{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T12:59:36Z","timestamp":1761569976886,"version":"build-2065373602"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,6,20]]},"DOI":"10.1145\/3755881.3755923","type":"proceedings-article","created":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T11:46:17Z","timestamp":1761565577000},"page":"510-521","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Unraveling the Characterization and Propagation of Security Vulnerabilities in TensorFlow-based Deep Learning Software Supply Chain"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-8063-0773","authenticated-orcid":false,"given":"Yiren","family":"Zhou","sequence":"first","affiliation":[{"name":"Nanjing University of Aeronautics and Astronautics, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5272-6706","authenticated-orcid":false,"given":"Lina","family":"Gong","sequence":"additional","affiliation":[{"name":"Nanjing University of Aeronautics and Astronautics, Nanjing, China"}]},{"ORCID":"https:\/\/orcid.org\/0009-0009-8401-8382","authenticated-orcid":false,"given":"Tiantian","family":"Ma","sequence":"additional","affiliation":[{"name":"Nanjing University of Aeronautics and Astronautics, Nanjing, China"}]}],"member":"320","published-online":{"date-parts":[[2025,10,27]]},"reference":[{"key":"e_1_3_3_2_2_2","doi-asserted-by":"crossref","unstructured":"Mahmoud Alfadel Diego\u00a0Elias Costa and Emad Shihab. 2023. Empirical analysis of security vulnerabilities in python packages. Empirical Software Engineering 28 3 (2023) 59.","DOI":"10.1007\/s10664-022-10278-4"},{"key":"e_1_3_3_2_3_2","unstructured":"Apache. 2023. Apache TVM. https:\/\/github.com\/apache\/tvm"},{"key":"e_1_3_3_2_4_2","doi-asserted-by":"publisher","unstructured":"Lingfeng Bao Xin Xia Ahmed\u00a0E. Hassan and Xiaohu Yang. 2022. V-SZZ: Automatic Identification of Version Ranges Affected by CVE Vulnerabilities(ICSE \u201922). Association for Computing Machinery New York NY USA 2352\u20132364. 10.1145\/3510003.3510113","DOI":"10.1145\/3510003.3510113"},{"key":"e_1_3_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC54236.2022.00130"},{"key":"e_1_3_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1145\/3417113.3422154"},{"key":"e_1_3_3_2_7_2","doi-asserted-by":"publisher","unstructured":"Ethan Bommarito and Michael Bommarito. 2019. An empirical analysis of the python package index (pypi). arxiv (2019). 10.48550\/arXiv.1907.11073 arXiv:arXiv:1907.11073","DOI":"10.48550\/arXiv.1907.11073"},{"key":"e_1_3_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/ECAI52376.2021.9515098"},{"key":"e_1_3_3_2_9_2","unstructured":"GitHub Community. 2023. GitHub Dependency Graph. https:\/\/docs.github.com\/en\/code-security\/supply-chain-security\/understanding-your-software-supply-chain\/about-the-dependency-graph"},{"key":"e_1_3_3_2_10_2","unstructured":"Mitre Corporation. 2023. Common Vulnerabilities and Exposures. https:\/\/cve.mitre.org\/"},{"key":"e_1_3_3_2_11_2","unstructured":"Mitre Corporation. 2023. Common Weakness Enumeration. https:\/\/cwe.mitre.org\/"},{"key":"e_1_3_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1109\/ESEM.2011.36"},{"key":"e_1_3_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196401"},{"key":"e_1_3_3_2_14_2","unstructured":"Deezer. 2023. Spleeter. https:\/\/github.com\/deezer\/spleeter"},{"key":"e_1_3_3_2_15_2","doi-asserted-by":"publisher","unstructured":"Jiahao Fan Yi Li Shaohua Wang and Tien\u00a0N. Nguyen. 2020. A C\/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries(MSR \u201920). Association for Computing Machinery New York NY USA 508\u2013512. 10.1145\/3379597.3387501","DOI":"10.1145\/3379597.3387501"},{"key":"e_1_3_3_2_16_2","doi-asserted-by":"crossref","unstructured":"Katarzyna Filus and Joanna Doma\u0144ska. 2023. Software vulnerabilities in TensorFlow-based deep learning applications. Computers & Security 124 (2023) 102948.","DOI":"10.1016\/j.cose.2022.102948"},{"key":"e_1_3_3_2_17_2","doi-asserted-by":"publisher","unstructured":"Kai Gao Runzhi He Bing Xie and Minghui Zhou. 2023. Characterizing Deep Learning Package Supply Chains in PyPI: Domains Clusters and Disengagement. arxiv (2023). 10.48550\/arXiv.2306.16307 arXiv:arXiv:2306.16307","DOI":"10.48550\/arXiv.2306.16307"},{"key":"e_1_3_3_2_18_2","unstructured":"GitHub. 2023. GitHub Advisory Database. https:\/\/github.com\/advisories"},{"key":"e_1_3_3_2_19_2","doi-asserted-by":"publisher","unstructured":"Hao Guo Sen Chen Zhenchang Xing Xiaohong Li Yude Bai and Jiamou Sun. 2022. Detecting and Augmenting Missing Key Aspects in Vulnerability Descriptions. ACM Trans. Softw. Eng. Methodol. 31 3 Article 49 (apr 2022) 27\u00a0pages. 10.1145\/3498537","DOI":"10.1145\/3498537"},{"key":"e_1_3_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC51774.2021.00138"},{"key":"e_1_3_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSR59073.2023.00018"},{"key":"e_1_3_3_2_22_2","doi-asserted-by":"crossref","unstructured":"Andrew\u00a0F Hayes and Klaus Krippendorff. 2007. Answering the call for a standard reliability measure for coding data. Communication methods and measures 1 1 (2007) 77\u201389.","DOI":"10.1080\/19312450709336664"},{"key":"e_1_3_3_2_23_2","doi-asserted-by":"crossref","unstructured":"Lance\u00a0D Hentges Martin\u00a0J Sergeant Christopher\u00a0B Cole Damien\u00a0J Downes Jim\u00a0R Hughes and Stephen Taylor. 2022. LanceOtron: a deep learning peak caller for genome sequencing experiments. Bioinformatics 38 18 (2022) 4255\u20134263.","DOI":"10.1093\/bioinformatics\/btac525"},{"key":"e_1_3_3_2_24_2","unstructured":"huggingface. 2023. Transformers. https:\/\/github.com\/huggingface\/transformers"},{"key":"e_1_3_3_2_25_2","doi-asserted-by":"publisher","unstructured":"Kenta Kanakogi Hironori Washizaki Yoshiaki Fukazawa Shinpei Ogata Takao Okubo Takehisa Kato Hideyuki Kanuka Atsuo Hazeyama and Nobukazu Yoshioka. 2021. Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques. Information 12 8 (2021). 10.3390\/info12080298","DOI":"10.3390\/info12080298"},{"key":"e_1_3_3_2_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3533767.3534398"},{"key":"e_1_3_3_2_27_2","doi-asserted-by":"publisher","unstructured":"Anish Khazane Julien Hoachuck Krzysztof\u00a0J Gorgolewski and Russell\u00a0A Poldrack. 2022. DeepDefacer: Automatic Removal of Facial Features via U-Net Image Segmentation. arxiv (2022). 10.48550\/arXiv.2205.15536 arXiv:arXiv:2205.15536","DOI":"10.48550\/arXiv.2205.15536"},{"key":"e_1_3_3_2_28_2","unstructured":"langchain ai. 2023. LangChain. https:\/\/github.com\/langchain-ai\/langchain"},{"key":"e_1_3_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380923"},{"key":"e_1_3_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510142"},{"key":"e_1_3_3_2_31_2","doi-asserted-by":"crossref","unstructured":"Viet\u00a0Hung Nguyen Stanislav Dashevskyi and Fabio Massacci. 2016. An automatic method for assessing the versions affected by a vulnerability. Empirical Software Engineering 21 (2016) 2268\u20132297.","DOI":"10.1007\/s10664-015-9408-2"},{"key":"e_1_3_3_2_32_2","unstructured":"NIST. 2023. National Vulnerability Database. https:\/\/nvd.nist.gov\/"},{"key":"e_1_3_3_2_33_2","unstructured":"NIST. 2023. Software Vulnerability. https:\/\/csrc.nist.gov\/glossary\/term\/software_vulnerability"},{"key":"e_1_3_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_3_2_35_2","unstructured":"OpenBB-finance. 2023. OpenBB Terminal. https:\/\/github.com\/OpenBB-finance\/OpenBBTerminal"},{"key":"e_1_3_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1109\/PRDC55274.2022.00029"},{"key":"e_1_3_3_2_37_2","doi-asserted-by":"crossref","unstructured":"Fernando P\u00e9rez-Garc\u00eda Rachel Sparks and S\u00e9bastien Ourselin. 2021. TorchIO: a Python library for efficient loading preprocessing augmentation and patch-based sampling of medical images in deep learning. Computer Methods and Programs in Biomedicine 208 (2021) 106236.","DOI":"10.1016\/j.cmpb.2021.106236"},{"key":"e_1_3_3_2_38_2","doi-asserted-by":"crossref","unstructured":"Gema Rodr\u00edguez-P\u00e9rez Gregorio Robles Alexander Serebrenik Andy Zaidman Daniel\u00a0M Germ\u00e1n and Jesus\u00a0M Gonzalez-Barahona. 2020. How bugs are born: a model to identify how bugs are introduced in software components. Empirical Software Engineering 25 (2020) 1294\u20131340.","DOI":"10.1007\/s10664-019-09781-y"},{"key":"e_1_3_3_2_39_2","doi-asserted-by":"crossref","unstructured":"Ruben Sanchez-Garcia Joan Segura David Maluenda COS Sorzano and Jos\u00e9\u00a0M Carazo. 2020. MicrographCleaner: A python package for cryo-EM micrograph cleaning using deep learning. Journal of structural biology 210 3 (2020) 107498.","DOI":"10.1016\/j.jsb.2020.107498"},{"key":"e_1_3_3_2_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510199"},{"key":"e_1_3_3_2_41_2","unstructured":"TensorFlow. 2023. API Documentation of TensorFlow. https:\/\/www.tensorflow.org\/api_docs\/python\/tf"},{"key":"e_1_3_3_2_42_2","unstructured":"UKPLab. 2023. Sentence Transformers. https:\/\/github.com\/UKPLab\/sentence-transformers"},{"key":"e_1_3_3_2_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM52596.2021.9652901"},{"key":"e_1_3_3_2_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE48619.2023.00095"},{"key":"e_1_3_3_2_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2018.00027"},{"key":"e_1_3_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/QRS54544.2021.00060"},{"key":"e_1_3_3_2_47_2","doi-asserted-by":"publisher","DOI":"10.1109\/ELECTRONICA52725.2021.9513723"}],"event":{"name":"Internetware 2025: the 16th International Conference on Internetware","sponsor":["SIGSOFT ACM Special Interest Group on Artificial Intelligence"],"location":"Trondheim Norway","acronym":"Internetware 2025"},"container-title":["Proceedings of the 16th International Conference on Internetware"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3755881.3755923","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,27]],"date-time":"2025-10-27T11:47:47Z","timestamp":1761565667000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3755881.3755923"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,20]]},"references-count":46,"alternative-id":["10.1145\/3755881.3755923","10.1145\/3755881"],"URL":"https:\/\/doi.org\/10.1145\/3755881.3755923","relation":{},"subject":[],"published":{"date-parts":[[2025,6,20]]},"assertion":[{"value":"2025-10-27","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}