{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,18]],"date-time":"2026-01-18T14:39:49Z","timestamp":1768747189812,"version":"3.49.0"},"reference-count":85,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,12,22]],"date-time":"2023-12-22T00:00:00Z","timestamp":1703203200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2024,2,29]]},"abstract":"Vulnerable third-party libraries pose significant threats to software applications that reuse these libraries. At an industry scale of reuse, manual analysis of third-party library vulnerabilities can be easily overwhelmed by the sheer number of vulnerabilities continually collected from diverse sources for thousands of reused libraries. Our study of four large-scale, actively maintained vulnerability databases (NVD, IBM X-Force, ExploitDB, and Openwall) reveals the wide presence of information discrepancies, in terms of seven vulnerability aspects, i.e., product, version, component, vulnerability type, root cause, attack vector, and impact, between the reports for the same vulnerability from heterogeneous sources. It would be beneficial to integrate and cross-validate multi-source vulnerability information, but it demands automatic aspect extraction and aspect discrepancy detection. In this work, we experimented with a wide range of NLP methods to extract named entities (e.g., product) and free-form phrases (e.g., root cause) from textual vulnerability reports and to detect semantically different aspect mentions between the reports. Our experiments confirm the feasibility of applying NLP methods to automate aspect-level vulnerability analysis and identify the need for domain customization of general NLP methods. Based on our findings, we propose a discrepancy-aware, aspect-level vulnerability knowledge graph and a KG-based web portal that integrates diversified vulnerability key aspect information from heterogeneous vulnerability databases. Our conducted user study proves the usefulness of our web portal. Our study opens the door to new types of vulnerability integration and management, such as vulnerability portraits of a product and explainable prediction of silent vulnerabilities.<\/jats:p>","DOI":"10.1145\/3624734","type":"journal-article","created":{"date-parts":[[2023,10,16]],"date-time":"2023-10-16T21:30:07Z","timestamp":1697491807000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":9,"title":["Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods"],"prefix":"10.1145","volume":"33","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5212-7068","authenticated-orcid":false,"given":"Jiamou","family":"Sun","sequence":"first","affiliation":[{"name":"CSIRO, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7663-1421","authenticated-orcid":false,"given":"Zhenchang","family":"Xing","sequence":"additional","affiliation":[{"name":"CSIRO & Australian National University, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6302-3256","authenticated-orcid":false,"given":"Xin","family":"Xia","sequence":"additional","affiliation":[{"name":"Huawei, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7783-5183","authenticated-orcid":false,"given":"Qinghua","family":"Lu","sequence":"additional","affiliation":[{"name":"CSIRO, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2273-1862","authenticated-orcid":false,"given":"Xiwei","family":"Xu","sequence":"additional","affiliation":[{"name":"CSIRO, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5839-3765","authenticated-orcid":false,"given":"Liming","family":"Zhu","sequence":"additional","affiliation":[{"name":"CSIRO & University of New South Wales, Australia"}]}],"member":"320","published-online":{"date-parts":[[2023,12,22]]},"reference":[{"key":"e_1_3_2_2_2","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Abubakar Muhammad","year":"2021","unstructured":"Muhammad Abubakar, Adil Ahmad, Pedro Fonseca, and Dongyan Xu. 2021. SHARD: Fine-grained kernel specialization with context-aware hardening. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Vancouver, B.C."},{"key":"e_1_3_2_3_2","article-title":"Utilizing data from cvedetails.com, I created this graph to easily compare the amount of AMD and Intel vulnerabilities","year":"2020","unstructured":"Anonymous. 2020. Utilizing data from cvedetails.com, I created this graph to easily compare the amount of AMD and Intel vulnerabilities. https:\/\/www.reddit.com\/r\/Amd\/comments\/ek6m1q\/utilizing_data_from_cvedetailscom_i_created_this\/. Accessed: 2022-06-17.","journal-title":"https:\/\/www.reddit.com\/r\/Amd\/comments\/ek6m1q\/utilizing_data_from_cvedetailscom_i_created_this\/"},{"key":"e_1_3_2_4_2","doi-asserted-by":"crossref","unstructured":"Afsah Anwar Ahmed Abusnaina Songqing Chen Frank Li and David Mohaisen. 2021. Cleaning the NVD: Compre-hensive quality assessment improvements and analyses. In 19th Transactions on Dependable and Secure Computing .","DOI":"10.1109\/TDSC.2021.3125270"},{"key":"e_1_3_2_5_2","unstructured":"Apple Support. 2020. https:\/\/support.apple.com\/en-us\/HT209106. Accessed: 2020-12-31."},{"key":"e_1_3_2_6_2","first-page":"186","volume-title":"26th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 17)","author":"Biswas Priyam","year":"2017","unstructured":"Priyam Biswas, Alessandro Di Federico, Scott A. Carr, Prabhu Rajasekaran, Stijn Volckaert, Yeoul Na, Michael Franz, and Mathias Payer. 2017. Venerable variadic vulnerabilities vanquished. In 26th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 17). 186\u2013198."},{"key":"e_1_3_2_7_2","article-title":"CERT advisory CA-91:21","author":"Center CERT Coordination","year":"1991","unstructured":"CERT Coordination Center. 1991. CERT advisory CA-91:21. Published electronically athttp:\/\/www.cert.org\/advisories\/CA-1991-21.html","journal-title":"Published electronically athttp:\/\/www.cert.org\/advisories\/CA-1991-21.html"},{"key":"e_1_3_2_8_2","unstructured":"CERT Coordination Center Vulnerability Notes Database. 2020. https:\/\/www.kb.cert.org\/vuls\/. Accessed: 2020-12-31."},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/JCSSE.2019.8864166"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.1145\/3451471.3451508"},{"key":"e_1_3_2_11_2","unstructured":"Common Vulnerabilities and Exposures. 2020. https:\/\/cve.mitre.org\/index.html. Accessed: 2020-12-31."},{"key":"e_1_3_2_12_2","unstructured":"Common Weakness Enumeration. 2020. https:\/\/cwe.mitre.org\/. Accessed: 2020-12-31."},{"key":"e_1_3_2_13_2","unstructured":"Community Attestation Service. 2022. https:\/\/cas.codenotary.com\/#sbom. Accessed: 2022-03-31."},{"key":"e_1_3_2_14_2","unstructured":"CVE Details. 2023. https:\/\/www.cvedetails.com\/. Accessed: 2023-05-25."},{"key":"e_1_3_2_15_2","unstructured":"CVE Numbering Authorities. 2023. https:\/\/www.cve.org\/ProgramOrganization\/CNAs. Accessed: 2023-05-25."},{"key":"e_1_3_2_16_2","unstructured":"CVE Request Template. 2020. http:\/\/cveproject.github.io\/docs\/content\/key-details-phrasing.pdf. Accessed: 2020-12-31."},{"key":"e_1_3_2_17_2","article-title":"Industrial Control Systems","author":"Agency Cybersecurity and Infrastructure Security","year":"2021","unstructured":"Cybersecurity and Infrastructure Security Agency. 2021. Industrial Control Systems. https:\/\/us-cert.cisa.gov\/ics. Accessed: 2020-12-31.","journal-title":"https:\/\/us-cert.cisa.gov\/ics"},{"key":"e_1_3_2_18_2","unstructured":"Dependabot. 2022. https:\/\/github.com\/dependabot\/dependabot-core. Accessed: 2022-03-31."},{"key":"e_1_3_2_19_2","first-page":"4171","volume-title":"Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers)","author":"Devlin Jacob","year":"2019","unstructured":"Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. 2019. BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers). Association for Computational Linguistics, 4171\u20134186."},{"key":"e_1_3_2_20_2","first-page":"869","volume-title":"28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19)","author":"Dong Ying","year":"2019","unstructured":"Ying Dong, Wenbo Guo, Yueqi Chen, Xinyu Xing, Yuqing Zhang, and Gang Wang. 2019. Towards the detection of inconsistencies in public security vulnerability reports. In 28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19). 869\u2013885."},{"key":"e_1_3_2_21_2","unstructured":"ElementTree. 2022. https:\/\/docs.python.org\/3\/library\/xml.etree.elementtree.html. Accessed: 2022-06-17."},{"key":"e_1_3_2_22_2","unstructured":"Exploit Database. 2020. https:\/\/www.exploit-db.com\/. Accessed: 2020-12-31."},{"key":"e_1_3_2_23_2","first-page":"887","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Feng Xuan","year":"2019","unstructured":"Xuan Feng, Xiaojing Liao, XiaoFeng Wang, Haining Wang, Qiang Li, Kai Yang, Hongsong Zhu, and Limin Sun. 2019. Understanding and securing device vulnerabilities through automated bug report analysis. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 887\u2013903."},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-021-00072-y"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2016.24"},{"key":"e_1_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICECCS.2019.00011"},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/3498537"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.52"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-C.2017.114"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3468264.3468571"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D15-1162"},{"key":"e_1_3_2_32_2","unstructured":"IBM X-Force. 2020. https:\/\/exchange.xforce.ibmcloud.com\/activity\/list?filter=Vulnerabilities. Accessed: 2020-12-31."},{"key":"e_1_3_2_33_2","article-title":"Online database x-force","author":"Services Internet Security","year":"1999","unstructured":"Internet Security Services. 1999. Online database x-force. Published electronically athttp:\/\/xforce.iss.net\/","journal-title":"Published electronically athttp:\/\/xforce.iss.net\/"},{"key":"e_1_3_2_34_2","unstructured":"Kaspersky. 2023. https:\/\/www.kaspersky.com.au\/. Accessed: 2023-05-25."},{"key":"e_1_3_2_35_2","article-title":"Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information","author":"Kulkarni Milind","year":"2020","unstructured":"Milind Kulkarni. 2020. Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information. https:\/\/cve.mitre.org\/blog\/December152020_Our_CVE_Story_Using_the_CVE_Program_to_Provide_Reliable_Vulnerability_Information.html. Accessed: 2020-12-31.","journal-title":"https:\/\/cve.mitre.org\/blog\/December152020_Our_CVE_Story_Using_the_CVE_Program_to_Provide_Reliable_Vulnerability_Information.html"},{"key":"e_1_3_2_36_2","first-page":"957","volume-title":"Proceedings of the 32nd International Conference on International Conference on Machine Learning - Volume 37 (ICML\u201915)","author":"Kusner Matt J.","year":"2015","unstructured":"Matt J. Kusner, Yu Sun, Nicholas I. Kolkin, and Kilian Q. Weinberger. 2015. From word embeddings to document distances. In Proceedings of the 32nd International Conference on International Conference on Machine Learning - Volume 37 (ICML\u201915). JMLR.org, 957\u2013966."},{"key":"e_1_3_2_37_2","first-page":"282","volume-title":"Proceedings of the Eighteenth International Conference on Machine Learning (ICML \u201901)","author":"Lafferty John D.","year":"2001","unstructured":"John D. Lafferty, Andrew McCallum, and Fernando C. N. Pereira. 2001. Conditional random fields: Probabilistic models for segmenting and labeling sequence data. In Proceedings of the Eighteenth International Conference on Machine Learning (ICML \u201901). Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 282\u2013289."},{"key":"e_1_3_2_38_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/N16-1030"},{"key":"e_1_3_2_39_2","first-page":"851","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Li Vector Guo","year":"2019","unstructured":"Vector Guo Li, Matthew Dunn, Paul Pearce, Damon McCoy, Geoffrey M. Voelker, and Stefan Savage. 2019. Reading the tea leaves: A comparative analysis of threat intelligence. In 28th USENIX Security Symposium (USENIX Security 19). 851\u2013867."},{"key":"e_1_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIT.1982.1056489"},{"key":"e_1_3_2_41_2","first-page":"1769","volume-title":"28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19)","author":"Lu Kangjie","year":"2019","unstructured":"Kangjie Lu, Aditya Pakki, and Qiushi Wu. 2019. Detecting missing-check bugs via semantic-and context-aware criticalness and constraints inferences. In 28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19). 1769\u20131786."},{"key":"e_1_3_2_42_2","first-page":"1","article-title":"Easy-to-deploy API extraction by multi-level feature embedding and transfer learning","author":"Ma S.","year":"2019","unstructured":"S. Ma, Z. Xing, C. Chen, C. Chen, L. Qu, and G. Li. 2019. Easy-to-deploy API extraction by multi-level feature embedding and transfer learning. IEEE Transactions on Software Engineering (2019), 1\u20131.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_43_2","volume-title":"2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana","author":"Mann David E.","year":"1999","unstructured":"David E. Mann and Steven M. Christey. 1999. Towards a common enumeration of vulnerabilities. In 2nd Workshop on Research with Security Vulnerability Databases, Purdue University, West Lafayette, Indiana."},{"key":"e_1_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSMC.2003.1244628"},{"key":"e_1_3_2_45_2","unstructured":"Microsoft Security. 2020. https:\/\/msrc.microsoft.com\/update-guide\/vulnerability. Accessed: 2020-12-31."},{"key":"e_1_3_2_46_2","article-title":"Efficient estimation of word representations in vector space","author":"Mikolov Tomas","year":"2013","unstructured":"Tomas Mikolov, Kai Chen, Greg Corrado, and Jeffrey Dean. 2013. Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013).","journal-title":"arXiv preprint arXiv:1301.3781 (2013)."},{"key":"e_1_3_2_47_2","first-page":"919","volume-title":"27th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 18)","author":"Mu Dongliang","year":"2018","unstructured":"Dongliang Mu, Alejandro Cuevas, Limin Yang, Hang Hu, Xinyu Xing, Bing Mao, and Gang Wang. 2018. Understanding the reproducibility of crowd-reported security vulnerabilities. In 27th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 18). 919\u2013936."},{"key":"e_1_3_2_48_2","unstructured":"National Vulnerability Database. 2020. https:\/\/nvd.nist.gov\/. Accessed: 2020-12-31."},{"key":"e_1_3_2_49_2","author":"Incorporated Network Associates","year":"1999","unstructured":"Network Associates Incorporated. 1999. Proprietary Vulnerability Database for CyberCop Scanner 2.4.","journal-title":"Proprietary Vulnerability Database for CyberCop Scanner 2.4"},{"key":"e_1_3_2_50_2","unstructured":"Norton. 2023. https:\/\/au.norton.com\/. Accessed: 2023-05-25."},{"key":"e_1_3_2_51_2","unstructured":"Openwall oss-security mailing list. 2020. https:\/\/www.openwall.com\/lists\/oss-security\/. Accessed: 2020-12-31."},{"key":"e_1_3_2_52_2","doi-asserted-by":"publisher","DOI":"10.3115\/v1\/D14-1162"},{"key":"e_1_3_2_53_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00018"},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1145\/3277592"},{"key":"e_1_3_2_55_2","first-page":"584","volume-title":"2020 IEEE Symposium on Security and Privacy (SP)","author":"Proskurin Sergej","year":"2020","unstructured":"Sergej Proskurin, Marius Momeu, Seyedhamed Ghavamnia, Vasileios P. Kemerlis, and Michalis Polychronakis. 2020. xMP: Selective memory protection for kernel and user space. In 2020 IEEE Symposium on Security and Privacy (SP). 584\u2013598."},{"key":"e_1_3_2_56_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2970119"},{"key":"e_1_3_2_57_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-00671-6_12"},{"key":"e_1_3_2_58_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421360"},{"key":"e_1_3_2_59_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/D19-1410"},{"key":"e_1_3_2_60_2","doi-asserted-by":"publisher","DOI":"10.1145\/3397271.3401411"},{"key":"e_1_3_2_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2018.00058"},{"key":"e_1_3_2_62_2","unstructured":"Secureteam. 2022. https:\/\/secureteam.co.uk\/. Accessed: 2022-03-31."},{"key":"e_1_3_2_63_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2013.6623997"},{"key":"e_1_3_2_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/2994539.2994546"},{"key":"e_1_3_2_65_2","volume-title":"Elements of Practical Geography","year":"2013","unstructured":"Singh. 2013. Elements of Practical Geography. Kalyani Publishers."},{"key":"e_1_3_2_66_2","unstructured":"Snyk. 2022. https:\/\/snyk.io\/. Accessed: 2022-03-31."},{"key":"e_1_3_2_67_2","unstructured":"Sonatype. 2022. https:\/\/www.sonatype.com\/. Accessed: 2022-03-31."},{"key":"e_1_3_2_68_2","volume-title":"NDSS","author":"Staicu Cristian-Alexandru","year":"2018","unstructured":"Cristian-Alexandru Staicu, Michael Pradel, and Benjamin Livshits. 2018. SYNODE: Understanding and automatically preventing injection attacks on NODE. JS. In NDSS."},{"key":"e_1_3_2_69_2","unstructured":"Jiamou Sun Zhenchang Xing Hao Guo Deheng Ye Xiaohong Li Xiwei Xu and Liming Zhu. 2021. Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization. arxiv:cs.LG\/2101.01431"},{"key":"e_1_3_2_70_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME55016.2022.00024"},{"key":"e_1_3_2_71_2","unstructured":"Common Vulnerability Scoring System. (n.d.)."},{"key":"e_1_3_2_72_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.3044773"},{"key":"e_1_3_2_73_2","first-page":"427","volume-title":"23rd International Symposium on Research in Attacks, Intrusions and Defenses ( \\(\\lbrace\\) RAID \\(\\rbrace\\) 2020)","author":"Wang Xiaoguang","year":"2020","unstructured":"Xiaoguang Wang, SengMing Yeoh, Robert Lyerly, Pierre Olivier, Sang-Hoon Kim, and Binoy Ravindran. 2020. A framework for software diversification with \\(\\lbrace\\) ISA \\(\\rbrace\\) heterogeneity. In 23rd International Symposium on Research in Attacks, Intrusions and Defenses ( \\(\\lbrace\\) RAID \\(\\rbrace\\) 2020). 427\u2013442."},{"key":"e_1_3_2_74_2","unstructured":"WebMind. 2023. https:\/\/web-mind.io\/cyber-security\/windows-vs-linux-which-is-safer\/. Accessed: 2023-05-25."},{"key":"e_1_3_2_75_2","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"Wu Qiushi","year":"2020","unstructured":"Qiushi Wu, Yang He, Stephen McCamant, and Kangjie Lu. 2020. Precisely characterizing security impact in a flood of patches via symbolic rule comparison. In Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_2_76_2","first-page":"1187","volume-title":"28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19)","author":"Wu Wei","year":"2019","unstructured":"Wei Wu, Yueqi Chen, Xinyu Xing, and Wei Zou. 2019. \\(\\lbrace\\) KEPLER \\(\\rbrace\\) : Facilitating control-flow hijacking primitive evaluation for Linux kernel vulnerabilities. In 28th \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security Symposium ( \\(\\lbrace\\) USENIX \\(\\rbrace\\) Security 19). 1187\u20131204."},{"key":"e_1_3_2_77_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-36718-3_5"},{"key":"e_1_3_2_78_2","doi-asserted-by":"publisher","DOI":"10.1145\/2970276.2970357"},{"key":"e_1_3_2_79_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00017"},{"key":"e_1_3_2_80_2","first-page":"43","volume-title":"International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing","author":"Yang Jeong","year":"2021","unstructured":"Jeong Yang, Young Lee, and Arlen P. McDonald. 2021. SolarWinds software supply chain security: Better protection with enforced policies and technologies. In International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel\/Distributed Computing. Springer, 43\u201358."},{"key":"e_1_3_2_81_2","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.10"},{"key":"e_1_3_2_82_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR52588.2021.00016"},{"key":"e_1_3_2_83_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00057"},{"key":"e_1_3_2_84_2","doi-asserted-by":"crossref","unstructured":"Wei You Peiyuan Zong Kai Chen Xiaofeng Wang Xiaojing Liao Pan Bian and Bin Liang. 2017. SemFuzz: Semantics-based automatic generation of proof-of-concept exploits. 2139\u20132154.","DOI":"10.1145\/3133956.3134085"},{"key":"e_1_3_2_85_2","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.2985126"},{"key":"e_1_3_2_86_2","doi-asserted-by":"publisher","DOI":"10.1145\/3368089.3409674"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3624734","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3624734","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:35:44Z","timestamp":1750178144000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3624734"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,22]]},"references-count":85,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2024,2,29]]}},"alternative-id":["10.1145\/3624734"],"URL":"https:\/\/doi.org\/10.1145\/3624734","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,22]]},"assertion":[{"value":"2022-04-02","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-08-22","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-12-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}