{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T19:01:29Z","timestamp":1754161289250,"version":"3.41.2"},"publisher-location":"New York, NY, USA","reference-count":30,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,23]]},"DOI":"10.1145\/3696630.3728525","type":"proceedings-article","created":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:08:09Z","timestamp":1753729689000},"page":"691-695","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Drop the Golden Apples: Identifying Third-Party Reuse by DB-Less Software Composition Analysis"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3087-9645","authenticated-orcid":false,"given":"Lyuye","family":"Zhang","sequence":"first","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1175-2753","authenticated-orcid":false,"given":"Chengwei","family":"Liu","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6758-4635","authenticated-orcid":false,"given":"Jiahui","family":"Wu","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0009-0004-1128-3840","authenticated-orcid":false,"given":"Shiyang","family":"Zhang","sequence":"additional","affiliation":[{"name":"Tianjin University, Tianjin, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7034-1255","authenticated-orcid":false,"given":"Chengyue","family":"Liu","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8390-7518","authenticated-orcid":false,"given":"Zhengzi","family":"Xu","sequence":"additional","affiliation":[{"name":"Imperial Global Singapore, Singapore, Singapore"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9477-4100","authenticated-orcid":false,"given":"Sen","family":"Chen","sequence":"additional","affiliation":[{"name":"Nankai University, Tianjin, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7300-9215","authenticated-orcid":false,"given":"Yang","family":"Liu","sequence":"additional","affiliation":[{"name":"College of Computing and Data Science, Nanyang Technological University, Singapore, Singapore"}]}],"member":"320","published-online":{"date-parts":[[2025,7,28]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2022. BlackDuck. https:\/\/www.synopsys.com\/software-integrity\/security-testing\/software-composition-analysis.html."},{"key":"e_1_3_2_1_2_1","unstructured":"2022. OWASP. https:\/\/owasp.org\/www-project-dependency-track."},{"key":"e_1_3_2_1_3_1","unstructured":"2022. Sonatype. https:\/\/www.sonatype.com\/."},{"key":"e_1_3_2_1_4_1","unstructured":"2024. GPT-4o. https:\/\/openai.com\/index\/hello-gpt-4o\/."},{"key":"e_1_3_2_1_5_1","volume-title":"https:\/\/www.mend.io\/ [Online","author":"Application Risk Start Managing","year":"2025","unstructured":"2024. Mend.io (formerly WhiteSource) - Start Managing Application Risk. https:\/\/www.mend.io\/ [Online; accessed 2025-01-17]."},{"key":"e_1_3_2_1_6_1","unstructured":"2024. Snky CLI. https:\/\/snyk.io\/."},{"key":"e_1_3_2_1_7_1","unstructured":"2025. Dependabot. https:\/\/github.com\/dependabot."},{"key":"e_1_3_2_1_8_1","unstructured":"2025. Scrapy. https:\/\/scrapy.org\/."},{"key":"e_1_3_2_1_9_1","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1347\u20131359","author":"Almanee Sumaya","year":"2021","unstructured":"Sumaya Almanee, Arda \u00dcnal, Mathias Payer, and Joshua Garcia. 2021. Too quiet in the library: An empirical study of security updates in android apps' native code. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1347\u20131359."},{"key":"e_1_3_2_1_10_1","volume-title":"Application Fundamentals. Archived from the original. https:\/\/developer.android.com\/guide\/components\/fundamentals Retrieved on","author":"Developers Android","year":"2018","unstructured":"Android Developers. 2020. Application Fundamentals. Archived from the original. https:\/\/developer.android.com\/guide\/components\/fundamentals Retrieved on 3 December 2018 from Android Developers. Archived on 21 November 2020.."},{"key":"e_1_3_2_1_11_1","volume-title":"Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 356\u2013367","author":"Backes Michael","year":"2016","unstructured":"Michael Backes, Sven Bugiel, and Erik Derr. 2016. Reliable third-party library detection in android and its security applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. 356\u2013367."},{"key":"e_1_3_2_1_12_1","first-page":"3","article-title":"2024. A survey on evaluation of large language models","volume":"15","author":"Chang Yupeng","year":"2024","unstructured":"Yupeng Chang, Xu Wang, Jindong Wang, Yuan Wu, Linyi Yang, Kaijie Zhu, Hao Chen, Xiaoyuan Yi, Cunxiang Wang, Yidong Wang, et al. 2024. A survey on evaluation of large language models. ACM Transactions on Intelligent Systems and Technology 15, 3 (2024), 1\u201345.","journal-title":"ACM Transactions on Intelligent Systems and Technology"},{"key":"e_1_3_2_1_13_1","unstructured":"Dify. 2025. Dify. https:\/\/dify.ai\/."},{"key":"e_1_3_2_1_14_1","volume-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201313","author":"Hu Jinchang","year":"2024","unstructured":"Jinchang Hu, Lyuye Zhang, Chengwei Liu, Sen Yang, Song Huang, and Yang Liu. 2024. Empirical Analysis of Vulnerabilities Life Cycle in Golang Ecosystem. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering. 1\u201313."},{"key":"e_1_3_2_1_15_1","volume-title":"2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE). IEEE, 335\u2013346","author":"Li Menghao","year":"2017","unstructured":"Menghao Li, Wei Wang, Pei Wang, Shuai Wang, Dinghao Wu, Jian Liu, Rui Xue, and Wei Huo. 2017. Libd: Scalable and precise third-party library detection in android markets. In 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE). IEEE, 335\u2013346."},{"key":"e_1_3_2_1_16_1","unstructured":"National Telecommunications and Information Administration. 2022. Software Bill of Materials. Archived from the original. https:\/\/www.ntia.gov\/SBOM Retrieved on 2021-01-25. Archived on 2022-11-30.."},{"key":"e_1_3_2_1_17_1","unstructured":"Pypi. 2025. Pypi. https:\/\/pypi.org\/."},{"key":"e_1_3_2_1_18_1","volume-title":"UNIX: The Complete Reference (2 ed.)","author":"Rosen Kenneth","year":"2007","unstructured":"Kenneth Rosen, Douglas Host, Rachel Klee, and Richard Rosinski. 2007. UNIX: The Complete Reference (2 ed.). McGraw Hill Professional. 707 pages. Dynamically linked libraries are also called shared objects (.so). Retrieved on 2017-06-08.."},{"key":"e_1_3_2_1_19_1","volume-title":"Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering. 1\u201312","author":"Tang Wei","year":"2022","unstructured":"Wei Tang, Zhengzi Xu, Chengwei Liu, Jiahui Wu, Shouguo Yang, Yi Li, Ping Luo, and Yang Liu. 2022. Towards understanding third-party library dependency in c\/c++ ecosystem. In Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering. 1\u201312."},{"key":"e_1_3_2_1_20_1","unstructured":"Tool Interface Standards Committee. 1995. Executable and Linkable Format (ELF) Specification. Specification. Tool Interface Standards Committee. Available from SCO 190 River Road Summit NJ 07901 USA."},{"key":"e_1_3_2_1_21_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Woo Seunghoon","year":"2023","unstructured":"Seunghoon Woo, Eunjin Choi, Heejo Lee, and Hakjoo Oh. 2023. {V1SCAN}: Discovering 1-day Vulnerabilities in Reused {C\/C++} Open-source Software Components Using Code Classification Techniques. In 32nd USENIX Security Symposium (USENIX Security 23). 6541\u20136556."},{"key":"e_1_3_2_1_22_1","volume-title":"CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 860\u2013872","author":"Woo Seunghoon","year":"2021","unstructured":"Seunghoon Woo, Sunghan Park, Seulbae Kim, Heejo Lee, and Hakjoo Oh. 2021. CENTRIS: A Precise and Scalable Approach for Identifying Modified Open-Source Software Reuse. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 860\u2013872."},{"key":"e_1_3_2_1_23_1","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 270\u2013282","author":"Wu Jiahui","year":"2023","unstructured":"Jiahui Wu, Zhengzi Xu, Wei Tang, Lyuye Zhang, Yueming Wu, Chengyue Liu, Kairan Sun, Lida Zhao, and Yang Liu. 2023. Ossfp: Precise and scalable c\/c++ third-party library detection using fingerprinting functions. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 270\u2013282."},{"key":"e_1_3_2_1_24_1","volume-title":"45th International Conference on Software Engineering. 1\u201312","author":"Wu Yulun","year":"2023","unstructured":"Yulun Wu, Zeliang Yu, Ming Wen, Qiang Li, Deqing Zhou, and Hai Jin. 2023. Understanding the Threats of Upstream Vulnerabilities to Downstream Projects in the Maven Ecosystem. In 45th International Conference on Software Engineering. 1\u201312."},{"key":"e_1_3_2_1_25_1","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1695\u20131707","author":"Zhan Xian","year":"2021","unstructured":"Xian Zhan, Lingling Fan, Sen Chen, Feng We, Tianming Liu, Xiapu Luo, and Yang Liu. 2021. Atvhunter: Reliable version detection of third-party libraries for vulnerability identification in android applications. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1695\u20131707."},{"key":"e_1_3_2_1_26_1","volume-title":"2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 191\u2013203","author":"Zhang Lyuye","year":"2023","unstructured":"Lyuye Zhang, Chengwei Liu, Sen Chen, Zhengzi Xu, Lingling Fan, Lida Zhao, Yiran Zhang, and Yang Liu. 2023. Mitigating persistence of open-source vulnerabilities in maven ecosystem. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 191\u2013203."},{"key":"e_1_3_2_1_27_1","volume-title":"Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering","author":"Zhang Lyuye","year":"2023","unstructured":"Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Bihuan Chen, and Yang Liu. 2023. Has My Release Disobeyed Semantic Versioning? Static Detection Based on Semantic Differencing. In Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering (Rochester, MI, USA) (ASE '22). Association for Computing Machinery, New York, NY, USA, Article 51, 12 pages. 10.1145\/3551349.3556956"},{"key":"e_1_3_2_1_28_1","volume-title":"Proceedings of the 45th International Conference on Software Engineering","author":"Zhang Lyuye","year":"2023","unstructured":"Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Lida Zhao, Jiahui Wu, and Yang Liu. 2023. Compatible Remediation on Vulnerabilities from Third-Party Libraries for Java Projects, In Proceedings of the 45th International Conference on Software Engineering (Melbourne, Victoria, Australia). arXiv preprint arXiv:2301.08434, 2540\u20132552. 10.1109\/ICSE48619.2023.00212"},{"key":"e_1_3_2_1_29_1","volume-title":"2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 141\u2013152","author":"Zhang Yuan","year":"2018","unstructured":"Yuan Zhang, Jiarun Dai, Xiaohan Zhang, Sirong Huang, Zhemin Yang, Min Yang, and Hao Chen. 2018. Detecting third-party libraries in android applications with high precision and recall. In 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 141\u2013152."},{"key":"e_1_3_2_1_30_1","volume-title":"Proceedings of the 2023 31th acm sigsoft international symposium on foundations of software engineering.","author":"Zhao Lida","year":"2023","unstructured":"Lida Zhao, Sen Chen, Zhengzi Xu, Chengwei Liu, Lyuye Zhang, Jiahui Wu, Jun Sun, and Yang Liu. 2023. Software Composition Analysis for Vulnerability Detection: An Empirical Study on Java Projects. In Proceedings of the 2023 31th acm sigsoft international symposium on foundations of software engineering."}],"event":{"name":"FSE Companion '25: 33rd ACM International Conference on the Foundations of Software Engineering","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"],"location":"Clarion Hotel Trondheim Trondheim Norway","acronym":"FSE Companion '25"},"container-title":["Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696630.3728525","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:12:42Z","timestamp":1753729962000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696630.3728525"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,23]]},"references-count":30,"alternative-id":["10.1145\/3696630.3728525","10.1145\/3696630"],"URL":"https:\/\/doi.org\/10.1145\/3696630.3728525","relation":{},"subject":[],"published":{"date-parts":[[2025,6,23]]},"assertion":[{"value":"2025-07-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}