{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:14:10Z","timestamp":1772039650335,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":19,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,23]]},"DOI":"10.1145\/3696630.3728578","type":"proceedings-article","created":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:09:27Z","timestamp":1753729767000},"page":"1045-1049","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Dirty-Waters: Detecting Software Supply Chain Smells"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0009-7681-3490","authenticated-orcid":false,"given":"Raphina","family":"Liu","sequence":"first","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3116-3278","authenticated-orcid":false,"given":"Sofia","family":"Bobadilla","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4015-4640","authenticated-orcid":false,"given":"Benoit","family":"Baudry","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3505-3383","authenticated-orcid":false,"given":"Martin","family":"Monperrus","sequence":"additional","affiliation":[{"name":"KTH Royal Institute of Technology, Stockholm, Sweden"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,7,28]]},"reference":[{"key":"e_1_3_2_1_1_1","first-page":"11","volume-title":"ARES '23","author":"Ohm M.","year":"2023","unstructured":"M. Ohm and C. Stuke, \"SoK: Practical Detection of Software Supply Chain Attacks,\" in Proceedings of the 18th International Conference on Availability, Reliability and Security, ser. ARES '23. New York, NY, USA: Association for Computing Machinery, Aug. 2023, pp. 1\u201311. [Online]. 10.1145\/3600160.3600162"},{"key":"e_1_3_2_1_2_1","first-page":"1010","volume-title":"SEC'19","author":"Zimmermann M.","year":"2019","unstructured":"M. Zimmermann, C.-A. Staicu, C. Tenny, and M. Pradel, \"Smallworld with high risks: a study of security threats in the npm ecosystem,\" in Proceedings of the 28th USENIX Conference on Security Symposium, ser. SEC'19. USA: USENIX Association, Aug. 2019, pp. 995\u20131010."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/3475716.3484195"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/3660821"},{"key":"e_1_3_2_1_5_1","volume-title":"On the Security Blind Spots of Software Composition Analysis","author":"Dietrich J.","year":"2023","unstructured":"J. Dietrich, S. Rasheed, A. Jordan, and T. White, \"On the Security Blind Spots of Software Composition Analysis,\" Oct. 2023, arXiv:2306.05534 [cs]. [Online]. Available: http:\/\/arxiv.org\/abs\/2306.05534"},{"issue":"06","key":"e_1_3_2_1_6_1","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MSEC.2023.3302956","article-title":"Challenges of Producing Software Bill of Materials for Java","volume":"21","author":"Balliu M.","year":"2023","unstructured":"M. Balliu, B. Baudry, S. Bobadilla, M. Ekstedt, M. Monperrus, J. Ron, A. Sharma, G. Skoglund, C. Soto-Valero, and M. Wittlinger, \"Challenges of Producing Software Bill of Materials for Java,\" IEEE Security & Privacy, vol. 21, no. 06, pp. 12\u201323, Nov. 2023, publisher: IEEE Computer Society. [Online]. Available: https:\/\/www.computer.org\/csdl\/magazine\/sp\/2023\/06\/10235318\/1Q41lK4HmYU","journal-title":"IEEE Security & Privacy"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"crossref","first-page":"110610","DOI":"10.1016\/j.jss.2020.110610","article-title":"Code Smells and Refactoring: A Tertiary Systematic Review of Challenges and Observations","volume":"167","author":"Lacerda G.","year":"2020","unstructured":"G. Lacerda, F. Petrillo, M. Pimenta, and Y. G. Gueheneuc, \"Code Smells and Refactoring: A Tertiary Systematic Review of Challenges and Observations,\" Journal of Systems and Software, vol. 167, p. 110610, Sep. 2020, arXiv:2004.10777 [cs]. [Online]. Available: http:\/\/arxiv.org\/abs\/2004.10777","journal-title":"Journal of Systems and Software"},{"key":"e_1_3_2_1_8_1","first-page":"2095","volume-title":"CCS '20","author":"Vu D. L.","year":"2020","unstructured":"D. L. Vu, I. Pashchenko, F. Massacci, H. Plate, and A. Sabetta, \"Towards Using Source Code Repositories to Identify Software Supply Chain Attacks,\" in Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS '20. New York, NY, USA: Association for Computing Machinery, Nov. 2020, pp. 2093\u20132095. [Online]. 10.1145\/3372297.3420015"},{"key":"e_1_3_2_1_9_1","first-page":"1526","volume-title":"May 2023","author":"Ladisa P.","unstructured":"P. Ladisa, H. Plate, M. Martinez, and O. Barais, \"SoK: Taxonomy of Attacks on Open-Source Software Supply Chains,\" in 2023 IEEE Symposium on Security and Privacy (SP), May 2023, pp. 1509\u20131526, iSSN: 2375-1207. [Online]. Available: https:\/\/ieeexplore.ieee.org\/abstract\/document\/10179304"},{"key":"e_1_3_2_1_10_1","unstructured":"\"Generating provenance statements | npm Docs.\" [Online]. Available: https:\/\/docs.npmjs.com\/generating-provenance-statements"},{"key":"e_1_3_2_1_11_1","first-page":"816","article-title":"SMEAGOL: A Static Code Smell Detector for MongoDB","author":"Cherry B.","year":"2024","unstructured":"B. Cherry, C. Nagy, M. Lanza, and A. Cleve, \"SMEAGOL: A Static Code Smell Detector for MongoDB.\" IEEE Computer Society, Mar. 2024, pp. 816\u2013820. [Online]. Available: https:\/\/www.computer.org\/csdl\/proceedings-article\/saner\/2024\/306600a816\/1YCRoPI4vQI","journal-title":"IEEE Computer Society"},{"issue":"2","key":"e_1_3_2_1_12_1","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1109\/MS.2022.3203716","article-title":"Recommendations for Developers Identifying Code Smells","volume":"40","author":"de Mello R.","year":"2023","unstructured":"R. de Mello, R. Oliveira, A. Uch\u00f4a, W. Oizumi, A. Garcia, B. Fonseca, and F. de Mello, \"Recommendations for Developers Identifying Code Smells,\" IEEE Software, vol. 40, no. 2, pp. 90\u201398, Mar. 2023, conference Name: IEEE Software. [Online]. Available: https:\/\/ieeexplore.ieee.org\/document\/9904005\/?arnumber=9904005","journal-title":"IEEE Software"},{"key":"e_1_3_2_1_13_1","volume-title":"Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries","author":"Tsakpinis A.","year":"2024","unstructured":"A. Tsakpinis and A. Pretschner, \"Analyzing the Accessibility of GitHub Repositories for PyPI and NPM Libraries,\" Apr. 2024, arXiv:2404.17403 [cs]. [Online]. Available: http:\/\/arxiv.org\/abs\/2404.17403"},{"key":"e_1_3_2_1_14_1","first-page":"207","volume-title":"Oct. 2022","author":"Hastings T.","unstructured":"T. Hastings and K. R. Walcott, \"Continuous Verification of Open Source Components in a World of Weak Links,\" in 2022 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), Oct. 2022, pp. 201\u2013207. [Online]. Available: https:\/\/ieeexplore.ieee.org\/abstract\/document\/9985184"},{"key":"e_1_3_2_1_15_1","first-page":"340","volume-title":"ICSE-SEIP '22","author":"Zahan N.","year":"2022","unstructured":"N. Zahan, T. Zimmermann, P. Godefroid, B. Murphy, C. Maddila, and L. Williams, \"What are weak links in the npm supply chain?\" in Proceedings of the 44th International Conference on Software Engineering: Software Engineering in Practice, ser. ICSE-SEIP '22. New York, NY, USA: Association for Computing Machinery, Oct. 2022, pp. 331\u2013340. [Online]. 10.1145\/3510457.3513044"},{"key":"e_1_3_2_1_16_1","first-page":"344","volume-title":"Oct. 2016","author":"Borges H.","unstructured":"H. Borges, A. Hora, and M. T. Valente, \"Understanding the Factors That Impact the Popularity of GitHub Repositories,\" in 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), Oct. 2016, pp. 334\u2013344. [Online]. Available: https:\/\/ieeexplore.ieee.org\/document\/7816479"},{"key":"e_1_3_2_1_17_1","volume-title":"USA: Internet Society, 2022","author":"Cao A.","year":"2022","unstructured":"A. Cao and B. Dolan-Gavitt, \"What the Fork? Finding and Analyzing Malware in GitHub Forks,\" in Proceedings 2022 Workshop on Measurements, Attacks, and Defenses for the Web. San Diego, CA, USA: Internet Society, 2022. [Online]. Available: https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/madweb2022_23001_paper.pdf"},{"issue":"10","key":"e_1_3_2_1_18_1","doi-asserted-by":"crossref","first-page":"3790","DOI":"10.1109\/TSE.2021.3106247","article-title":"Dependency Smells in JavaScript Projects","volume":"48","author":"Jafari A. J.","year":"2022","unstructured":"A. J. Jafari, D. E. Costa, R. Abdalkareem, E. Shihab, and N. Tsantalis, \"Dependency Smells in JavaScript Projects,\" IEEE Transactions on Software Engineering, vol. 48, no. 10, pp. 3790\u20133807, Oct. 2022. [Online]. Available: https:\/\/ieeexplore.ieee.org\/document\/9519532\/","journal-title":"IEEE Transactions on Software Engineering"},{"issue":"4","key":"e_1_3_2_1_19_1","doi-asserted-by":"crossref","first-page":"1741","DOI":"10.1109\/TSE.2022.3191353","article-title":"Towards Better Dependency Management: A First Look at Dependency Smells in Python Projects","volume":"49","author":"Cao Y.","year":"2023","unstructured":"Y. Cao, L. Chen, W. Ma, Y. Li, Y. Zhou, and L. Wang, \"Towards Better Dependency Management: A First Look at Dependency Smells in Python Projects,\" IEEE Transactions on Software Engineering, vol. 49, no. 4, pp. 1741\u20131765, Apr. 2023, conference Name: IEEE Transactions on Software Engineering. [Online]. Available: https:\/\/ieeexplore.ieee.org\/document\/9832512\/?arnumber=9832512","journal-title":"IEEE Transactions on Software Engineering"}],"event":{"name":"FSE Companion '25: 33rd ACM International Conference on the Foundations of Software Engineering","location":"Clarion Hotel Trondheim Trondheim Norway","acronym":"FSE Companion '25","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3696630.3728578","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,28]],"date-time":"2025-07-28T19:14:32Z","timestamp":1753730072000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3696630.3728578"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,23]]},"references-count":19,"alternative-id":["10.1145\/3696630.3728578","10.1145\/3696630"],"URL":"https:\/\/doi.org\/10.1145\/3696630.3728578","relation":{},"subject":[],"published":{"date-parts":[[2025,6,23]]},"assertion":[{"value":"2025-07-28","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}