{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,8]],"date-time":"2026-05-08T02:15:27Z","timestamp":1778206527146,"version":"3.51.4"},"reference-count":282,"publisher":"Association for Computing Machinery (ACM)","issue":"5","license":[{"start":{"date-parts":[[2025,5,26]],"date-time":"2025-05-26T00:00:00Z","timestamp":1748217600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["2207008, 2206859, 2206865, and 2206921"],"award-info":[{"award-number":["2207008, 2206859, 2206865, and 2206921"]}]},{"name":"European Union\u2019s Horizon 2020 research and innovation program","award":["101120393 (Sec4AI4Sec"],"award-info":[{"award-number":["101120393 (Sec4AI4Sec"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2025,6,30]]},"abstract":"<jats:p>\n            Reusable software libraries, frameworks, and components, such as those provided by open source ecosystems and third-party suppliers, accelerate digital innovation. However, recent years have shown almost exponential growth in attackers leveraging these software artifacts to launch software supply chain attacks. Past well-known software supply chain attacks include the SolarWinds, log4j, and xz utils incidents. 
Supply chain attacks are considered to have three major attack vectors: through vulnerabilities and malware accidentally or intentionally injected into open source and third-party\n            <jats:italic>dependencies\/components\/containers<\/jats:italic>\n            ; by infiltrating the\n            <jats:italic>build infrastructure<\/jats:italic>\n            during the build and deployment processes; and through targeted techniques aimed at the\n            <jats:italic>humans<\/jats:italic>\n            involved in software development, such as through social engineering. Plummeting trust in the software supply chain could decelerate digital innovation if the software industry reduces its use of open source and third-party artifacts to reduce risks. This article contains perspectives and knowledge obtained from intentional outreach with practitioners to understand their practical challenges and from extensive research efforts. We then provide an overview of current research efforts to secure the software supply chain. 
Finally, we propose a future research agenda to close software supply chain attack vectors and support the software industry.\n          <\/jats:p>","DOI":"10.1145\/3714464","type":"journal-article","created":{"date-parts":[[2025,1,27]],"date-time":"2025-01-27T15:53:31Z","timestamp":1737993211000},"page":"1-38","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":34,"title":["Research Directions in Software Supply Chain Security"],"prefix":"10.1145","volume":"34","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3300-6540","authenticated-orcid":false,"given":"Laurie","family":"Williams","sequence":"first","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2609-6787","authenticated-orcid":false,"given":"Giacomo","family":"Benedetti","sequence":"additional","affiliation":[{"name":"University of Genoa, Genoa, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-8381-1436","authenticated-orcid":false,"given":"Sivana","family":"Hamer","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6682-4243","authenticated-orcid":false,"given":"Ranindya","family":"Paramitha","sequence":"additional","affiliation":[{"name":"University of Trento, Trento, Italy"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9414-8756","authenticated-orcid":false,"given":"Imranur","family":"Rahman","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-3162-7580","authenticated-orcid":false,"given":"Mahzabin","family":"Tamanna","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, 
USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-1785-2455","authenticated-orcid":false,"given":"Greg","family":"Tystahl","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2738-4118","authenticated-orcid":false,"given":"Nusrat","family":"Zahan","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0773-7817","authenticated-orcid":false,"given":"Patrick","family":"Morrison","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7167-7383","authenticated-orcid":false,"given":"Yasemin","family":"Acar","sequence":"additional","affiliation":[{"name":"Paderborn University, Paderborn, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6250-4632","authenticated-orcid":false,"given":"Michel","family":"Cukier","sequence":"additional","affiliation":[{"name":"University of Maryland, College Park, Maryland, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4450-4572","authenticated-orcid":false,"given":"Christian","family":"K\u00e4stner","sequence":"additional","affiliation":[{"name":"Carnegie Mellon University, Pittsburgh, Pennsylvania, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8839-8521","authenticated-orcid":false,"given":"Alexandros","family":"Kapravelos","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-2921-1254","authenticated-orcid":false,"given":"Dominik","family":"Wermke","sequence":"additional","affiliation":[{"name":"North Carolina State University, Raleigh, North Carolina, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3043-8092","authenticated-orcid":false,"given":"William","family":"Enck","sequence":"additional","affiliation":[{"name":"North Carolina 
State University, Raleigh, North Carolina, USA"}]}],"member":"320","published-online":{"date-parts":[[2025,5,26]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"GitHub. 2022. Embedded Malicious Code in node-ipc. Retrieved March 16 2022 from https:\/\/github.com\/advisories\/GHSA-97m3-w2cp-4xx6"},{"key":"e_1_3_2_3_2","unstructured":"Codeium. 2018. Retrieved from https:\/\/codeium.com\/blog\/code-security-chatgpt-issues"},{"key":"e_1_3_2_4_2","unstructured":"TabNine. 2018. AI Code Completions. Retrieved from https:\/\/github.com\/codota\/TabNine"},{"key":"e_1_3_2_5_2","unstructured":"Socket Inc. 2022. Retrieved December 2 2023 from https:\/\/socket.dev\/"},{"key":"e_1_3_2_6_2","unstructured":"Federal Register. Executive Order 14028: Improving the Nation\u2019s Cybersecurity. Retrieved May 12 2021 from https:\/\/www.federalregister.gov\/documents\/2021\/05\/17\/2021-10460\/improving-the-nations-cybersecurity"},{"key":"e_1_3_2_7_2","unstructured":"William Enck Yasemin Acar Michel Cukier Alexandros Kapravelos Christian K\u00e4stner and Laurie Williams. June 2023. S3C2 summit 2023-06: Government secure supply chain summit. arXiv:2308.06850. Retrieved from https:\/\/arxiv.org\/abs\/2308.06850"},{"key":"e_1_3_2_8_2","unstructured":"Cybersecurity & Infrastructure Security Agency. 2022. Apache Log4j Vulnerability Guidance. Retrieved April 08 2022 from https:\/\/www.cisa.gov\/news-events\/news\/apache-log4j-vulnerability-guidance"},{"issue":"4","key":"e_1_3_2_9_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3571848","article-title":"On the discoverability of npm vulnerabilities in Node.js projects","volume":"32","author":"Alfadel Mahmoud","year":"2023","unstructured":"Mahmoud Alfadel, Diego Elias Costa, Emad Shihab, and Bram Adams. 2023. On the discoverability of npm vulnerabilities in Node.js projects. 
ACM Transactions on Software Engineering and Methodology 32, 4 (2023), 1\u201327.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"e_1_3_2_10_2","unstructured":"Cloud Security Alliance. 2024. Global Security Database (GSD). Retrieved from https:\/\/github.com\/cloudsecurityalliance\/gsd-database"},{"issue":"6","key":"e_1_3_2_11_2","doi-asserted-by":"crossref","first-page":"129","DOI":"10.1007\/s10664-023-10380-1","article-title":"Is GitHub\u2019s copilot as bad as humans at introducing vulnerabilities in code?","volume":"28","author":"Asare Owura","year":"2023","unstructured":"Owura Asare, Meiyappan Nagappan, and N. Asokan. 2023. Is GitHub\u2019s copilot as bad as humans at introducing vulnerabilities in code? Empirical Software Engineering 28, 6 (2023), 129.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","first-page":"634","DOI":"10.1109\/EuroSPW61312.2024.00077","volume-title":"2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","author":"Ashiwal Virendra","year":"2024","unstructured":"Virendra Ashiwal, Soeren Finster, and Abdallah Dawoud. 2024. LLM-based vulnerability sourcing from unstructured data. In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 634\u2013641."},{"key":"e_1_3_2_13_2","unstructured":"Agathe Balayn Lorenzo Corti Fanny Rancourt Fabio Casati and Ujwal Gadiraju. 2024. Understanding stakeholders\u2019 perceptions and needs across the LLM supply chain. arXiv preprint arXiv:2405.16311. 
Retrieved from https:\/\/arxiv.org\/abs\/2405.16311"},{"issue":"6","key":"e_1_3_2_14_2","doi-asserted-by":"crossref","first-page":"12","DOI":"10.1109\/MSEC.2023.3302956","article-title":"Challenges of producing software bill of materials for Java","volume":"21","author":"Balliu Musard","year":"2023","unstructured":"Musard Balliu, Benoit Baudry, Sofia Bobadilla, Mathias Ekstedt, Martin Monperrus, Javier Ron, Aman Sharma, Gabriel Skoglund, C\u00e9sar Soto-Valero, and Martin Wittlinger. 2023. Challenges of producing software bill of materials for Java. IEEE Security & Privacy 21, 6 (Nov. 2023), 12\u201323.","journal-title":"IEEE Security & Privacy"},{"key":"e_1_3_2_15_2","doi-asserted-by":"crossref","first-page":"51","DOI":"10.1145\/3560835.3564550","volume-title":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Barr-Smith Frederick","year":"2022","unstructured":"Frederick Barr-Smith, Tim Blazytko, Richard Baker, and Ivan Martinovic. 2022. Exorcist: Automated differential analysis to detect compromises in closed-source software supply chains. In Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 51\u201361."},{"key":"e_1_3_2_16_2","doi-asserted-by":"crossref","first-page":"280","DOI":"10.1109\/ICSM.2013.39","volume-title":"2013 IEEE International Conference on Software Maintenance","author":"Bavota Gabriele","year":"2013","unstructured":"Gabriele Bavota, Gerardo Canfora, Massimiliano Di Penta, Rocco Oliveto, and Sebastiano Panichella. 2013. The evolution of project inter-dependencies in a software ecosystem: The case of Apache. In 2013 IEEE International Conference on Software Maintenance. 
IEEE, 280\u2013289."},{"key":"e_1_3_2_17_2","doi-asserted-by":"crossref","first-page":"1275","DOI":"10.1007\/s10664-014-9325-9","article-title":"How the Apache community upgrades dependencies: An evolutionary study","volume":"20","author":"Bavota Gabriele","year":"2015","unstructured":"Gabriele Bavota, Gerardo Canfora, Massimiliano Di Penta, Rocco Oliveto, and Sebastiano Panichella. 2015. How the Apache community upgrades dependencies: An evolutionary study. Empirical Software Engineering 20 (2015), 1275\u20131317.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_18_2","unstructured":"Giacomo Benedetti Serena Cofano Alessandro Brighente and Mauro Conti. 2024. The impact of SBOM generators on vulnerability assessment in Python: A comparison and a novel approach. arXiv:2409.06390. Retrieved from https:\/\/arxiv.org\/abs\/2409.06390"},{"key":"e_1_3_2_19_2","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1145\/3560835.3564554","volume-title":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED \u201922)","author":"Benedetti Giacomo","year":"2022","unstructured":"Giacomo Benedetti, Luca Verderame, and Alessio Merlo. 2022. Automatic security assessment of GitHub actions workflows. In Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses (SCORED \u201922). ACM, New York, NY, 37\u201345. DOI: 10.1145\/3560835.3564554"},{"key":"e_1_3_2_20_2","first-page":"1","volume-title":"2017 IEEE 28th Annual Software Technology Conference (STC)","author":"Benthall Sebastian","year":"2017","unstructured":"Sebastian Benthall. 2017. Assessing software supply chain risk using public data. In 2017 IEEE 28th Annual Software Technology Conference (STC). 
IEEE, 1\u20135."},{"issue":"6","key":"e_1_3_2_21_2","first-page":"1","article-title":"On the way to SBOMs: Investigating design issues and solutions in practice","volume":"33","author":"Bi Tingting","year":"2024","unstructured":"Tingting Bi, Boming Xia, Zhenchang Xing, Qinghua Lu, and Liming Zhu. 2024. On the way to SBOMs: Investigating design issues and solutions in practice. ACM Transactions on Software Engineering and Methodology 33, 6 (2024), 1\u201325.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"issue":"1","key":"e_1_3_2_22_2","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1016\/j.pursup.2017.10.004","article-title":"Supply chain vulnerability assessment: A network based visualization and clustering analysis approach","volume":"24","author":"Blackhurst Jennifer","year":"2018","unstructured":"Jennifer Blackhurst, M. Johnny Rungtusanatham, Kevin Scheibe, and Saurabh Ambulkar. 2018. Supply chain vulnerability assessment: A network based visualization and clustering analysis approach. Journal of Purchasing and Supply Management 24, 1 (2018), 21\u201330.","journal-title":"Journal of Purchasing and Supply Management"},{"key":"e_1_3_2_23_2","doi-asserted-by":"crossref","first-page":"109","DOI":"10.1145\/2950290.2950325","volume-title":"Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering","author":"Bogart Christopher","year":"2016","unstructured":"Christopher Bogart, Christian K\u00e4stner, James Herbsleb, and Ferdian Thung. 2016. How to break an API: Cost negotiation and community values in three software ecosystems. 
In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 109\u2013120."},{"issue":"2","key":"e_1_3_2_24_2","doi-asserted-by":"crossref","first-page":"19","DOI":"10.1145\/3687251.3687253","article-title":"Smart contract vulnerability detection: The role of large language model (LLM)","volume":"24","author":"Boi Biagio","year":"2024","unstructured":"Biagio Boi, Christian Esposito, and Sokjoon Lee. 2024. Smart contract vulnerability detection: The role of large language model (LLM). ACM SIGAPP Applied Computing Review 24, 2 (2024), 19\u201329.","journal-title":"ACM SIGAPP Applied Computing Review"},{"key":"e_1_3_2_25_2","volume-title":"Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering: New Ideas and Emerging Results (IEEE\/ACM ICSE-NIER \u201924)","author":"Boughton Lina","year":"2024","unstructured":"Lina Boughton, Courtney Miller, Yasemin Acar, Dominik Wermke, and Christian K\u00e4stner. 2024. Decomposing and measuring trust in open-source software supply chains. In Proceedings of the IEEE\/ACM 46th International Conference on Software Engineering: New Ideas and Emerging Results (IEEE\/ACM ICSE-NIER \u201924). IEEE\/ACM."},{"key":"e_1_3_2_26_2","unstructured":"Martin Briesch Dominik Sobania and Franz Rothlauf. 2023. Large language models suffer from their own output: An analysis of the self-consuming training loop. arXiv:2311.16822. Retrieved from https:\/\/arxiv.org\/abs\/2311.16822"},{"key":"e_1_3_2_27_2","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1109\/SANER.2018.8330214","volume-title":"2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER)","author":"Brito Aline","year":"2018","unstructured":"Aline Brito, Laerte Xavier, Andre Hora, and Marco Tulio Valente. 2018. Why and how Java developers break APIs. In 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER). 
IEEE, 255\u2013265."},{"issue":"3","key":"e_1_3_2_28_2","doi-asserted-by":"crossref","first-page":"687","DOI":"10.1007\/s11219-022-09607-z","article-title":"On business adoption and use of reproducible builds for open and closed source software","volume":"31","author":"Butler Simon","year":"2023","unstructured":"Simon Butler, Jonas Gamalielsson, Bj\u00f6rn Lundell, Christoffer Brax, Anders Mattsson, Tomas Gustavsson, Jonas Feist, Bengt Kvarnstr\u00f6m, and Erik L\u00f6nroth. 2023. On business adoption and use of reproducible builds for open and closed source software. Software Quality Journal 31, 3 (2023), 687\u2013719.","journal-title":"Software Quality Journal"},{"issue":"4","key":"e_1_3_2_29_2","first-page":"1741","article-title":"Towards better dependency management: A first look at dependency smells in Python projects","volume":"49","author":"Cao Yulu","year":"2022","unstructured":"Yulu Cao, Lin Chen, Wanwangying Ma, Yanhui Li, Yuming Zhou, and Linzhang Wang. 2022. Towards better dependency management: A first look at dependency smells in Python projects. IEEE Transactions on Software Engineering 49, 4 (2022), 1741\u20131765.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","unstructured":"Ramaswamy Chandramouli Frederick Kautz and Santiago Torres-Arias. 2024. Strategies for the integration of software supply chain security in DevSecOps CI\/CD pipelines. NIST Special Publication 800-204D. Retrieved February 2024 from https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-204D.pdf","DOI":"10.6028\/NIST.SP.800-204D"},{"issue":"3","key":"e_1_3_2_31_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3641289","article-title":"A survey on evaluation of large language models","volume":"15","author":"Chang Yupeng","year":"2024","unstructured":"Yupeng Chang, Xu Wang, Jindong Wang, Yuan Wu, Linyi Yang, Kaijie Zhu, Hao Chen, Xiaoyuan Yi, Cunxiang Wang, Yidong Wang, et al. 2024. 
A survey on evaluation of large language models. ACM Transactions on Intelligent Systems and Technology 15, 3 (2024), 1\u201345.","journal-title":"ACM Transactions on Intelligent Systems and Technology"},{"key":"e_1_3_2_32_2","unstructured":"Mark Chen Jerry Tworek Heewoo Jun Qiming Yuan Henrique Ponde De Oliveira Pinto Jared Kaplan Harri Edwards Yuri Burda Nicholas Joseph Greg Brockman et al. 2021. Evaluating large language models trained on code. arXiv:2107.03374. Retrieved from https:\/\/arxiv.org\/abs\/2107.03374"},{"key":"e_1_3_2_33_2","doi-asserted-by":"crossref","first-page":"263","DOI":"10.1007\/978-3-319-11391-3_13","volume-title":"Cyber Defense and Situational Awareness","author":"Cheng Yi","year":"2014","unstructured":"Yi Cheng, Julia Deng, Jason Li, Scott A. DeLoach, Anoop Singhal, and Xinming Ou. 2014. Metrics of security. In Cyber Defense and Situational Awareness. Springer, 263\u2013295."},{"key":"e_1_3_2_34_2","unstructured":"Anton Cheshkov Pavel Zadorozhny and Rodion Levichev. 2023. Evaluation of ChatGPT model for vulnerability detection. arXiv:2304.07232. Retrieved from https:\/\/arxiv.org\/abs\/2304.07232"},{"issue":"240","key":"e_1_3_2_35_2","first-page":"1","article-title":"PaLM: Scaling language modeling with pathways","volume":"24","author":"Chowdhery Aakanksha","year":"2023","unstructured":"Aakanksha Chowdhery, Sharan Narang, Jacob Devlin, Maarten Bosma, Gaurav Mishra, Adam Roberts, Paul Barham, Hyung Won Chung, Charles Sutton, Sebastian Gehrmann, et al. 2023. PaLM: Scaling language modeling with pathways. Journal of Machine Learning Research 24, 240 (2023), 1\u2013113.","journal-title":"Journal of Machine Learning Research"},{"key":"e_1_3_2_36_2","unstructured":"CISA. 2022. Vulnerability Exploitability eXchange (VEX). Retrieved from https:\/\/www.cisa.gov\/sites\/default\/files\/publications\/VEX_Use_Cases_Document_508c.pdf"},{"key":"e_1_3_2_37_2","unstructured":"Cloud Native Computing Foundation. 2022. 
Software Supply Chain Best Practices (SSCP). Retrieved from https:\/\/project.linuxfoundation.org\/hubfs\/CNCF_SSCP_v1.pdf"},{"key":"e_1_3_2_38_2","unstructured":"CNCF. Cloud Native Computing Foundation (CNCF). Retrieved September 26 2024 from https:\/\/www.cncf.io\/"},{"key":"e_1_3_2_39_2","unstructured":"Serena Cofano Giacomo Benedetti and Matteo Dell\u2019Amico. 2024. SBOM generation tools in the Python ecosystem: An in-detail analysis. arXiv:2409.01214. Retrieved from https:\/\/arxiv.org\/abs\/2409.01214"},{"key":"e_1_3_2_40_2","first-page":"109","volume-title":"2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering","volume":"2","author":"Cox Joel","year":"2015","unstructured":"Joel Cox, Eric Bouwers, Marko van Eekelen, and Joost Visser. 2015. Measuring dependency freshness in software systems. In 2015 IEEE\/ACM 37th IEEE International Conference on Software Engineering, Vol. 2, 109\u2013118. DOI: 10.1109\/ICSE.2015.140"},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","first-page":"121","DOI":"10.1109\/ICSE48619.2023.00022","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Croft Roland","year":"2023","unstructured":"Roland Croft, M. Ali Babar, and M. Mehdi Kholoosi. 2023. Data quality for software vulnerability datasets. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 121\u2013133."},{"key":"e_1_3_2_42_2","unstructured":"DataDog. 2022. GuardDog. Retrieved from https:\/\/github.com\/datadog\/guarddog"},{"key":"e_1_3_2_43_2","first-page":"404","volume-title":"2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)","author":"Decan Alexandre","year":"2018","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the evolution of technical lag in the npm package dependency network. In 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME), 404\u2013414. 
DOI: 10.1109\/ICSME.2018.00050"},{"key":"e_1_3_2_44_2","doi-asserted-by":"crossref","first-page":"181","DOI":"10.1145\/3196398.3196401","volume-title":"15th International Conference on Mining Software Repositories","author":"Decan Alexandre","year":"2018","unstructured":"Alexandre Decan, Tom Mens, and Eleni Constantinou. 2018. On the impact of security vulnerabilities in the npm package dependency network. In 15th International Conference on Mining Software Repositories, 181\u2013191."},{"key":"e_1_3_2_45_2","doi-asserted-by":"crossref","first-page":"111827","DOI":"10.1016\/j.jss.2023.111827","article-title":"On the outdatedness of workflows in the GitHub Actions ecosystem","volume":"206","author":"Decan Alexandre","year":"2023","unstructured":"Alexandre Decan, Tom Mens, and Hassan Onsori Delicheh. 2023. On the outdatedness of workflows in the GitHub Actions ecosystem. Journal of Systems and Software 206 (2023), 111827.","journal-title":"Journal of Systems and Software"},{"key":"e_1_3_2_46_2","first-page":"2187","volume-title":"2017 ACM SIGSAC Conference on Computer and Communications Security","author":"Derr Erik","year":"2017","unstructured":"Erik Derr, Sven Bugiel, Sascha Fahl, Yasemin Acar, and Michael Backes. 2017. Keep me updated: An empirical study of third-party library updatability on Android. In 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, 2187\u20132200. DOI: 10.1145\/3133956.3134059"},{"key":"e_1_3_2_47_2","doi-asserted-by":"crossref","first-page":"349","DOI":"10.1109\/MSR.2019.00061","volume-title":"2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR)","author":"Dietrich Jens","year":"2019","unstructured":"Jens Dietrich, David Pearce, Jacob Stringer, Amjed Tahir, and Kelly Blincoe. 2019. Dependency versioning in the wild. In 2019 IEEE\/ACM 16th International Conference on Mining Software Repositories (MSR). 
IEEE, 349\u2013359."},{"key":"e_1_3_2_48_2","unstructured":"Xueying Du Geng Zheng Kaixin Wang Jiayi Feng Wentai Deng Mingwei Liu Bihuan Chen Xin Peng Tao Ma and Yiling Lou. 2024. Vul-RAG: Enhancing LLM-based vulnerability detection via knowledge-level RAG. arXiv:2406.11147. Retrieved from https:\/\/arxiv.org\/abs\/2406.11147"},{"key":"e_1_3_2_49_2","doi-asserted-by":"crossref","unstructured":"Ruian Duan Omar Alrawi Ranjita Pai Kasturi Ryan Elder Brendan Saltaformaggio and Wenke Lee. 2020. Towards measuring supply chain attacks on package managers for interpreted languages. arXiv:2002.01139. Retrieved from https:\/\/arxiv.org\/abs\/2002.01139","DOI":"10.14722\/ndss.2021.23055"},{"key":"e_1_3_2_50_2","unstructured":"Trevor Dunlap Yasemin Acar Michel Cukier William Enck Alexandros Kapravelos Christian K\u00e4stner and Laurie Williams. 2023. S3C2 summit 2023-02: Industry secure supply chain summit. arXiv:2307.16557. Retrieved from http:\/\/arxiv.org\/abs\/2307.16557"},{"key":"e_1_3_2_51_2","unstructured":"Trevor Dunlap Elizabeth Lin William Enck and Bradley Reaves. 2023. VFCFinder: Seamlessly pairing security advisories and patches. arXiv:2311.01532. Retrieved from https:\/\/arxiv.org\/abs\/2311.01532"},{"key":"e_1_3_2_52_2","first-page":"350","volume-title":"International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment","author":"Dunlap Trevor","year":"2024","unstructured":"Trevor Dunlap, John Speed Meyers, Bradley Reaves, and William Enck. 2024. Pairing security advisories with vulnerable functions using open-source LLMs. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. 
Springer, 350\u2013369."},{"key":"e_1_3_2_53_2","doi-asserted-by":"crossref","first-page":"489","DOI":"10.1109\/EuroSP57164.2023.00036","volume-title":"2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)","author":"Dunlap Trevor","year":"2023","unstructured":"Trevor Dunlap, Seaver Thorn, William Enck, and Bradley Reaves. 2023. Finding fixed vulnerabilities with off-the-shelf static analysis. In 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P). IEEE, 489\u2013505."},{"key":"e_1_3_2_54_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_2_55_2","unstructured":"Datadog Engineering. 2023. Secure publication of Datadog Agent integrations with TUF and in-toto. Datadog Engineering Blog. Retrieved September 26 2024 from https:\/\/www.datadoghq.com\/blog\/engineering\/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto\/"},{"key":"e_1_3_2_56_2","unstructured":"Equifax. 2017. Equifax releases details on cybersecurity incident, announces personnel changes. Retrieved September 24 2024 from https:\/\/investor.equifax.com\/news-and-events\/news\/2017\/09-15-2017-224018832"},{"key":"e_1_3_2_57_2","unstructured":"EU. 2022. EU Cyber Resilience Act. Retrieved from https:\/\/digital-strategy.ec.europa.eu\/en\/library\/cyber-resilience-act"},{"key":"e_1_3_2_58_2","first-page":"508","volume-title":"17th International Conference on Mining Software Repositories","author":"Fan Jiahao","year":"2020","unstructured":"Jiahao Fan, Yi Li, Shaohua Wang, and Tien N. Nguyen. 2020. A C\/C++ code vulnerability dataset with code changes and CVE summaries. 
In 17th International Conference on Mining Software Repositories, 508\u2013512."},{"key":"e_1_3_2_59_2","doi-asserted-by":"crossref","first-page":"610","DOI":"10.1109\/EuroSPW61312.2024.00074","volume-title":"2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)","author":"Feio Clarisse","year":"2024","unstructured":"Clarisse Feio, Nuno Santos, Nelson Escravana, and Bernardo Pacheco. 2024. An empirical study of DevSecOps focused on continuous security testing. In 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 610\u2013617."},{"key":"e_1_3_2_60_2","doi-asserted-by":"crossref","first-page":"1334","DOI":"10.1109\/ICSE43902.2021.00121","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE)","author":"Ferreira Gabriel","year":"2021","unstructured":"Gabriel Ferreira, Limin Jia, Joshua Sunshine, and Christian K\u00e4stner. 2021. Containing malicious package updates in npm with a lightweight permission system. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). IEEE, 1334\u20131346."},{"key":"e_1_3_2_61_2","unstructured":"FireEye. December 13 2020. Highly evasive attacker leverages solarwinds supply chain to compromise multiple global victims with SUNBURST backdoor. Retrieved from https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor\/"},{"key":"e_1_3_2_62_2","doi-asserted-by":"crossref","first-page":"112135","DOI":"10.1016\/j.jss.2024.112135","article-title":"Time to separate from StackOverflow and match with ChatGPT for encryption","author":"Firouzi Ehsan","year":"2024","unstructured":"Ehsan Firouzi and Mohammad Ghafari. 2024. Time to separate from StackOverflow and match with ChatGPT for encryption. 
Journal of Systems and Software (2024), 112135.","journal-title":"Journal of Systems and Software"},{"key":"e_1_3_2_63_2","unstructured":"Darius Foo Jason Yeo Hao Xiao and Asankhaya Sharma. 2019. The dynamics of software composition analysis. arXiv:1909.00973 (2019). Retrieved from https:\/\/arxiv.org\/abs\/1909.00973"},{"key":"e_1_3_2_64_2","volume-title":"44th IEEE Symposium on Security and Privacy","author":"Fourn\u00e9 Marcel","year":"2023","unstructured":"Marcel Fourn\u00e9, Dominik Wermke, William Enck, Sascha Fahl, and Yasemin Acar. 2023. It\u2019s like flossing your teeth: On the importance and challenges of reproducible builds for software supply chain security. In 44th IEEE Symposium on Security and Privacy."},{"key":"e_1_3_2_65_2","unstructured":"Andres Freund. 2024. Backdoor in upstream xz\/liblzma leading to ssh server compromise. Retrieved March 29 2024 from https:\/\/www.openwall.com\/lists\/oss-security\/2024\/03\/29\/4"},{"key":"e_1_3_2_66_2","unstructured":"Daniel Fried Armen Aghajanyan Jessy Lin Sida Wang Eric Wallace Freda Shi Ruiqi Zhong Wen-tau Yih Luke Zettlemoyer and Mike Lewis. 2022. Incoder: A generative model for code infilling and synthesis. arXiv:2204.05999. Retrieved from https:\/\/arxiv.org\/abs\/2204.05999"},{"key":"e_1_3_2_67_2","doi-asserted-by":"crossref","first-page":"41","DOI":"10.1145\/3605770.3625211","volume-title":"Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Froh Fabian","year":"2023","unstructured":"Fabian Froh, Mat\u00edas Gobbi, and Johannes Kinder. 2023. Differential static analysis for detecting malicious updates to open source packages. In Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 41\u201349."},{"key":"e_1_3_2_68_2","unstructured":"Gal Ofri. 2023. SLSA Provenance Blog Series Part 3: The Challenges of Adopting SLSA Provenance. 
Retrieved from https:\/\/www.legitsecurity.com\/blog\/slsa-provenance-blog-series-part3-challenges-of-adopting-slsa-provenance"},{"key":"e_1_3_2_69_2","unstructured":"Zeyu Gao Hao Wang Yuchen Zhou Wenyu Zhu and Chao Zhang. 2023. How far have we gone in vulnerability detection using large language models. arXiv:2311.12420. Retrieved from https:\/\/arxiv.org\/abs\/2311.12420"},{"key":"e_1_3_2_70_2","first-page":"13","volume-title":"2019 IEEE\/ACM 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER)","author":"Garrett Kalil","year":"2019","unstructured":"Kalil Garrett, Gabriel Ferreira, Limin Jia, Joshua Sunshine, and Christian K\u00e4stner. 2019. Detecting suspicious package updates. In 2019 IEEE\/ACM 41st International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER). IEEE, 13\u201316."},{"key":"e_1_3_2_71_2","unstructured":"GitHub. 2024. Dependabot: Security Updates for Your Dependencies. Retrieved September 25 2024 from https:\/\/github.com\/dependabot"},{"key":"e_1_3_2_72_2","unstructured":"GitHub. 2024. GitHub Advisory Database. Retrieved from https:\/\/github.com\/advisories"},{"issue":"110653","key":"e_1_3_2_73_2","doi-asserted-by":"crossref","first-page":"110653","DOI":"10.1016\/j.jss.2020.110653","article-title":"Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities","volume":"172","author":"Gkortzis Antonios","year":"2021","unstructured":"Antonios Gkortzis, Daniel Feitosa, and Diomidis Spinellis. 2021. Software reuse cuts both ways: An empirical analysis of its relationship with security vulnerabilities. Journal of Systems and Software 172, 110653 (Feb. 2021), 110653.","journal-title":"Journal of Systems and Software"},{"key":"e_1_3_2_74_2","unstructured":"Jos\u00e9 Gon\u00e7alves Tiago Dias Eva Maia and Isabel Pra\u00e7a. 2024. SCoPE: Evaluating LLMs for software vulnerability detection. arXiv:2407.14372. 
Retrieved from https:\/\/arxiv.org\/abs\/2407.14372"},{"key":"e_1_3_2_75_2","first-page":"258","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)","author":"Gonzalez Danielle","year":"2021","unstructured":"Danielle Gonzalez, Thomas Zimmermann, Patrice Godefroid, and Max Sch\u00e4fer. 2021. Anomalicious: Automated detection of anomalous and potentially malicious commits on GitHub. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). IEEE, 258\u2013267."},{"key":"e_1_3_2_76_2","unstructured":"Google. 2016. OSS-Fuzz: Continuous Fuzzing for Open Source Software. Retrieved from https:\/\/github.com\/google\/oss-fuzz"},{"key":"e_1_3_2_77_2","unstructured":"Google. 2024. Open Source Vulnerability Database. Retrieved from https:\/\/osv.dev\/"},{"issue":"6","key":"e_1_3_2_78_2","doi-asserted-by":"crossref","first-page":"685","DOI":"10.1145\/506315.506316","article-title":"A framework for call graph construction algorithms","volume":"23","author":"Grove David","year":"2001","unstructured":"David Grove and Craig Chambers. 2001. A framework for call graph construction algorithms. ACM Transactions on Programming Languages and Systems (TOPLAS) 23, 6 (2001), 685\u2013746.","journal-title":"ACM Transactions on Programming Languages and Systems (TOPLAS"},{"key":"e_1_3_2_79_2","first-page":"138","volume-title":"2024 IEEE Symposium on Security and Privacy (SP)","author":"Gu Yacong","year":"2024","unstructured":"Yacong Gu, Lingyun Ying, Huajun Chai, Yingyuan Pu, Haixin Duan, and Xing Gao. 2024. More haste, less speed: Cache related security threats in continuous integration services. In 2024 IEEE Symposium on Security and Privacy (SP). 
IEEE, 138\u2013138."},{"key":"e_1_3_2_80_2","first-page":"1561","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Gu Yacong","year":"2023","unstructured":"Yacong Gu, Lingyun Ying, Huajun Chai, Chu Qiao, Haixin Duan, and Xing Gao. 2023. Continuous intrusion: Characterizing the security of continuous integration services. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE, 1561\u20131577."},{"key":"e_1_3_2_81_2","first-page":"12098","volume-title":"International Conference on Machine Learning","author":"Guo Daya","year":"2023","unstructured":"Daya Guo, Canwen Xu, Nan Duan, Jian Yin, and Julian McAuley. 2023. Longcoder: A long-range pre-trained language model for code completion. In International Conference on Machine Learning. PMLR, 12098\u201312107."},{"key":"e_1_3_2_82_2","unstructured":"Wenbo Guo Zhengzi Xu Chengwei Liu Cheng Huang Yong Fang and Yang Liu. 2023. An Empirical study of malicious code in PyPI ecosystem. arXiv:2309.11021. Retrieved from https:\/\/arxiv.org\/abs\/2309.11021"},{"key":"e_1_3_2_83_2","doi-asserted-by":"crossref","first-page":"87","DOI":"10.1109\/SPW63631.2024.00014","volume-title":"2024 IEEE Security and Privacy Workshops (SPW)","author":"Hamer Sivana","year":"2024","unstructured":"Sivana Hamer, Marcelo d\u2019Amorim, and Laurie Williams. 2024. Just another copy and paste? Comparing the security vulnerabilities of ChatGPT generated code and StackOverflow answers. In 2024 IEEE Security and Privacy Workshops (SPW). IEEE, 87\u201394."},{"key":"e_1_3_2_84_2","unstructured":"Sivana Hamer Nasif Imtiaz Mahzabin Tamanna Preya Shabrina and Laurie Williams. 2024. Trusting code in the wild: Exploring contributor reputation measures to review dependencies in the Rust ecosystem. arXiv:2406.10317. Retrieved from https:\/\/arxiv.org\/abs\/2406.10317"},{"key":"e_1_3_2_85_2","unstructured":"Red Hat. 2024. Urgent security alert for Fedora Linux 40 and Fedora Rawhide users. 
Retrieved March 29 2024 from https:\/\/www.redhat.com\/en\/blog\/urgent-security-alert-fedora-40-and-rawhide-users"},{"key":"e_1_3_2_86_2","first-page":"1865","volume-title":"2023 ACM SIGSAC Conference on Computer and Communications Security","author":"He Jingxuan","year":"2023","unstructured":"Jingxuan He and Martin Vechev. 2023. Large language models for code: Security hardening and adversarial testing. In 2023 ACM SIGSAC Conference on Computer and Communications Security, 1865\u20131879."},{"key":"e_1_3_2_87_2","unstructured":"Heartbleed. 2021. Heartbleed Bug. Retrieved July 17 2021 from https:\/\/heartbleed.com\/"},{"key":"e_1_3_2_88_2","unstructured":"John Heibel and Daniel Lowd. 2024. MaPPing your model: Assessing the impact of adversarial attacks on LLM-based programming assistants. arXiv:2407.11072. Retrieved from https:\/\/arxiv.org\/abs\/2407.11072"},{"issue":"5","key":"e_1_3_2_89_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3649590","article-title":"Automated mapping of vulnerability advisories onto their fix commits in open source repositories","volume":"33","author":"Hommersom Daan","year":"2024","unstructured":"Daan Hommersom, Antonino Sabetta, Bonaventura Coppola, Dario Di Nucci, and Damian A Tamburri. 2024. Automated mapping of vulnerability advisories onto their fix commits in open source repositories. ACM Transactions on Software Engineering and Methodology 33, 5 (2024), 1\u201328.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"key":"e_1_3_2_90_2","unstructured":"Xinyi Hou Yanjie Zhao Yue Liu Zhou Yang Kailong Wang Li Li Xiapu Luo David Lo John Grundy and Haoyu Wang. 2024. Large language models for software engineering: A systematic literature review. arXiv:2308.10620. Retrieved from https:\/\/arxiv.org\/abs\/2308.10620"},{"key":"e_1_3_2_91_2","unstructured":"The White House. 2023. Federal Cybersecurity Research and Development Strategic Plan 2023. 
Retrieved from https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/01\/Federal-Cybersecurity-RD-Strategic-Plan-2023.pdf"},{"key":"e_1_3_2_92_2","unstructured":"The White House. 2024. Back to the Building Blocks: A Path Toward Secure and Measurable Software. Retrieved from https:\/\/www.whitehouse.gov\/wp-content\/uploads\/2024\/02\/Final-ONCD-Technical-Report.pdf"},{"key":"e_1_3_2_93_2","unstructured":"US White House. 2021. Executive Order 14028 on Improving the Nation\u2019s Cybersecurity. Retrieved May 12 2021 from https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"e_1_3_2_94_2","unstructured":"Jie Hu Qian Zhang and Heng Yin. 2023. Augmenting greybox fuzzing with generative AI. arXiv:2306.06782. Retrieved from https:\/\/arxiv.org\/abs\/2306.06782"},{"key":"e_1_3_2_95_2","unstructured":"Cheng Huang Nannan Wang Ziyan Wang Siqi Sun Lingzi Li Junren Chen Qianchong Zhao Jiaxuan Han Zhen Yang and Lei Shi. 2024. DONAPI: Malicious NPM packages detector using behavior sequence knowledge mapping. arXiv:2403.08334. Retrieved from https:\/\/arxiv.org\/abs\/2403.08334"},{"key":"e_1_3_2_96_2","unstructured":"Kaifeng Huang Bihuan Chen You Lu Susheng Wu Dingji Wang Yiheng Huang Haowen Jiang Zhuotong Zhou Junming Cao and Xin Peng. 2024. Lifting the veil on the large language model supply chain: Composition risks and mitigations. arXiv:2410.21218. Retrieved from https:\/\/arxiv.org\/abs\/2410.21218"},{"key":"e_1_3_2_97_2","first-page":"128","volume-title":"Proceedings of the 13th IFIP WG 2.13 International Conference on Open Source Systems: Towards Robust Practices (OSS \u201917)","author":"Ihara Akinori","year":"2017","unstructured":"Akinori Ihara, Daiki Fujibayashi, Hirohiko Suwa, Raula Gaikovina Kula, and Kenichi Matsumoto. 2017. Understanding when to adopt a library: A case study on ASF projects. 
In Proceedings of the 13th IFIP WG 2.13 International Conference on Open Source Systems: Towards Robust Practices (OSS \u201917). Springer International Publishing, 128\u2013138."},{"key":"e_1_3_2_98_2","first-page":"1","volume-title":"Proceedings of the 15th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)","author":"Imtiaz Nasif","year":"2021","unstructured":"Nasif Imtiaz, Seaver Thorn, and Laurie Williams. 2021. A comparative study of vulnerability reporting by software composition analysis tools. In Proceedings of the 15th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 1\u201311."},{"key":"e_1_3_2_99_2","first-page":"1","volume-title":"Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering","author":"Jarukitpipat Vipawan","year":"2022","unstructured":"Vipawan Jarukitpipat, Klinton Chhun, Wachirayana Wanprasert, Chaiyong Ragkhitwetsagul, Morakot Choetkiertikul, Thanwadee Sunetnanta, Raula Gaikovina Kula, Bodin Chinthanet, Takashi Ishio, and Kenichi Matsumoto. 2022. V-Achilles: An interactive visualization of transitive security vulnerabilities. In Proceedings of the 37th IEEE\/ACM International Conference on Automated Software Engineering, 1\u20134."},{"issue":"6","key":"e_1_3_2_100_2","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3603110","article-title":"Dependency update strategies and package characteristics","volume":"32","author":"Javan Jafari Abbas","year":"2023","unstructured":"Abbas Javan Jafari, Diego Elias Costa, Emad Shihab, and Rabe Abdalkareem. 2023. Dependency update strategies and package characteristics. 
ACM Transactions on Software Engineering and Methodology 32, 6 (2023), 1\u201329.","journal-title":"ACM Transactions on Software Engineering and Methodology"},{"issue":"12","key":"e_1_3_2_101_2","first-page":"1","article-title":"Survey of hallucination in natural language generation","volume":"55","author":"Ji Ziwei","year":"2023","unstructured":"Ziwei Ji, Nayeon Lee, Rita Frieske, Tiezheng Yu, Dan Su, Yan Xu, Etsuko Ishii, Ye Jin Bang, Andrea Madotto, and Pascale Fung. 2023. Survey of hallucination in natural language generation. ACM Computing Surveys 55, 12 (2023), 1\u201338.","journal-title":"ACM Computing Surveys"},{"key":"e_1_3_2_102_2","unstructured":"Peiyang Jia Chengwei Liu Hongyu Sun Chengyi Sun Mianxue Gu Yang Liu and Yuqing Zhang. 2022. Cargo ecosystem dependency-vulnerability knowledge graph construction and vulnerability propagation study. arXiv:2210.07482. Retrieved from https:\/\/arxiv.org\/abs\/2210.07482"},{"key":"e_1_3_2_103_2","unstructured":"Juyong Jiang Fan Wang Jiasi Shen Sungju Kim and Sunghun Kim. 2024. A survey on large language models for code generation. arXiv:2406.00515. Retrieved from https:\/\/arxiv.org\/abs\/2406.00515"},{"key":"e_1_3_2_104_2","doi-asserted-by":"crossref","first-page":"1161","DOI":"10.1109\/ICSE43902.2021.00107","volume-title":"2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE)","author":"Jiang Nan","year":"2021","unstructured":"Nan Jiang, Thibaud Lutellier, and Lin Tan. 2021. CURE: Code-aware neural machine translation for automatic program repair. In 2021 IEEE\/ACM 43rd International Conference on Software Engineering (ICSE). 
IEEE, 1161\u20131173."},{"key":"e_1_3_2_105_2","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1145\/3533767.3534398","volume-title":"Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Kang Hong Jin","year":"2022","unstructured":"Hong Jin Kang, Truong Giang Nguyen, Bach Le, Corina S P\u0103s\u0103reanu, and David Lo. 2022. Test mimicry to assess the exploitability of library vulnerabilities. In Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, 276\u2013288."},{"issue":"3","key":"e_1_3_2_106_2","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1109\/MITP.2023.3284628","article-title":"Can large language models better predict software vulnerability?","volume":"25","author":"Katsadouros Evangelos","year":"2023","unstructured":"Evangelos Katsadouros, Charalampos Z. Patrikakis, and George Hurlburt. 2023. Can large language models better predict software vulnerability? IT Professional 25, 3 (2023), 4\u20138.","journal-title":"IT Professional"},{"key":"e_1_3_2_107_2","unstructured":"Avishree Khare Saikat Dutta Ziyang Li Alaia Solko-Breslin Rajeev Alur and Mayur Naik. 2023. Understanding the effectiveness of large language models in detecting security vulnerabilities. arXiv:2311.16169. Retrieved from https:\/\/arxiv.org\/abs\/2311.16169"},{"key":"e_1_3_2_108_2","doi-asserted-by":"crossref","first-page":"1770","DOI":"10.1145\/3634737.3637659","volume-title":"Proceedings of the 19th ACM Asia Conference on Computer and Communications Security","author":"Kloeg Berend","year":"2024","unstructured":"Berend Kloeg, Aaron Yi Ding, Sjoerd Pellegrom, and Yury Zhauniarovich. 2024. Charting the path to SBOM adoption: A business stakeholder-centric approach. 
In Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, 1770\u20131783."},{"key":"e_1_3_2_109_2","first-page":"5145","volume-title":"32nd USENIX Security Symposium (USENIX Security \u201923)","author":"Kohno Tadayoshi","year":"2023","unstructured":"Tadayoshi Kohno, Yasemin Acar, and Wulf Loh. 2023. Ethical frameworks and computer security trolley problems: Foundations for conversations. In 32nd USENIX Security Symposium (USENIX Security \u201923), 5145\u20135162."},{"key":"e_1_3_2_110_2","first-page":"2747","volume-title":"31st USENIX Security Symposium (USENIX Security \u201922)","author":"Koishybayev Igibek","year":"2022","unstructured":"Igibek Koishybayev, Aleksandr Nahapetyan, Raima Zachariah, Siddharth Muralee, Bradley Reaves, Alexandros Kapravelos, and Aravind Machiry. 2022. Characterizing the security of GitHub CI workflows. In 31st USENIX Security Symposium (USENIX Security \u201922). USENIX Association, 2747\u20132763. Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/koishybayev"},{"key":"e_1_3_2_111_2","volume-title":"32nd USENIX Security Symposium (USENIX \u201923)","author":"Krause Alexander","year":"2023","unstructured":"Alexander Krause, Jan H. Klemmer, Nicolas Huaman, Dominik Wermke, Yasemin Acar, and Sascha Fahl. 2023. Pushed by accident: A mixed-methods study on strategies of handling secret information in source code repositories. In 32nd USENIX Security Symposium (USENIX \u201923). USENIX Association. Retrieved August 9, 2023 from https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/krause"},{"key":"e_1_3_2_112_2","unstructured":"Kubernetes and IBM. 2024. Building an Image Trust Service on Kubernetes with Notary and TUF. 
Retrieved September 26 2024 from https:\/\/kubernetes.io\/case-studies\/ibm\/"},{"key":"e_1_3_2_113_2","first-page":"1","volume-title":"16th International Conference on Availability, Reliability and Security","author":"Kuehn Philipp","year":"2021","unstructured":"Philipp Kuehn, Markus Bayer, Marc Wendelborn, and Christian Reuter. 2021. OVANA: An approach to analyze and improve the information quality of vulnerability databases. In 16th International Conference on Availability, Reliability and Security, 1\u201311."},{"key":"e_1_3_2_114_2","doi-asserted-by":"crossref","first-page":"384","DOI":"10.1007\/s10664-017-9521-5","article-title":"Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration","volume":"23","author":"Kula Raula Gaikovina","year":"2018","unstructured":"Raula Gaikovina Kula, Daniel M German, Ali Ouni, Takashi Ishio, and Katsuro Inoue. 2018. Do developers update their library dependencies? An empirical study on the impact of security advisories on library migration. Empirical Software Engineering 23 (2018), 384\u2013417.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_115_2","unstructured":"Varun Kumar. Aug 11 2024. Software Supply Chain Vulnerabilities in Large Language Models (LLMs). Retrieved from https:\/\/www.practical-devsecops.com\/software-supply-chain-vulnerabilities-llms"},{"key":"e_1_3_2_116_2","unstructured":"Datadog Security Labs. 2023. Open-Source Dataset of Malicious Software Packages. Retrieved December 2 2023 from https:\/\/github.com\/datadog\/malicious-software-packages-dataset"},{"key":"e_1_3_2_117_2","unstructured":"Marie-Anne Lachaux Baptiste Roziere Lowik Chanussot and Guillaume Lample. 2020. Unsupervised translation of programming languages. arXiv:2006.03511. 
Retrieved from https:\/\/arxiv.org\/abs\/2006.03511"},{"key":"e_1_3_2_118_2","doi-asserted-by":"crossref","first-page":"1509","DOI":"10.1109\/SP46215.2023.10179304","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Ladisa P.","year":"2023","unstructured":"P. Ladisa, H. Plate, M. Martinez, and O. Barais. 2023. SoK: Taxonomy of attacks on open-source software supply chains. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE, Los Alamitos, CA, 1509\u20131526. DOI: 10.1109\/SP46215.2023.10179304"},{"key":"e_1_3_2_119_2","doi-asserted-by":"crossref","first-page":"63","DOI":"10.1145\/3560835.3564548","volume-title":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Ladisa Piergiorgio","year":"2022","unstructured":"Piergiorgio Ladisa, Henrik Plate, Matias Martinez, Olivier Barais, and Serena Elisa Ponta. 2022. Towards the detection of malicious java packages. In Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 63\u201372."},{"key":"e_1_3_2_120_2","doi-asserted-by":"crossref","first-page":"71","DOI":"10.1145\/3627106.3627138","volume-title":"Proceedings of the 39th Annual Computer Security Applications Conference","author":"Ladisa Piergiorgio","year":"2023","unstructured":"Piergiorgio Ladisa, Serena Elisa Ponta, Nicola Ronzoni, Matias Martinez, and Olivier Barais. 2023. On the feasibility of cross-language detection of malicious packages in npm and PyPi. In Proceedings of the 39th Annual Computer Security Applications Conference, 71\u201382."},{"key":"e_1_3_2_121_2","doi-asserted-by":"crossref","first-page":"65","DOI":"10.1145\/3605770.3625212","volume-title":"Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Ladisa Piergiorgio","year":"2023","unstructured":"Piergiorgio Ladisa, Merve Sahin, Serena Elisa Ponta, Marco Rosa, Matias Martinez, and Olivier Barais. 
2023. The Hitchhiker\u2019s guide to malicious third-party dependencies. In Proceedings of the 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 65\u201374."},{"key":"e_1_3_2_122_2","first-page":"245","volume-title":"28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Larios Vargas Enrique","year":"2020","unstructured":"Enrique Larios Vargas, Maur\u00edcio Aniche, Christoph Treude, Magiel Bruntink, and Georgios Gousios. 2020. Selecting third-party libraries: The practitioners\u2019 perspective. In 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 245\u2013256."},{"key":"e_1_3_2_123_2","unstructured":"Junjie Li Fazle Rabbi Cheng Cheng Aseem Sangalay Yuan Tian and Jinqiu Yang. 2024. An exploratory study on fine-tuning large language models for secure code generation. arXiv:2408.09078. Retrieved from https:\/\/arxiv.org\/abs\/2408.09078"},{"key":"e_1_3_2_124_2","first-page":"590","volume-title":"33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Li Kaixuan","year":"2024","unstructured":"Kaixuan Li, Jian Zhang, Sen Chen, Han Liu, Yang Liu, and Yixiang Chen. 2024. PatchFinder: A two-phase approach to security patch tracing for disclosed vulnerabilities in open-source software. In 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 590\u2013602."},{"key":"e_1_3_2_125_2","unstructured":"Raymond Li Loubna Ben Allal Yangtian Zi Niklas Muennighoff Denis Kocetkov Chenghao Mou Marc Marone Christopher Akiki Jia Li Jenny Chim et al. 2023. StarCoder: May the source be with you! arXiv:2305.06161. Retrieved from https:\/\/arxiv.org\/abs\/2305.06161"},{"key":"e_1_3_2_126_2","unstructured":"Ziyang Li Saikat Dutta and Mayur Naik. 2024. LLM-assisted static analysis for detecting security vulnerabilities. arXiv:2405.17238. 
Retrieved from https:\/\/arxiv.org\/abs\/2405.17238"},{"key":"e_1_3_2_127_2","first-page":"2397","volume-title":"2022 IEEE Symposium on Security and Privacy (SP)","author":"Li Zhi","year":"2022","unstructured":"Zhi Li, Weijie Liu, Hongbo Chen, XiaoFeng Wang, Xiaojing Liao, Luyi Xing, Mingming Zha, Hai Jin, and Deqing Zou. 2022. Robbery on DevOps: Understanding and mitigating illicit cryptomining on continuous integration service platforms. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 2397\u20132412."},{"key":"e_1_3_2_128_2","unstructured":"Zhen Li Deqing Zou Shouhuai Xu Xinyu Ou Hai Jin Sujuan Wang Zhijun Deng and Yuyi Zhong. 2018. VulDeePecker: A deep learning-based system for vulnerability detection. arXiv:1801.01681. Retrieved from https:\/\/arxiv.org\/abs\/1801.01681"},{"key":"e_1_3_2_129_2","unstructured":"Linux Foundation. 2022. The State of Software Bill of Materials (SBOM) and Cybersecurity Readiness. Retrieved from https:\/\/www.linuxfoundation.org\/research\/the-state-of-software-bill-of-materials-sbom-and-cybersecurity-readiness"},{"key":"e_1_3_2_130_2","first-page":"672","volume-title":"44th International Conference on Software Engineering","author":"Liu Chengwei","year":"2022","unstructured":"Chengwei Liu, Sen Chen, Lingling Fan, Bihuan Chen, Yang Liu, and Xin Peng. 2022. Demystifying the vulnerability propagation and its evolution via dependency trees in the npm ecosystem. In 44th International Conference on Software Engineering, 672\u2013684."},{"key":"e_1_3_2_131_2","first-page":"205","volume-title":"16th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement","author":"Liu Xin","year":"2022","unstructured":"Xin Liu, Yixiong Wu, Qingchen Yu, Shangru Song, Yue Liu, Qingguo Zhou, and Jianwei Zhuge. 2022. PG-VulNet: Detect supply chain vulnerabilities in IoT devices using pseudo-code and graphs. 
In 16th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement, 205\u2013215."},{"key":"e_1_3_2_132_2","unstructured":"Yi Liu Gelei Deng Yuekang Li Kailong Wang Zihao Wang Xiaofeng Wang Tianwei Zhang Yepang Liu Haoyu Wang Yan Zheng et al. 2023. Prompt injection attack against LLM-integrated applications. arXiv:2306.05499. Retrieved from https:\/\/arxiv.org\/abs\/2306.05499"},{"key":"e_1_3_2_133_2","first-page":"229","volume-title":"2023 8th International Conference on Data Science in Cyberspace (DSC)","author":"Liu Zhihong","year":"2023","unstructured":"Zhihong Liu, Qing Liao, Wenchao Gu, and Cuiyun Gao. 2023. Software vulnerability detection with GPT and in-context learning. In 2023 8th International Conference on Data Science in Cyberspace (DSC). IEEE, 229\u2013236."},{"key":"e_1_3_2_134_2","doi-asserted-by":"crossref","first-page":"112031","DOI":"10.1016\/j.jss.2024.112031","article-title":"GRACE: Empowering LLM-based software vulnerability detection with graph structure and in-context learning","volume":"212","author":"Lu Guilong","year":"2024","unstructured":"Guilong Lu, Xiaolin Ju, Xiang Chen, Wenlong Pei, and Zhilong Cai. 2024. GRACE: Empowering LLM-based software vulnerability detection with graph structure and in-context learning. Journal of Systems and Software 212 (2024), 112031.","journal-title":"Journal of Systems and Software"},{"key":"e_1_3_2_135_2","unstructured":"Shuai Lu Nan Duan Hojae Han Daya Guo Seung-won Hwang and Alexey Svyatkovskiy. 2022. ReACC: A retrieval-augmented code completion framework. arXiv:2203.07722. Retrieved from https:\/\/arxiv.org\/abs\/2203.07722"},{"key":"e_1_3_2_136_2","first-page":"1","volume-title":"6th International Workshop on Security Measurements and Metrics","author":"Massacci Fabio","year":"2010","unstructured":"Fabio Massacci and Viet Hung Nguyen. 2010. Which is the right source for vulnerability studies? An empirical analysis on Mozilla Firefox. 
In 6th International Workshop on Security Measurements and Metrics, 1\u20138."},{"key":"e_1_3_2_137_2","volume-title":"Network and Distributed Systems Security (NDSS) Symposium","author":"Meli Michael","year":"2019","unstructured":"Michael Meli, Matthew R. McNiece, and Bradley Reaves. 2019. How bad can it Git? Characterizing secret leakage in public GitHub repositories. In Network and Distributed Systems Security (NDSS) Symposium."},{"key":"e_1_3_2_138_2","unstructured":"Microsoft. 2019. OSS Detect Backdoor. Retrieved September 25 2024 from https:\/\/github.com\/microsoft\/OSSGadget\/wiki\/OSS-Detect-Backdoor"},{"key":"e_1_3_2_139_2","volume-title":"International Conference on Software Engineering (ICSE)","author":"Miller Courtney","year":"2025","unstructured":"Courtney Miller, Mahmoud Jahanshahi, Audris Mockus, Bogdan Vasilescu, and Christian K\u00e4stner. 2025. Understanding the response to open-source dependency abandonment in the npm ecosystem. In International Conference on Software Engineering (ICSE)."},{"key":"e_1_3_2_140_2","volume-title":"Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC\/FSE)","author":"Miller Courtney","year":"2023","unstructured":"Courtney Miller, Christian K\u00e4stner, and Bogdan Vasilescu. 2023. \u201cWe feel like we\u2019re winging it:\u201d A study on navigating open-source dependency abandonment. In Proceedings of the European Software Engineering Conference and ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC\/FSE). ACM Press, New York, NY."},{"key":"e_1_3_2_141_2","doi-asserted-by":"crossref","first-page":"234","DOI":"10.1109\/MSR59073.2023.00042","volume-title":"2023 IEEE\/ACM 20th International Conference on Mining Software Repositories (MSR)","author":"Mohayeji Hamid","year":"2023","unstructured":"Hamid Mohayeji, Andrei Agaronian, Eleni Constantinou, Nicola Zannone, and Alexander Serebrenik. 2023. 
Investigating the resolution of vulnerable dependencies with dependabot security updates. In 2023 IEEE\/ACM 20th International Conference on Mining Software Repositories (MSR). IEEE, 234\u2013246."},{"key":"e_1_3_2_142_2","unstructured":"Ahmad Mohsin Helge Janicke Adrian Wood Iqbal H Sarker Leandros Maglaras and Naeem Janjua. 2024. Can we trust large language models generated code? A framework for in-context learning security patterns and code evaluations across diverse LLMs. arXiv:2406.12513. Retrieved from https:\/\/arxiv.org\/abs\/2406.12513"},{"key":"e_1_3_2_143_2","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1145\/3627106.3627129","volume-title":"39th Annual Computer Security Applications Conference (ACSAC \u201923)","author":"Moore Marina","year":"2023","unstructured":"Marina Moore, Trishank Karthik Kuppusamy, and Justin Cappos. 2023. Artemis: Defanging software supply chain attacks in multi-repository update systems. In 39th Annual Computer Security Applications Conference (ACSAC \u201923). ACM, New York, NY, 83\u201397. DOI: 10.1145\/3627106.3627129"},{"issue":"6","key":"e_1_3_2_144_2","doi-asserted-by":"crossref","first-page":"3618","DOI":"10.1109\/TEM.2021.3122012","article-title":"Toward using package centrality trend to identify packages in decline","volume":"69","author":"Mujahid Suhaib","year":"2021","unstructured":"Suhaib Mujahid, Diego Elias Costa, Rabe Abdalkareem, Emad Shihab, Mohamed Aymen Saied, and Bram Adams. 2021. Toward using package centrality trend to identify packages in decline. IEEE Transactions on Engineering Management 69, 6 (2021), 3618\u20133632.","journal-title":"IEEE Transactions on Engineering Management"},{"key":"e_1_3_2_145_2","volume-title":"USENIX Security Symposium","author":"Muralee Siddharth","year":"2023","unstructured":"Siddharth Muralee, Igibek Koishybayev, Aleksandr Nahapetyan, Greg Tystahl, Brad Reaves, Antonio Bianchi, William Enck, Alexandros Kapravelos, and Aravind Machiry. 2023. 
ARGUS: A framework for staged static taint analysis of GitHub workflows and actions. In USENIX Security Symposium."},{"key":"e_1_3_2_146_2","first-page":"2353","volume-title":"2022 ACM SIGSAC Conference on Computer and Communications Security","author":"Newman Zachary","year":"2022","unstructured":"Zachary Newman, John Speed Meyers, and Santiago Torres-Arias. 2022. Sigstore: Software signing for everybody. In 2022 ACM SIGSAC Conference on Computer and Communications Security, 2353\u20132367."},{"key":"e_1_3_2_147_2","first-page":"1","volume-title":"2023 15th International Conference on Knowledge and Systems Engineering (KSE)","author":"Nguyen Son","year":"2023","unstructured":"Son Nguyen, Thanh Trong Vu, and Hieu Dinh Vo. 2023. VFFINDER: A graph-based approach for automated silent vulnerability-fix identification. In 2023 15th International Conference on Knowledge and Systems Engineering (KSE). IEEE, 1\u20136."},{"key":"e_1_3_2_148_2","first-page":"1726","volume-title":"30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Nguyen Truong Giang","year":"2022","unstructured":"Truong Giang Nguyen, Thanh Le-Cong, Hong Jin Kang, Xuan-Bach D Le, and David Lo. 2022. VulCurator: A vulnerability-fixing commit detector. In 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 1726\u20131730."},{"key":"e_1_3_2_149_2","unstructured":"Erik Nijkamp Bo Pang Hiroaki Hayashi Lifu Tu Huan Wang Yingbo Zhou Silvio Savarese and Caiming Xiong. 2022. CodeGen: An open large language model for code with multi-turn program synthesis. arXiv:2203.13474. 
Retrieved from https:\/\/arxiv.org\/abs\/2203.13474"},{"key":"e_1_3_2_150_2","doi-asserted-by":"crossref","first-page":"2284","DOI":"10.1145\/3637528.3671837","volume-title":"Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining","author":"Ning Liang-bo","year":"2024","unstructured":"Liang-bo Ning, Shijie Wang, Wenqi Fan, Qing Li, Xin Xu, Hao Chen, and Feiran Huang. 2024. CheatAgent: Attacking LLM-empowered recommender systems via LLM agent. In Proceedings of the 30th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, 2284\u20132295."},{"key":"e_1_3_2_151_2","unstructured":"NIST. 2022. NIST Special Publication 800-218 Secure Software Development Framework (SSDF). Retrieved from https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-218.pdf"},{"key":"e_1_3_2_152_2","unstructured":"NIST. 2022. NIST Special Publication 800-161 Rev 1 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. Retrieved May 2022 from https:\/\/csrc.nist.gov\/pubs\/sp\/800\/161\/r1\/final"},{"key":"e_1_3_2_153_2","unstructured":"NTIA. 2021. The Minimal Elements of a Software Bill of Materials. Retrieved July 21 2021 from https:\/\/www.ntia.doc.gov\/files\/ntia\/publications\/sbom_minimum_elements_report.pdf"},{"key":"e_1_3_2_154_2","unstructured":"National Institute of Standards and Technology (NIST). 2024. National Vulnerability Database (NVD). Retrieved September 25 2024 from https:\/\/nvd.nist.gov\/"},{"key":"e_1_3_2_155_2","first-page":"1","volume-title":"17th International Conference on Availability, Reliability and Security","author":"Ohm Marc","year":"2022","unstructured":"Marc Ohm, Felix Boes, Christian Bungartz, and Michael Meier. 2022. On the feasibility of supervised machine learning for the detection of malicious software packages. 
In 17th International Conference on Availability, Reliability and Security, 1\u201310."},{"key":"e_1_3_2_156_2","volume-title":"Towards Detection of Malicious Software Packages Through Code Reuse by Malevolent Actors","author":"Ohm Marc","year":"2022","unstructured":"Marc Ohm, Lukas Kempf, Felix Boes, and Michael Meier. 2022. Towards Detection of Malicious Software Packages Through Code Reuse by Malevolent Actors. Gesellschaft f\u00fcr Informatik, Bonn."},{"key":"e_1_3_2_157_2","first-page":"23","volume-title":"17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA \u201920)","author":"Ohm Marc","year":"2020","unstructured":"Marc Ohm, Henrik Plate, Arnold Sykosch, and Michael Meier. 2020. Backstabber\u2019s knife collection: A review of open source software supply chain attacks. In 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA \u201920). Springer, 23\u201343."},{"key":"e_1_3_2_158_2","volume-title":"12th International Conference on Learning Representations","author":"Olausson Theo X","year":"2023","unstructured":"Theo X Olausson, Jeevana Priya Inala, Chenglong Wang, Jianfeng Gao, and Armando Solar-Lezama. 2023. Is self-repair a silver bullet for code generation? In 12th International Conference on Learning Representations."},{"key":"e_1_3_2_159_2","unstructured":"Marwan Omar. 2023. Detecting software vulnerabilities using language models. arXiv:2302.11773. Retrieved from https:\/\/arxiv.org\/abs\/2302.11773"},{"key":"e_1_3_2_160_2","doi-asserted-by":"crossref","first-page":"692","DOI":"10.1145\/3643991.3644899","volume-title":"21st International Conference on Mining Software Repositories","author":"Onsori Delicheh Hassan","year":"2024","unstructured":"Hassan Onsori Delicheh, Alexandre Decan, and Tom Mens. 2024. Quantifying security issues in reusable JavaScript actions in GitHub workflows. 
In 21st International Conference on Mining Software Repositories, 692\u2013703."},{"key":"e_1_3_2_161_2","unstructured":"OpenSSF. 2023. SLSA Tech Talk Highlights. Retrieved from https:\/\/openssf.org\/blog\/2023\/10\/20\/slsa-tech-talk-highlights\/"},{"key":"e_1_3_2_162_2","unstructured":"OpenSSF. 2023. Supply-chain Levels for Software Artifacts (SLSA). Retrieved from https:\/\/slsa.dev\/"},{"key":"e_1_3_2_163_2","unstructured":"OpenSSF. 2023. Secure Supply Chain Consumption Framework (S2C2F). Retrieved July 2023 from https:\/\/github.com\/ossf\/s2c2f"},{"key":"e_1_3_2_164_2","unstructured":"OpenSSF. 2024. Repository Service for TUF (RSTUF). Retrieved September 26 2024 from https:\/\/openssf.org\/projects\/repository-service-for-tuf\/"},{"key":"e_1_3_2_165_2","unstructured":"OWASP. 2024. Software Component Verification Standard. Retrieved from https:\/\/scvs.owasp.org\/"},{"key":"e_1_3_2_166_2","first-page":"1","volume-title":"12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement","author":"Pashchenko Ivan","year":"2018","unstructured":"Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2018. Vulnerable open source dependencies: Counting those that matter. In 12th ACM\/IEEE International Symposium on Empirical Software Engineering and Measurement, 1\u201310."},{"issue":"5","key":"e_1_3_2_167_2","doi-asserted-by":"crossref","first-page":"1592","DOI":"10.1109\/TSE.2020.3025443","article-title":"Vuln4Real: A methodology for counting actually vulnerable dependencies","volume":"48","author":"Pashchenko Ivan","year":"2020","unstructured":"Ivan Pashchenko, Henrik Plate, Serena Elisa Ponta, Antonino Sabetta, and Fabio Massacci. 2020. Vuln4Real: A methodology for counting actually vulnerable dependencies. 
IEEE Transactions on Software Engineering 48, 5 (2020), 1592\u20131609.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_168_2","doi-asserted-by":"crossref","first-page":"754","DOI":"10.1109\/SP46214.2022.9833571","volume-title":"2022 IEEE Symposium on Security and Privacy (SP)","author":"Pearce Hammond","year":"2022","unstructured":"Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt, and Ramesh Karri. 2022. Asleep at the keyboard? Assessing the security of GitHub copilot\u2019s code contributions. In 2022 IEEE Symposium on Security and Privacy (SP). IEEE, 754\u2013768."},{"key":"e_1_3_2_169_2","unstructured":"Henrik Plate. 2023. SBOM vs. SBOM: Comparing SBOMs from different tools and lifecycle stages. Retrieved from https:\/\/www.endorlabs.com\/learn\/sbom-vs-sbom-comparing-sboms-from-different-tools-and-lifecycle-stages"},{"key":"e_1_3_2_170_2","first-page":"449","volume-title":"2018 IEEE International Conference on Software Maintenance and Evolution (ICSME)","author":"Ponta Serena Elisa","year":"2018","unstructured":"Serena Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2018. Beyond metadata: Code-centric and usage-based analysis of known vulnerabilities in open-source software. In 2018 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, 449\u2013460."},{"issue":"5","key":"e_1_3_2_171_2","doi-asserted-by":"crossref","first-page":"3175","DOI":"10.1007\/s10664-020-09830-x","article-title":"Detection, assessment and mitigation of vulnerabilities in open source dependencies","volume":"25","author":"Ponta Serena Elisa","year":"2020","unstructured":"Serena Elisa Ponta, Henrik Plate, and Antonino Sabetta. 2020. Detection, assessment and mitigation of vulnerabilities in open source dependencies. Empirical Software Engineering 25, 5 (2020), 3175\u20133215.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_172_2","first-page":"1","article-title":"Out of sight, out of mind? 
How vulnerable dependencies affect open-source projects","volume":"26","author":"Prana Gede Artha Azriadi","year":"2021","unstructured":"Gede Artha Azriadi Prana, Abhishek Sharma, Lwin Khin Shar, Darius Foo, Andrew E. Santosa, Asankhaya Sharma, and David Lo. 2021. Out of sight, out of mind? How vulnerable dependencies affect open-source projects. Empirical Software Engineering 26 (2021), 1\u201334.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_173_2","doi-asserted-by":"crossref","first-page":"112","DOI":"10.1109\/ISSREW60843.2023.00058","volume-title":"2023 IEEE 34th International Symposium on Software Reliability Engineering Workshops (ISSREW)","author":"Purba Moumita Das","year":"2023","unstructured":"Moumita Das Purba, Arpita Ghosh, Benjamin J. Radford, and Bill Chu. 2023. Software vulnerability detection using large language models. In 2023 IEEE 34th International Symposium on Software Reliability Engineering Workshops (ISSREW). IEEE, 112\u2013119."},{"key":"e_1_3_2_174_2","unstructured":"PyPA. 2021. Python Packaging Advisory Database. Retrieved from https:\/\/github.com\/pypa\/advisory-database"},{"key":"e_1_3_2_175_2","unstructured":"pyup.io. 2024. Safety DB. Retrieved from https:\/\/github.com\/pyupio\/safety-db"},{"key":"e_1_3_2_176_2","doi-asserted-by":"crossref","first-page":"1233","DOI":"10.1145\/3605098.3635927","volume-title":"39th ACM\/SIGAPP Symposium on Applied Computing","author":"Rabbi Md Fazle","year":"2024","unstructured":"Md Fazle Rabbi, Arifa Islam Champa, Costain Nachuma, and Minhaz Fahim Zibran. 2024. Sbom generation tools under microscope: A focus on the npm ecosystem. In 39th ACM\/SIGAPP Symposium on Applied Computing, 1233\u20131241."},{"key":"e_1_3_2_177_2","volume-title":"39th ACM\/SIGAPP Symposium on Applied Computing","author":"Rabbi Md Fazle","year":"2024","unstructured":"Md Fazle Rabbi, Arifa Islam Champa, Costain Nachuma, and Minhaz Fahim Zibran. 2024. 
SBOM generation tools under microscope: A focus on the npm ecosystem. In 39th ACM\/SIGAPP Symposium on Applied Computing. ACM, New York, NY."},{"key":"e_1_3_2_178_2","unstructured":"Imranur Rahman Ranidya Paramitha Henrik Plate Dominik Wermke and Laurie Williams. 2024. Less is more: A mixed-methods study on security-sensitive API calls in Java for better dependency selection. arXiv:2408.02846. Retrieved from https:\/\/arxiv.org\/abs\/2408.02846"},{"key":"e_1_3_2_179_2","unstructured":"Imranur Rahman Nusrat Zahan Stephen Magill William Enck and Laurie Williams. 2024. Characterizing dependency update practice of NPM PyPI and Cargo packages. arXiv:2403.17382. Retrieved from https:\/\/arxiv.org\/abs\/2403.17382"},{"key":"e_1_3_2_180_2","volume-title":"Proceedings of the 33rd USENIX Security Symposium (USENIX Sec \u201924)","author":"Ramulu Harshini Sri","year":"2024","unstructured":"Harshini Sri Ramulu, Helen Schmitt, Dominik Wermke, and Yasemin Acar. 2024. Security and privacy software creators\u2019 perspectives on unintended consequences. In Proceedings of the 33rd USENIX Security Symposium (USENIX Sec \u201924). USENIX Association. Retrieved August 9, 2023 from https:\/\/www.usenix.org\/conference\/usenixsecurity23\/presentation\/krause"},{"key":"e_1_3_2_181_2","first-page":"22","volume-title":"19th International Conference on Predictive Models and Data Analytics in Software Engineering","author":"Reid David","year":"2023","unstructured":"David Reid, Kristiina Rahkema, and James Walden. 2023. Large scale study of orphan vulnerabilities in the software supply chain. In 19th International Conference on Predictive Models and Data Analytics in Software Engineering, 22\u201332."},{"key":"e_1_3_2_182_2","first-page":"71","volume-title":"40th International Conference on Software Engineering (ICSE \u201918)","author":"Ren Zhilei","year":"2018","unstructured":"Zhilei Ren, He Jiang, Jifeng Xuan, and Zijiang Yang. 2018. Automated localization for unreproducible builds. 
In 40th International Conference on Software Engineering (ICSE \u201918). ACM, New York, NY, 71\u201381. DOI: 10.1145\/3180155.3180224"},{"key":"e_1_3_2_183_2","first-page":"527","volume-title":"2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE \u201919)","author":"Ren Zhilei","year":"2019","unstructured":"Zhilei Ren, Changlin Liu, Xusheng Xiao, He Jiang, and Tao Xie. 2019. Root cause localization for unreproducible builds via causality analysis over system call tracing. In 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE \u201919), 527\u2013538. DOI: 10.1109\/ASE.2019.00056"},{"key":"e_1_3_2_184_2","first-page":"200","volume-title":"44th International Conference on Software Engineering (ICSE \u201922)","author":"Ren Zhilei","year":"2022","unstructured":"Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, Zhide Zhou, and He Jiang. 2022. Automated patching for unreproducible builds. In 44th International Conference on Software Engineering (ICSE \u201922). ACM, New York, NY, 200\u2013211. DOI: 10.1145\/3510003.3510102"},{"key":"e_1_3_2_185_2","unstructured":"Renovatebot. 2024. Renovatebot: Automating Dependency Updates. Retrieved September 25 2024 from https:\/\/github.com\/renovatebot\/renovate"},{"key":"e_1_3_2_186_2","first-page":"1","volume-title":"2004 ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Rountev Atanas","year":"2004","unstructured":"Atanas Rountev, Scott Kagan, and Michael Gibas. 2004. Static and dynamic analysis of call chains in Java. In 2004 ACM SIGSOFT International Symposium on Software Testing and Analysis, 1\u201311."},{"key":"e_1_3_2_187_2","unstructured":"RustSec. 2018. RustSec Advisory Database. 
Retrieved from https:\/\/github.com\/rustsec\/advisory-db"},{"key":"e_1_3_2_188_2","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/MSEC.2023.3343836","article-title":"Known vulnerabilities of open source projects: Where are the fixes?","volume":"22","author":"Sabetta Antonino","year":"2024","unstructured":"Antonino Sabetta, Serena Elisa Ponta, Rocio Cabrera Lozoya, Michele Bezzi, Tommaso Sacchetti, Matteo Greco, Gerg\u0151 Balogh, P\u00e9ter Heged\u0171s, Rudolf Ferenc, Ranindya Paramitha, et al. 2024. Known vulnerabilities of open source projects: Where are the fixes? IEEE Security & Privacy 22 (2024), 49\u201359.","journal-title":"IEEE Security & Privacy"},{"key":"e_1_3_2_189_2","first-page":"61","volume-title":"17th ACM Conference on Computer and Communications Security","author":"Samuel Justin","year":"2010","unstructured":"Justin Samuel, Nick Mathewson, Justin Cappos, and Roger Dingledine. 2010. Survivable key compromise in software update systems. In 17th ACM Conference on Computer and Communications Security, 61\u201372."},{"issue":"10","key":"e_1_3_2_190_2","doi-asserted-by":"crossref","first-page":"2119","DOI":"10.1111\/risa.13309","article-title":"Risk and the five hard problems of cybersecurity","volume":"39","author":"Scala Natalie M.","year":"2019","unstructured":"Natalie M. Scala, Allison C. Reilly, Paul L. Goethals, and Michel Cukier. 2019. Risk and the five hard problems of cybersecurity. Risk Analysis 39, 10 (2019), 2119\u20132126.","journal-title":"Risk Analysis"},{"key":"e_1_3_2_191_2","first-page":"733","volume-title":"2024 IEEE\/ACM 21st International Conference on Mining Software Repositories (MSR)","author":"Scalco Simone","year":"2024","unstructured":"Simone Scalco and Ranindya Paramitha. 2024. Hash4Patch: A lightweight low false positive tool for finding vulnerability patch commits. In 2024 IEEE\/ACM 21st International Conference on Mining Software Repositories (MSR). 
IEEE, 733\u2013737."},{"key":"e_1_3_2_192_2","first-page":"1","volume-title":"Proceedings of the 17th International Conference on Availability, Reliability and Security","author":"Scalco Simone","year":"2022","unstructured":"Simone Scalco, Ranindya Paramitha, Duc-Ly Vu, and Fabio Massacci. 2022. On the feasibility of detecting injections in malicious npm packages. In Proceedings of the 17th International Conference on Availability, Reliability and Security, 1\u20138."},{"key":"e_1_3_2_193_2","unstructured":"Scorecard. 2021. Security Scorecards for Open Source Projects. Retrieved from https:\/\/github.com\/ossf\/scorecard"},{"key":"e_1_3_2_194_2","first-page":"1681","volume-title":"44th International Conference on Software Engineering","author":"Sejfia Adriana","year":"2022","unstructured":"Adriana Sejfia and Max Sch\u00e4fer. 2022. Practical automated detection of malicious npm packages. In 44th International Conference on Software Engineering, 1681\u20131692."},{"key":"e_1_3_2_195_2","unstructured":"Aman Sharma Martin Wittlinger Benoit Baudry and Martin Monperrus. 2024. SBOM.EXE: Countering dynamic code injection based on software bill of materials in Java. arXiv:2407.00246. Retrieved from https:\/\/arxiv.org\/abs\/2407.00246"},{"key":"e_1_3_2_196_2","unstructured":"Xinyue Shen Zeyuan Chen Michael Backes Yun Shen and Yang Zhang. 2023. \u201cDo anything now\u201d: Characterizing and evaluating in-the-wild jailbreak prompts on large language models. arXiv:2308.03825. Retrieved from https:\/\/arxiv.org\/abs\/arXiv:2308.03825"},{"key":"e_1_3_2_197_2","doi-asserted-by":"crossref","first-page":"842","DOI":"10.2197\/ipsjjip.31.842","article-title":"Proposal of vulnerability assessment tool for software supply chain security","volume":"31","author":"Shourya Rajulapati","year":"2023","unstructured":"Rajulapati Shourya, Yoko Kumagai, C. Ashokkumar, Hiroki Yamazaki, and Hirofumi Nakakoji. 2023. Proposal of vulnerability assessment tool for software supply chain security. 
Journal of Information Processing 31 (2023), 842\u2013850.","journal-title":"Journal of Information Processing"},{"key":"e_1_3_2_198_2","unstructured":"Ilia Shumailov Zakhar Shumaylov Yiren Zhao Yarin Gal Nicolas Papernot and Ross Anderson. 2023. The curse of recursion: Training on generated data makes models forget. arXiv:2305.17493. Retrieved from https:\/\/arxiv.org\/abs\/2305.17493"},{"key":"e_1_3_2_199_2","unstructured":"Sigstore Project. Fulcio Certificate Authority Overview. Sigstore Documentation. Retrieved September 26 2024 from https:\/\/docs.sigstore.dev\/certificate_authority\/overview\/"},{"key":"e_1_3_2_200_2","unstructured":"Sigstore Project. 2024. OIDC Usage in Fulcio. Sigstore Documentation. Retrieved September 26 2024 from https:\/\/docs.sigstore.dev\/certificate_authority\/oidc-in-fulcio\/"},{"key":"e_1_3_2_201_2","unstructured":"Sigstore Project. Rekor Logging Overview. Sigstore Documentation. Retrieved September 26 2024 from https:\/\/docs.sigstore.dev\/logging\/overview\/"},{"key":"e_1_3_2_202_2","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1145\/3605770.3625214","volume-title":"2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","author":"Singla Tanmay","year":"2023","unstructured":"Tanmay Singla, Dharun Anandayuvaraj, Kelechi G. Kalu, Taylor R. Schorlemmer, and James C. Davis. 2023. An empirical study on using large language models to analyze software supply chain security failures. In 2023 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 5\u201315."},{"key":"e_1_3_2_203_2","unstructured":"SLSA. 2022. SBOM + SLSA: Accelerating SBOM success with the help of SLSA. Retrieved from https:\/\/slsa.dev\/blog\/2022\/05\/slsa-sbom"},{"key":"e_1_3_2_204_2","unstructured":"Snyk. 2024. Snyk vulnerability database. Retrieved from https:\/\/snyk.io\/vuln"},{"key":"e_1_3_2_205_2","unstructured":"SolarWinds. 2021. SolarWinds Security Advisory. 
Retrieved April 6 2021 from https:\/\/www.solarwinds.com\/sa-overview\/securityadvisory"},{"key":"e_1_3_2_206_2","unstructured":"Sonatype. 2021. 7th State of the Software Supply Chain. Retrieved from https:\/\/www.sonatype.com\/resources\/state-of-the-software-supply-chain-2021"},{"key":"e_1_3_2_207_2","unstructured":"Sonatype. 2024. State of the Software Supply Chain: A Decade of Data. Retrieved from https:\/\/www.sonatype.com\/en\/press-releases\/sonatypes-10th-annual-state-of-the-software-supply-chain-report"},{"key":"e_1_3_2_208_2","unstructured":"Joseph Spracklen Raveen Wijewickrama A. H. M. Sakib Anindya Maiti and Murtuza Jadliwala. 2024. We have a package for you! A comprehensive analysis of package hallucinations by code generating LLMs. arXiv:2406.10279. Retrieved from https:\/\/arxiv.org\/abs\/2406.10279"},{"key":"e_1_3_2_209_2","first-page":"1","volume-title":"46th IEEE\/ACM International Conference on Software Engineering","author":"Stalnaker Trevor","year":"2024","unstructured":"Trevor Stalnaker, Nathan Wintersgill, Oscar Chaparro, Massimiliano Di Penta, Daniel M. German, and Denys Poshyvanyk. 2024. Boms away! Inside the minds of stakeholders: A comprehensive study of bills of materials for software systems. In 46th IEEE\/ACM International Conference on Software Engineering, 1\u201313."},{"key":"e_1_3_2_210_2","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1016\/j.infsof.2014.11.001","article-title":"A systematic literature review on the barriers faced by newcomers to open source software projects","volume":"59","author":"Steinmacher Igor","year":"2015","unstructured":"Igor Steinmacher, Marco Aurelio Graciotto Silva, Marco Aurelio Gerosa, and David F. Redmiles. 2015. A systematic literature review on the barriers faced by newcomers to open source software projects. 
Information and Software Technology 59 (2015), 67\u201385.","journal-title":"Information and Software Technology"},{"key":"e_1_3_2_211_2","doi-asserted-by":"crossref","first-page":"228","DOI":"10.1109\/APSEC51365.2020.00031","volume-title":"2020 27th Asia-Pacific Software Engineering Conference (APSEC)","author":"Stringer Jacob","year":"2020","unstructured":"Jacob Stringer, Amjed Tahir, Kelly Blincoe, and Jens Dietrich. 2020. Technical lag of dependencies in major package managers. In 2020 27th Asia-Pacific Software Engineering Conference (APSEC), 228\u2013237. DOI: 10.1109\/APSEC51365.2020.00031"},{"key":"e_1_3_2_212_2","unstructured":"Donald Stufft Justin Cappos and Trishank Karthik Kuppusamy. 2014. PEP 458\u2014Secure PyPI Downloads with TUF. Retrieved September 26 2024 from https:\/\/peps.python.org\/pep-0458\/#pypi-and-tuf-metadata"},{"key":"e_1_3_2_213_2","first-page":"970","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Sun Jiamou","year":"2023","unstructured":"Jiamou Sun, Zhenchang Xing, Qinghua Lu, Xiwei Xu, Liming Zhu, Thong Hoang, and Dehai Zhao. 2023. Silent vulnerable dependency alert prediction with vulnerability key aspect explanation. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 970\u2013982."},{"key":"e_1_3_2_214_2","doi-asserted-by":"crossref","first-page":"267","DOI":"10.1145\/3640824.3640866","volume-title":"2024 8th International Conference on Control Engineering and Artificial Intelligence","author":"Sun Zhi","year":"2024","unstructured":"Zhi Sun, Zhaoheng Quan, Shangren Yu, Ling Zhang, and Dengming Mao. 2024. A knowledge-driven framework for software supply chain security analysis. In 2024 8th International Conference on Control Engineering and Artificial Intelligence, 267\u2013272."},{"key":"e_1_3_2_215_2","unstructured":"Synopsys. 2023. Open Source Security and Risk Analysis (OSSRA). 
Retrieved from https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html"},{"key":"e_1_3_2_216_2","unstructured":"Synopsys. 2024. 2024 Open Source Security and Risk Analysis (OSSRA) Report. Technical Report, CA, USA. Retrieved from https:\/\/www.synopsys.com\/software-integrity\/resources\/analyst-reports\/open-source-security-risk-analysis.html"},{"key":"e_1_3_2_217_2","unstructured":"Marc Szafraniec Baptiste Roziere Hugh Leather Francois Charton Patrick Labatut and Gabriel Synnaeve. 2022. Code translation with compiler representations. arXiv:2207.03578. Retrieved from https:\/\/arxiv.org\/abs\/2207.03578"},{"key":"e_1_3_2_218_2","doi-asserted-by":"crossref","unstructured":"Mahzabin Tamanna Sivana Hamer Mindy Tran Sascha Fahl Yasemin Acar and Laurie Williams. 2024. Unraveling challenges with supply-chain levels for software artifacts (SLSA) for securing the software supply chain. arXiv:2409.05014. Retrieved from https:\/\/arxiv.org\/abs\/2409.05014","DOI":"10.2139\/ssrn.4979511"},{"key":"e_1_3_2_219_2","first-page":"3282","volume-title":"2021 ACM SIGSAC Conference on Computer and Communications Security","author":"Tan Xin","year":"2021","unstructured":"Xin Tan, Yuan Zhang, Chenyuan Mi, Jiajun Cao, Kun Sun, Yifan Lin, and Min Yang. 2021. Locating the security patches for disclosed OSS vulnerabilities with vulnerability-commit correlation ranking. In 2021 ACM SIGSAC Conference on Computer and Communications Security, 3282\u20133299."},{"key":"e_1_3_2_220_2","first-page":"1","volume-title":"2024 IEEE\/ACM 17th International Conference on Cooperative and Human Aspects of Software Engineering","author":"Tanzil Minaoar Hossain","year":"2024","unstructured":"Minaoar Hossain Tanzil, Gias Uddin, and Ann Barcomb. 2024. \u201cHow do people decide?\u201d: A model for software library selection. 
In 2024 IEEE\/ACM 17th International Conference on Cooperative and Human Aspects of Software Engineering, 1\u201312."},{"key":"e_1_3_2_221_2","doi-asserted-by":"crossref","unstructured":"Matthew Taylor Ruturaj K Vaidya Drew Davidson Lorenzo De Carli and Vaibhav Rastogi. 2020. SpellBound: Defending against package typosquatting. arXiv:2003.03471. Retrieved from https:\/\/arxiv.org\/abs\/2003.03471","DOI":"10.1007\/978-3-030-65745-1_7"},{"key":"e_1_3_2_222_2","doi-asserted-by":"crossref","first-page":"481","DOI":"10.1145\/3564625.3567985","volume-title":"38th Annual Computer Security Applications Conference","author":"Thapa Chandra","year":"2022","unstructured":"Chandra Thapa, Seung Ick Jang, Muhammad Ejaz Ahmed, Seyit Camtepe, Josef Pieprzyk, and Surya Nepal. 2022. Transformer-based language models for software vulnerability detection. In 38th Annual Computer Security Applications Conference, 481\u2013496."},{"key":"e_1_3_2_223_2","unstructured":"The White House. 2021. Executive Order on America\u2019s Supply Chains (EO14017). Retrieved from https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"e_1_3_2_224_2","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"e_1_3_2_225_2","unstructured":"Tidelift. 2024. The 2024 Tidelift State of the Open Source Maintainer Report. Retrieved from https:\/\/explore.tidelift.com\/2024-survey"},{"key":"e_1_3_2_226_2","first-page":"1393","volume-title":"28th USENIX Security Symposium (USENIX Security \u201919)","author":"Torres-Arias Santiago","year":"2019","unstructured":"Santiago Torres-Arias, Hammad Afzali, Trishank Karthik Kuppusamy, Reza Curtmola, and Justin Cappos. 2019. In-toto: Providing farm-to-table guarantees for bits and bytes. 
In 28th USENIX Security Symposium (USENIX Security \u201919), 1393\u20131410."},{"issue":"6","key":"e_1_3_2_227_2","doi-asserted-by":"crossref","first-page":"50","DOI":"10.1109\/MSEC.2023.3315887","article-title":"A viewpoint on knowing software: Bill of materials quality when you see it","volume":"21","author":"Torres-Arias Santiago","year":"2023","unstructured":"Santiago Torres-Arias, Dan Geer, and John Speed Meyers. 2023. A viewpoint on knowing software: Bill of materials quality when you see it. IEEE Security & Privacy 21, 6 (Nov. 2023), 50\u201354.","journal-title":"IEEE Security & Privacy"},{"key":"e_1_3_2_228_2","unstructured":"Mindy Tran Yasemin Acar Michel Cukier William Enck Alexandros Kapravelos Christian Kastner and Laurie Williams. 2022. S3C2 summit 2022-09: Industry secure supply chain summit. arXiv:2307.15642. Retrieved from http:\/\/arxiv.org\/abs\/2307.15642"},{"key":"e_1_3_2_229_2","unstructured":"Greg Tystahl Yasemin Acar Michel Cukier William Enck Alexandros Kapravelos Christian Kastner and Laurie Williams. 2024. S3C2 summit 2024-03: Industry secure supply chain summit. arXiv:2405.08762. Retrieved from https:\/\/arxiv.org\/abs\/2405.08762"},{"key":"e_1_3_2_230_2","unstructured":"Greg Tystahl Yasemin Acar Michel Cukier William Enck Christian Kastner Alexandros Kapravelos Dominik Wermke and Laurie Williams. 2024. S3C2 summit 2024-03: Industry secure supply chain summit. arXiv:2405.08762. Retrieved from https:\/\/arxiv.org\/abs\/2405.08762"},{"key":"e_1_3_2_231_2","doi-asserted-by":"crossref","unstructured":"Bibek Upadhayay and Vahid Behzadan. 2024. Sandwich attack: Multi-language mixture adaptive attack on LLMs. arXiv:2404.07242. Retrieved from https:\/\/arxiv.org\/abs\/2404.07242","DOI":"10.18653\/v1\/2024.trustnlp-1.18"},{"key":"e_1_3_2_232_2","unstructured":"USENIX Security. 2024. USENIX Security Ethics Guidelines. 
Retrieved from https:\/\/www.usenix.org\/conference\/usenixsecurity25\/ethics-guidelines"},{"key":"e_1_3_2_233_2","doi-asserted-by":"crossref","first-page":"123","DOI":"10.1109\/SANER53432.2022.00026","volume-title":"2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)","author":"Valenzuela-Toledo Pablo","year":"2022","unstructured":"Pablo Valenzuela-Toledo and Alexandre Bergel. 2022. Evolution of GitHub action workflows. In 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER). IEEE, 123\u2013127."},{"key":"e_1_3_2_234_2","first-page":"644","volume-title":"2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Valiev Marat","year":"2018","unstructured":"Marat Valiev, Bogdan Vasilescu, and James Herbsleb. 2018. Ecosystem-level determinants of sustained activity in open-source projects: A case study of the PyPI ecosystem. In 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 644\u2013655."},{"key":"e_1_3_2_235_2","first-page":"1755","volume-title":"2021 ACM SIGSAC Conference on Computer and Communications Security","author":"Vasilakis Nikos","year":"2021","unstructured":"Nikos Vasilakis, Achilles Benetopoulos, Shivam Handa, Alizee Schoen, Jiasi Shen, and Martin C. Rinard. 2021. Supply-chain vulnerability elimination via active learning and regeneration. In 2021 ACM SIGSAC Conference on Computer and Communications Security, 1755\u20131770."},{"key":"e_1_3_2_236_2","volume-title":"NDSS Network and Distributed Systems Security (NDSS) Symposium","author":"Vasilakis Nikos","year":"2018","unstructured":"Nikos Vasilakis, Ben Karel, Nick Roessler, Nathan Dautenhahn, Andr\u00e9 DeHon, and Jonathan M. Smith. 2018. BreakApp: Automated, flexible application compartmentalization. 
In NDSS Network and Distributed Systems Security (NDSS) Symposium."},{"key":"e_1_3_2_237_2","unstructured":"Duc-Ly Vu. 2020. A fork of bandit tool with patterns to identifying malicious Python code. Retrieved September 25 2024 from https:\/\/github.com\/lyvd\/bandit4mal"},{"key":"e_1_3_2_238_2","first-page":"780","volume-title":"29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering","author":"Vu Duc-Ly","year":"2021","unstructured":"Duc-Ly Vu, Fabio Massacci, Ivan Pashchenko, Henrik Plate, and Antonino Sabetta. 2021. LastPyMile: Identifying the discrepancy between sources and packages. In 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 780\u2013792."},{"key":"e_1_3_2_239_2","first-page":"499","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Vu Duc-Ly","year":"2023","unstructured":"Duc-Ly Vu, Zachary Newman, and John Speed Meyers. 2023. Bad snakes: Understanding and improving Python package index malware scanning. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 499\u2013511."},{"key":"e_1_3_2_240_2","first-page":"2093","volume-title":"2020 ACM SIGSAC Conference on Computer and Communications Security","author":"Vu Duc Ly","year":"2020","unstructured":"Duc Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Towards using source code repositories to identify software supply chain attacks. In 2020 ACM SIGSAC Conference on Computer and Communications Security, 2093\u20132095."},{"key":"e_1_3_2_241_2","unstructured":"VulnDB. 2018. The Go Vulnerability Database. Retrieved from https:\/\/github.com\/golang\/vulndb"},{"key":"e_1_3_2_242_2","unstructured":"Shenao Wang Yanjie Zhao Xinyi Hou and Haoyu Wang. 2024. Large language model supply chain: A research agenda. arXiv:2404.12736. 
Retrieved from https:\/\/arxiv.org\/abs\/2404.12736"},{"issue":"5","key":"e_1_3_2_243_2","doi-asserted-by":"crossref","first-page":"3155","DOI":"10.1109\/TSE.2023.3243262","article-title":"Plumber: Boosting the propagation of vulnerability fixes in the npm ecosystem","volume":"49","author":"Wang Ying","year":"2023","unstructured":"Ying Wang, Peng Sun, Lin Pei, Yue Yu, Chang Xu, Shing-Chi Cheung, Hai Yu, and Zhiliang Zhu. 2023. Plumber: Boosting the propagation of vulnerability fixes in the npm ecosystem. IEEE Transactions on Software Engineering 49, 5 (2023), 3155\u20133181.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_244_2","doi-asserted-by":"crossref","unstructured":"Yue Wang Weishi Wang Shafiq Joty and Steven CH Hoi. 2021. Codet5: Identifier-aware unified pre-trained encoder-decoder models for code understanding and generation. arXiv:2109.00859. Retrieved from https:\/\/arxiv.org\/abs\/2109.00859","DOI":"10.18653\/v1\/2021.emnlp-main.685"},{"key":"e_1_3_2_245_2","volume-title":"44th IEEE Symposium on Security and Privacy (IEEE S&P \u201923)","author":"Wermke Dominik","year":"2023","unstructured":"Dominik Wermke, Jan H. Klemmer, Noah W\u00f6hler, Juliane Schm\u00fcser, Harshini Sri Ramulu, Yasemin Acar, and Sascha Fahl. 2023. \u201cAlways contribute back\u201d: A qualitative study on security challenges of the open source supply chain. In 44th IEEE Symposium on Security and Privacy (IEEE S&P \u201923). IEEE. Retrieved May 22, 2023 from https:\/\/www.ieee-security.org\/TC\/SP2023\/program-papers.html"},{"key":"e_1_3_2_246_2","volume-title":"43rd IEEE Symposium on Security and Privacy","author":"Wermke Dominik","year":"2022","unstructured":"Dominik Wermke, Noah W\u00f6hler, Jan H. Klemmer, Marcel Fourn\u00e9, Yasemin Acar, and Sascha Fahl. 2022. Committed to trust: A qualitative study on security & trust in open source software projects. In 43rd IEEE Symposium on Security and Privacy. 
Retrieved May 22, 2024 from https:\/\/www.ieee-security.org\/TC\/SP2022\/index.html"},{"key":"e_1_3_2_247_2","unstructured":"Laurie Williams Sammy Migues Jamie Boote and Ben Hutchison. 2024. Proactive software supply chain risk management framework (P-SSCRM) version 1. arXiv:2404.12300. Retrieved from https:\/\/arxiv.org\/abs\/2404.12300"},{"key":"e_1_3_2_248_2","first-page":"1","volume-title":"IEEE\/ACM 46th International Conference on Software Engineering","author":"Wu Susheng","year":"2024","unstructured":"Susheng Wu, Wenyan Song, Kaifeng Huang, Bihuan Chen, and Xin Peng. 2024. Identifying affected libraries and their ecosystems for open source software vulnerabilities. In IEEE\/ACM 46th International Conference on Software Engineering, 1\u201312."},{"key":"e_1_3_2_249_2","first-page":"1447","volume-title":"39th IEEE\/ACM International Conference on Automated Software Engineering","author":"Wu Susheng","year":"2024","unstructured":"Susheng Wu, Ruisi Wang, Kaifeng Huang, Yiheng Cao, Wenyan Song, Zhuotong Zhou, Yiheng Huang, Bihuan Chen, and Xin Peng. 2024. Vision: Identifying affected library versions for open source software vulnerabilities. In 39th IEEE\/ACM International Conference on Automated Software Engineering, 1447\u20131459."},{"key":"e_1_3_2_250_2","first-page":"12","volume-title":"2024 ACM\/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE\/ACM Second International Workshop on Software Vulnerability","author":"Xia Boming","year":"2024","unstructured":"Boming Xia, Dawen Zhang, Yue Liu, Qinghua Lu, Zhenchang Xing, and Liming Zhu. 2024. Trust in software supply chains: Blockchain-enabled SBOM and the AIBOM future. In 2024 ACM\/IEEE 4th International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS) and 2024 IEEE\/ACM Second International Workshop on Software Vulnerability. 
ACM, New York, NY, 12\u201319."},{"key":"e_1_3_2_251_2","unstructured":"Chunqiu Steven Xia Yuxiang Wei and Lingming Zhang. 2022. Practical program repair in the era of large pre-trained language models. arXiv:2210.14179. Retrieved from https:\/\/arxiv.org\/abs\/2210.14179"},{"key":"e_1_3_2_252_2","first-page":"860","volume-title":"30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE \u201922)","author":"Xu Congying","year":"2022","unstructured":"Congying Xu, Bihuan Chen, Chenhao Lu, Kaifeng Huang, Xin Peng, and Yang Liu. 2022. Tracking patches for open source software vulnerabilities. In 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC\/FSE \u201922). ACM, New York, NY, 860\u2013871. DOI: 10.1145\/3540250.3549125"},{"key":"e_1_3_2_253_2","unstructured":"Jiacen Xu Jack W. Stokes Geoff McDonald Xuesong Bai David Marshall Siyue Wang Adith Swaminathan and Zhou Li. 2024. AutoAttacker: A large language model guided system to implement automatic cyber-attacks. arXiv:2403.01038. Retrieved from https:\/\/arxiv.org\/abs\/2403.01038"},{"key":"e_1_3_2_254_2","unstructured":"Zhihao Xu Ruixuan Huang Xiting Wang Fangzhao Wu Jing Yao and Xing Xie. 2024. Uncovering safety risks in open-source LLMs through concept activation vector. arXiv:2404.12038. Retrieved from https:\/\/arxiv.org\/abs\/2404.12038"},{"key":"e_1_3_2_255_2","first-page":"493","volume-title":"2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS)","author":"Yan Dapeng","year":"2021","unstructured":"Dapeng Yan, Yuqing Niu, Kui Liu, Zhe Liu, Zhiming Liu, and Tegawend\u00e9 F. Bissyand\u00e9. 2021. Estimating the attack surface from residual vulnerabilities in open source software supply chain. In 2021 IEEE 21st International Conference on Software Quality, Reliability and Security (QRS). 
IEEE, 493\u2013502."},{"key":"e_1_3_2_256_2","doi-asserted-by":"crossref","unstructured":"Zhou Yang Zhensu Sun Terry Zhuo Yue Premkumar Devanbu and David Lo. 2024. Robustness security privacy explainability efficiency and usability of large language models for code. arXiv:2403.07506. Retrieved from https:\/\/arxiv.org\/abs\/2403.07506","DOI":"10.1145\/3731753"},{"key":"e_1_3_2_257_2","unstructured":"Aditya Sirish A. Yelgundhalli and Justin Cappos. 2024. Introducing gittuf: A security layer for Git repositories. Retrieved September 26 2024 from https:\/\/openssf.org\/blog\/2024\/01\/18\/introducing-gittuf-a-security-layer-for-git-repositories\/"},{"issue":"1","key":"e_1_3_2_258_2","doi-asserted-by":"crossref","first-page":"106","DOI":"10.4218\/etrij.2023-0357","article-title":"Framework for evaluating code generation ability of large language models","volume":"46","author":"Yeo Sangyeop","year":"2024","unstructured":"Sangyeop Yeo, Yu-Seung Ma, Sang Cheol Kim, Hyungkook Jun, and Taeho Kim. 2024. Framework for evaluating code generation ability of large language models. ETRI Journal 46, 1 (2024), 106\u2013117.","journal-title":"ETRI Journal"},{"key":"e_1_3_2_259_2","first-page":"1","volume-title":"2014 IEEE 15th International Symposium on High-Assurance Systems Engineering","author":"Younis Awad A.","year":"2014","unstructured":"Awad A. Younis, Yashwant K. Malaiya, and Indrajit Ray. 2014. Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability. In 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering. IEEE, 1\u20138."},{"key":"e_1_3_2_260_2","first-page":"29","volume-title":"2024 54th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN)","author":"Yu Sheng","year":"2024","unstructured":"Sheng Yu, Wei Song, Xunchao Hu, and Heng Yin. 2024. On the correctness of metadata-based SBOM generation: A differential analysis approach. 
In 2024 54th Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 29\u201336."},{"key":"e_1_3_2_261_2","first-page":"1759","volume-title":"33rd ACM SIGSOFT International Symposium on Software Testing and Analysis","author":"Yu Zeliang","year":"2024","unstructured":"Zeliang Yu, Ming Wen, Xiaochen Guo, and Hai Jin. 2024. Maltracker: A fine-grained NPM malware tracker copiloted by LLM-enhanced dataset. In 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 1759\u20131771."},{"key":"e_1_3_2_262_2","unstructured":"Nusrat Zahan Yasemin Acar Michel Cucker William Enck Alexandros Kapravelos Christian Kastner and Laurie Williams. 2023. S3C2 summit 2023-11: Industry secure supply chain summit. arXiv:2408.16529. Retrieved from https:\/\/arxiv.org\/abs\/2408.16529"},{"key":"e_1_3_2_263_2","first-page":"728","volume-title":"2024 IEEE\/ACM 21st International Conference on Mining Software Repositories (MSR)","author":"Zahan Nusrat","year":"2024","unstructured":"Nusrat Zahan, Philipp Burckhardt, Mikola Lysenko, Feross Aboukhadijeh, and Laurie Williams. 2024. MalwareBench: Malware samples are not enough. In 2024 IEEE\/ACM 21st International Conference on Mining Software Repositories (MSR). IEEE, 728\u2013732."},{"key":"e_1_3_2_264_2","unstructured":"Nusrat Zahan Philipp Burckhardt Mikola Lysenko Feross Aboukhadijeh and Laurie Williams. 2024. Shifting the lens: Detecting malware in npm ecosystem with large language models. arXiv:2403.12196. 
Retrieved from https:\/\/arxiv.org\/abs\/2403.12196"},{"key":"e_1_3_2_265_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3279773"},{"key":"e_1_3_2_266_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2023.3237100"},{"key":"e_1_3_2_267_2","first-page":"292","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP)","author":"Zahan Nusrat","year":"2023","unstructured":"Nusrat Zahan, Shohanuzzaman Shohan, Dan Harris, and Laurie Williams. 2023. Do software security practices yield fewer vulnerabilities? In 2023 IEEE\/ACM 45th International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP). IEEE, 292\u2013303."},{"key":"e_1_3_2_268_2","first-page":"331","volume-title":"44th International Conference on Software Engineering: Software Engineering in Practice","author":"Zahan Nusrat","year":"2022","unstructured":"Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, and Laurie Williams. 2022. What are weak links in the npm supply chain? In 44th International Conference on Software Engineering: Software Engineering in Practice, 331\u2013340."},{"key":"e_1_3_2_269_2","volume-title":"17th International Conference on Software and Software Reuse (ICSR)","author":"Zerouali Ahmed","year":"2018","unstructured":"Ahmed Zerouali, Eleni Constantinou, Tom Mens, Gregorio Robles, and Jesus Gonzalez-Barahona. 2018. An empirical analysis of technical lag in npm package dependencies. In 17th International Conference on Software and Software Reuse (ICSR). DOI: 10.1007\/978-3-319-90421-4_6"},{"issue":"5","key":"e_1_3_2_270_2","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/s10664-022-10154-1","article-title":"On the impact of security vulnerabilities in the npm and RubyGems dependency networks","volume":"27","author":"Zerouali Ahmed","year":"2022","unstructured":"Ahmed Zerouali, Tom Mens, Alexandre Decan, and Coen De Roover. 
2022. On the impact of security vulnerabilities in the npm and RubyGems dependency networks. Empirical Software Engineering 27, 5 (2022), 107.","journal-title":"Empirical Software Engineering"},{"key":"e_1_3_2_271_2","first-page":"276","volume-title":"2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings","author":"Zhang Chenyuan","year":"2024","unstructured":"Chenyuan Zhang, Hao Liu, Jiutian Zeng, Kejing Yang, Yuhong Li, and Hui Li. 2024. Prompt-enhanced software vulnerability detection using ChatGPT. In 2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings, 276\u2013277."},{"key":"e_1_3_2_272_2","article-title":"Does the vulnerability threaten our projects? Automated vulnerable API detection for third-party libraries","author":"Zhang Fangyuan","year":"2024","unstructured":"Fangyuan Zhang, Lingling Fan, Sen Chen, Miaoying Cai, Sihan Xu, and Lida Zhao. 2024. Does the vulnerability threaten our projects? Automated vulnerable API detection for third-party libraries. IEEE Transactions on Software Engineering (2024).","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_273_2","unstructured":"Junan Zhang Kaifeng Huang Bihuan Chen Chong Wang Zhenhao Tian and Xin Peng. 2023. Malicious package detection in NPM and PyPI using a single model of malicious behavior sequence. arXiv:2309.02637. Retrieved from https:\/\/arxiv.org\/abs\/2309.02637"},{"key":"e_1_3_2_274_2","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1109\/ASE56229.2023.00058","volume-title":"2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE)","author":"Zhang Lyuye","year":"2023","unstructured":"Lyuye Zhang, Chengwei Liu, Sen Chen, Zhengzi Xu, Lingling Fan, Lida Zhao, Yiran Zhang, and Yang Liu. 2023. Mitigating persistence of open-source vulnerabilities in maven ecosystem. In 2023 38th IEEE\/ACM International Conference on Automated Software Engineering (ASE). 
IEEE, 191\u2013203."},{"key":"e_1_3_2_275_2","doi-asserted-by":"crossref","first-page":"2540","DOI":"10.1109\/ICSE48619.2023.00212","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Zhang Lyuye","year":"2023","unstructured":"Lyuye Zhang, Chengwei Liu, Zhengzi Xu, Sen Chen, Lingling Fan, Lida Zhao, Jiahui Wu, and Yang Liu. 2023. Compatible remediation on vulnerabilities from third-party libraries for Java projects. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 2540\u20132552."},{"key":"e_1_3_2_276_2","unstructured":"Yue Zhang Yafu Li Leyang Cui Deng Cai Lemao Liu Tingchen Fu Xinting Huang Enbo Zhao Yu Zhang Yulong Chen et al. 2023. Siren\u2019s song in the AI ocean: A survey on hallucination in large language models. arXiv:2309.01219. Retrieved from https:\/\/arxiv.org\/abs\/2309.01219"},{"key":"e_1_3_2_277_2","unstructured":"Ying Zhang Wenjia Song Zhengjie Ji Danfeng (Daphne) Yao and Na Meng. 2023. How well does LLM generate security tests? arXiv:2310.00710. Retrieved from https:\/\/arxiv.org\/abs\/2310.00710"},{"key":"e_1_3_2_278_2","unstructured":"Ying Zhang Xiaoyan Zhou Hui Wen Wenjia Niu Jiqiang Liu Haining Wang and Qiang Li. 2024. Tactics techniques and procedures (TTPs) in interpreted malware: A zero-shot generation with large language models. arXiv:2407.08532. Retrieved from https:\/\/arxiv.org\/abs\/2407.08532"},{"key":"e_1_3_2_279_2","unstructured":"Wanru Zhao Vidit Khazanchi Haodi Xing Xuanli He Qiongkai Xu and Nicholas Donald Lane. 2024. Attacks on third-party APIs of large language models. arXiv:2404.16891. Retrieved from https:\/\/arxiv.org\/abs\/2404.16891"},{"key":"e_1_3_2_280_2","unstructured":"Zibin Zheng Kaiwen Ning Jiachi Chen Yanlin Wang Wenqing Chen Lianghong Guo and Weicheng Wang. 2023. Towards an understanding of large language models in software engineering tasks. arXiv:2308.11396. 
Retrieved from https:\/\/arxiv.org\/abs\/2308.11396"},{"key":"e_1_3_2_281_2","doi-asserted-by":"crossref","first-page":"2565","DOI":"10.1109\/ICSE48619.2023.00214","volume-title":"2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE)","author":"Zhou Jiayuan","year":"2023","unstructured":"Jiayuan Zhou, Michael Pacheco, Jinfu Chen, Xing Hu, Xin Xia, David Lo, and Ahmed E. Hassan. 2023. Colefunda: Explainable silent vulnerability fix identification. In 2023 IEEE\/ACM 45th International Conference on Software Engineering (ICSE). IEEE, 2565\u20132577."},{"key":"e_1_3_2_282_2","doi-asserted-by":"crossref","first-page":"705","DOI":"10.1109\/ASE51524.2021.9678720","volume-title":"2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE)","author":"Zhou Jiayuan","year":"2021","unstructured":"Jiayuan Zhou, Michael Pacheco, Zhiyuan Wan, Xin Xia, David Lo, Yuan Wang, and Ahmed E. Hassan. 2021. Finding a needle in a haystack: Automated mining of silent vulnerability fixes. In 2021 36th IEEE\/ACM International Conference on Automated Software Engineering (ASE). IEEE, 705\u2013716."},{"key":"e_1_3_2_283_2","first-page":"10197","volume-title":"33rd International Conference on Neural Information Processing Systems","author":"Zhou Yaqin","year":"2019","unstructured":"Yaqin Zhou, Shangqing Liu, Jingkai Siow, Xiaoning Du, and Yang Liu. 2019. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. 
In 33rd International Conference on Neural Information Processing Systems, 10197\u201310207."}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3714464","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3714464","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:17:56Z","timestamp":1750295876000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3714464"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,5,26]]},"references-count":282,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2025,6,30]]}},"alternative-id":["10.1145\/3714464"],"URL":"https:\/\/doi.org\/10.1145\/3714464","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,5,26]]},"assertion":[{"value":"2024-03-29","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-12-18","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-05-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}