{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T03:46:29Z","timestamp":1781063189719,"version":"3.54.1"},"publisher-location":"New York, NY, USA","reference-count":22,"publisher":"ACM","funder":[{"name":"KKS","award":["SESAM project"],"award-info":[{"award-number":["SESAM project"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,23]]},"DOI":"10.1145\/3696630.3728513","type":"proceedings-article","created":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:08:09Z","timestamp":1753729689000},"page":"631-635","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0679-4361","authenticated-orcid":false,"given":"Davide","family":"Fucci","sequence":"first","affiliation":[{"name":"Blekinge Tekniska H\u00f6gskola, Karlskrona, Sweden"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0340-9747","authenticated-orcid":false,"given":"Massimiliano","family":"Di Penta","sequence":"additional","affiliation":[{"name":"University of Sannio, Italy, Benevento, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4880-3622","authenticated-orcid":false,"given":"Simone","family":"Romano","sequence":"additional","affiliation":[{"name":"University of Salerno, Salerno, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0024-7508","authenticated-orcid":false,"given":"Giuseppe","family":"Scanniello","sequence":"additional","affiliation":[{"name":"Universit\u00e0 degli Studi di Salerno, Salerno, Italy"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2025,7,28]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"Grype: A vulnerability scanner for container images and filesystems.","year":"2020","unstructured":"Anchore. 2020. Grype: A vulnerability scanner for container images and filesystems. Available at https:\/\/github.com\/anchore\/grype (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_2_1","volume-title":"2023 IEEE International Symposium on Technology and Society (ISTAS). IEEE, 1\u20134. 10","author":"Chaora Anesu","year":"2023","unstructured":"Anesu Chaora, Nathan Ensmenger, and L Jean Camp. 2023. Discourse, Challenges, and Prospects Around the Adoption and Dissemination of Software Bills of Materials (SBOMs). In 2023 IEEE International Symposium on Technology and Society (ISTAS). IEEE, 1\u20134. 10.1109\/ISTAS57930.2023.10305922"},{"key":"e_1_3_2_1_3_1","volume-title":"2020 IEEE\/ACM 42nd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). ACM, 90\u201399","author":"Chen Yang","year":"2020","unstructured":"Yang Chen, Andrew E. Santosa, Asankhaya Sharma, and David Lo. 2020. Automated identification of libraries from vulnerability data. In 2020 IEEE\/ACM 42nd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). ACM, 90\u201399."},{"key":"e_1_3_2_1_4_1","first-page":"392","article-title":"Questionnaire design, interviewing and attitude measurement","volume":"35","author":"Chisnall Peter M","year":"1993","unstructured":"Peter M Chisnall. 1993. Questionnaire design, interviewing and attitude measurement. Journal of the Market Research Society 35, 4 (1993), 392\u2013393.","journal-title":"Journal of the Market Research Society"},{"key":"e_1_3_2_1_5_1","volume-title":"Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM)","author":"Cybersecurity and Infrastructure Security Agency (CISA). 2024.","unstructured":"Cybersecurity and Infrastructure Security Agency (CISA). 2024. Framing Software Component Transparency: Establishing a Common Software Bill of Materials (SBOM) (3rd ed.). Available at https:\/\/www.cisa.gov\/resources-tools\/resources\/framing-software-component-transparency-2024 (Last Accessed: January 16, 2025).","edition":"3"},{"key":"e_1_3_2_1_6_1","volume-title":"Simone Romano, and Giuseppe Scannielllo.","author":"Fucci Davide","year":"2025","unstructured":"Davide Fucci, Massimiliano Di Penta, Simone Romano, and Giuseppe Scannielllo. 2025. Replication package of the paper \"Augmenting Software Bills of Materials with Software Vulnerability Description: A Preliminary Study on GitHub\". https:\/\/github.com\/SESAM-project\/SBOM-VEX-acceptance"},{"key":"e_1_3_2_1_7_1","volume-title":"Dependabot: Automated dependency updates built into GitHub.","author":"GitHub Inc.","year":"2019","unstructured":"GitHub Inc. 2019. Dependabot: Automated dependency updates built into GitHub. Available at https:\/\/github.com\/dependabot (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_8_1","volume-title":"OSV Scanner: Vulnerability scanner written in Go which uses the data provided by OSV.","author":"Google Inc. 2022.","year":"2025","unstructured":"Google Inc. 2022. OSV Scanner: Vulnerability scanner written in Go which uses the data provided by OSV. Available at https:\/\/github.com\/google\/osv-scanner (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_9_1","volume-title":"Executive Order on Improving the Nation's Cybersecurity | The White House.","author":"The United States Federal Governmen. 2021.","year":"2025","unstructured":"The United States Federal Governmen. 2021. Executive Order on Improving the Nation's Cybersecurity | The White House. Available at https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/ (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_10_1","volume-title":"ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. ACM, 1770\u20131783","author":"Kloeg Berend","year":"2024","unstructured":"Berend Kloeg, Aaron Yi Ding, Sjoerd Pellegrom, and Yury Zhauniarovich. 2024. Charting the Path to SBOM Adoption: A Business Stakeholder-Centric Approach. In ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. ACM, 1770\u20131783. 10.1145\/3634737.3637659"},{"key":"e_1_3_2_1_11_1","volume-title":"How Italian Practitioners Manage the Software Supply Chain. In 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 730\u2013740","author":"Nocera Sabato","year":"2024","unstructured":"Sabato Nocera, Massimiliano Di Penta, Rita Francese, Simone Romano, and Giuseppe Scanniello. 2024. If it's not SBOM, then what? How Italian Practitioners Manage the Software Supply Chain. In 2024 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 730\u2013740. 10.1109\/ICSME58944.2024.00077"},{"key":"e_1_3_2_1_12_1","volume-title":"2023 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 39\u201349","author":"Nocera Sabato","year":"2023","unstructured":"Sabato Nocera, Simone Romano, Massimiliano Di Penta, Rita Francese, and Giuseppe Scanniello. 2023. Software Bill of Materials Adoption: A Mining Study from GitHub. In 2023 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 39\u201349. 10.1109\/ICSME58846.2023.00016"},{"key":"e_1_3_2_1_13_1","volume-title":"vexctl: A tool to make VEX work.","year":"2025","unstructured":"openvex. 2023. vexctl: A tool to make VEX work. Available at https:\/\/github.com\/openvex\/vexctl (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_14_1","volume-title":"Cyber Resilience Act.","author":"The European Parliament and The Council of the European Union. 2024.","year":"2025","unstructured":"The European Parliament and The Council of the European Union. 2024. Cyber Resilience Act. Available at https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32024R2847 (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_15_1","volume-title":"Messy Databases.","author":"Sourcegraph Inc. 2013.","year":"2025","unstructured":"Sourcegraph Inc. 2013. Code Intelligence for Untangling Big, Messy Databases. Available at https:\/\/sourcegraph.com (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_16_1","volume-title":"2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE). ACM, 44:1\u201344:13","author":"Stalnaker Trevor","year":"2024","unstructured":"Trevor Stalnaker, Nathan Wintersgill, Oscar Chaparro, Massimiliano Di Penta, DanielMGerman, and Denys Poshyvanyk. 2024. BOMs Away! Inside the Minds of Stakeholders: A Comprehensive Study of Bills of Materials for Software Systems. In 2024 IEEE\/ACM 46th International Conference on Software Engineering (ICSE). ACM, 44:1\u201344:13. 10.1145\/3597503.3623347"},{"key":"e_1_3_2_1_17_1","volume-title":"Guide to Software Composition Analysis.","author":"Tal Liran","year":"2025","unstructured":"Liran Tal. 2023. Guide to Software Composition Analysis. Available at https:\/\/snyk.io\/series\/open-source-security\/software-composition-analysis-sca\/ (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_18_1","volume-title":"Software Package Data eXchange (SPDX).","author":"Foundation The Linux","year":"2025","unstructured":"The Linux Foundation. 2011. Software Package Data eXchange (SPDX). Available at https:\/\/spdx.dev\/use\/specifications\/ (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_19_1","volume-title":"The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness.","author":"Foundation The Linux","year":"2025","unstructured":"The Linux Foundation. 2022. The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. Available at https:\/\/www.linuxfoundation.org\/research\/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness (Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_20_1","volume-title":"https:\/\/cyclonedx.org","author":"Foundation The OWASP","year":"2025","unstructured":"The OWASP Foundation. 2018. CycloneDX. https:\/\/cyclonedx.org Available at https:\/\/cyclonedx.org(Last Accessed: January 16, 2025)."},{"key":"e_1_3_2_1_21_1","volume-title":"Experimentation in Software Engineering","author":"Wohlin Claes","unstructured":"Claes Wohlin, Per Runeson, Martin H\u00f6st, Magnus C Ohlsson, Bj\u00f6rn Regnell, and Anders Wessl\u00e9n. 2012. Experimentation in Software Engineering. Springer."},{"key":"e_1_3_2_1_22_1","volume-title":"An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 2630\u20132642","author":"Xia Boming","year":"2023","unstructured":"Boming Xia, Tingting Bi, Zhenchang Xing, Qinghua Lu, and Liming Zhu. 2023. An Empirical Study on Software Bill of Materials: Where We Stand and the Road Ahead. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 2630\u20132642. 10.1109\/ICSE48619.2023.00219"}],"event":{"name":"FSE Companion '25: 33rd ACM International Conference on the Foundations of Software Engineering","location":"Clarion Hotel Trondheim Trondheim Norway","acronym":"FSE Companion '25","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696630.3728513","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:11:25Z","timestamp":1753729885000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696630.3728513"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,23]]},"references-count":22,"alternative-id":["10.1145\/3696630.3728513","10.1145\/3696630"],"URL":"https:\/\/doi.org\/10.1145\/3696630.3728513","relation":{},"subject":[],"published":{"date-parts":[[2025,6,23]]},"assertion":[{"value":"2025-07-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}