_3_2_2_24_1","unstructured":"2023. IDEA JetBrains. https:\/\/www.jetbrains.com\/idea\/"},{"key":"e_1_3_2_2_25_1","unstructured":"2023. Incomplete fix for Apache Log4j vulnerability. https:\/\/deps.dev\/advisory\/GHSA\/GHSA-7rjr-3q55-vv33"},{"key":"e_1_3_2_2_26_1","unstructured":"2023. Introducing open source security runtime monitoring. https:\/\/snyk.io\/blog\/introducing-open-source-security-runtime-monitoring\/"},{"key":"e_1_3_2_2_27_1","unstructured":"2023. Log4j \u2013 Apache Log4j 2. https:\/\/logging.apache.org\/log4j\/2.x\/"},{"key":"e_1_3_2_2_28_1","unstructured":"2023. Maven Dependency Tree Plugin. https:\/\/maven.apache.org\/plugins\/maven-dependency-plugin\/tree-mojo.html"},{"key":"e_1_3_2_2_29_1","unstructured":"2023. Maven Repository: Search\/Browse\/Explore. https:\/\/mvnrepository.com\/"},{"key":"e_1_3_2_2_30_1","unstructured":"2023. Maven \u2013 Introduction to the Dependency Mechanism. 
https:\/\/maven.apache.org\/guides\/introduction\/introduction-to-dependency-mechanism.html"},{"key":"e_1_3_2_2_31_1","unstructured":"2023. Maven \u2013 Introduction to the Dependency Mechanism. https:\/\/maven.apache.org\/guides\/introduction\/introduction-to-dependency-mechanism.html"},{"key":"e_1_3_2_2_32_1","unstructured":"2023. NPM - Peer Dependencies. https:\/\/nodejs.org\/es\/blog\/npm\/peer-dependencies\/"},{"key":"e_1_3_2_2_33_1","unstructured":"2023. NVD - Vulnerabilities. https:\/\/nvd.nist.gov\/vuln"},{"key":"e_1_3_2_2_34_1","unstructured":"2023. OSV - A distributed vulnerability database for Open Source. https:\/\/osv.dev\/"},{"key":"e_1_3_2_2_35_1","unstructured":"2023. OSV-Scanner. https:\/\/github.com\/google\/osv-scanner"},{"key":"e_1_3_2_2_36_1","unstructured":"2023. Overview | Software composition analysis. https:\/\/en.wikipedia.org\/wiki\/Software_composition_analysis"},{"key":"e_1_3_2_2_37_1","unstructured":"2023. Plugins Supported By The Maven Project. https:\/\/maven.apache.org\/plugins\/index.html"},{"key":"e_1_3_2_2_38_1","unstructured":"2023. Registry for Node Package Manager. https:\/\/www.npmjs.com\/"},{"key":"e_1_3_2_2_39_1","unstructured":"2023. Remote code injection in Log4j. https:\/\/deps.dev\/advisory\/GHSA\/GHSA-jfh8-c2jp-5v3q"},{"key":"e_1_3_2_2_40_1","unstructured":"2023. REST API - The Central Repository Documentation. https:\/\/central.sonatype.org\/search\/rest-api-guide\/"},{"key":"e_1_3_2_2_41_1","unstructured":"2023. Snippet Information - specification v2.2.2. https:\/\/spdx.github.io\/spdx-spec\/v2.2.2\/snippet-information\/"},{"key":"e_1_3_2_2_42_1","unstructured":"2023. Snyk - Developer security - Develop fast. Stay secure.. https:\/\/snyk.io\/"},{"key":"e_1_3_2_2_43_1","unstructured":"2023. Software composition analysis for vulnerability detection: An empirical study on Java projects. https:\/\/sites.google.com\/view\/fse2023scastudy"},{"key":"e_1_3_2_2_44_1","unstructured":"2023. What Is a Test Environment? 
A Guide to Managing Your Testing. https:\/\/www.testim.io\/blog\/test-environment-guide\/"},{"key":"e_1_3_2_2_45_1","unstructured":"2023. Your Partner in Open Source - Debricked. https:\/\/debricked.com\/"},{"key":"e_1_3_2_2_46_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2017.15"},{"key":"e_1_3_2_2_47_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3125270"},{"key":"e_1_3_2_2_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3101739"},{"key":"e_1_3_2_2_49_1","unstructured":"Steven J Hutchison. 2013. Shift Left!-Test Earlier in the Life Cycle. Defense AT&L Magazine 35\u201339. http:\/\/www.gao.gov\/"},{"key":"e_1_3_2_2_50_1","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3475769"},{"key":"e_1_3_2_2_51_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"e_1_3_2_2_52_1","doi-asserted-by":"publisher","DOI":"10.1145\/3133908"},{"key":"e_1_3_2_2_53_1","unstructured":"Department of Defense (DoD) Chief Information Officer. 2019. DoD Enterprise DevSecOps Reference Design."},{"key":"e_1_3_2_2_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3025443"},{"key":"e_1_3_2_2_55_1","unstructured":"Christina Paule Thomas D\u00fcllmann and Andreas Falk. 2018. Securing DevOps-Detection of vulnerabilities in CD pipelines. 77\u201378."},{"key":"e_1_3_2_2_56_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2015.7332492"},{"key":"e_1_3_2_2_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00054"},{"key":"e_1_3_2_2_58_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-020-09830-x"},{"key":"e_1_3_2_2_59_1","doi-asserted-by":"crossref","unstructured":"Serena E Ponta Henrik Plate Antonino Sabetta Michele Bezzi and C\u00e9dric Dangremont. 2019. A manually-curated dataset of fixes to vulnerabilities of open-source software. Mining Software Repositories (MSR). 
ieeexplore.ieee.org https:\/\/ieeexplore.ieee.org\/abstract\/document\/8816802\/","DOI":"10.1109\/MSR.2019.00064"},{"key":"e_1_3_2_2_60_1","doi-asserted-by":"publisher","unstructured":"G. Shobha Ajay Rana Vineet Kansal and Sarvesh Tanwar. 2021. Code Clone Detection\u2014A Systematic Review. 645\u2013655. https:\/\/doi.org\/10.1007\/978-981-33-4367-2_61 10.1007\/978-981-33-4367-2_61","DOI":"10.1007\/978-981-33-4367-2_61"},{"key":"e_1_3_2_2_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/3236024.3236056"},{"key":"e_1_3_2_2_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3057767"},{"key":"e_1_3_2_2_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00083"},{"key":"e_1_3_2_2_64_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00150"},{"key":"e_1_3_2_2_65_1","doi-asserted-by":"publisher","unstructured":"Xian Zhan Lingling Fan Tianming Liu Sen Chen Li Li Haoyu Wang Yifei Xu Xiapu Luo and Yang Liu. 2020. Automated Third-Party Library Detection for Android Applications: Are We There Yet? 
isbn:9781450367684 https:\/\/doi.org\/10.1145\/3324884.3416582 10.1145\/3324884.3416582","DOI":"10.1145\/3324884.3416582"},{"key":"e_1_3_2_2_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2021.3114381"},{"key":"e_1_3_2_2_67_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE56229.2023.00058"},{"key":"e_1_3_2_2_68_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00212"}],"event":{"name":"ESEC\/FSE '23: 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","location":"San Francisco CA USA","acronym":"ESEC\/FSE '23","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616299","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3611643.3616299","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:04Z","timestamp":1750178164000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3611643.3616299"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,30]]},"references-count":68,"alternative-id":["10.1145\/3611643.3616299","10.1145\/3611643"],"URL":"https:\/\/doi.org\/10.1145\/3611643.3616299","relation":{},"subject":[],"published":{"date-parts":[[2023,11,30]]},"assertion":[{"value":"2023-11-30","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}