English
Related papers

Related papers: Cross-Ecosystem Vulnerability Analysis for Python …

200 papers

The development of machine learning techniques for discovering software vulnerabilities relies fundamentally on the availability of appropriate datasets. The ideal dataset consists of a large and diverse collection of real-world…

Cryptography and Security · Computer Science 2025-04-29 Sima Arasteh , Georgios Nikitopoulos , Wei-Cheng Wu , Nicolaas Weideman , Aaron Portnoy , Mukund Raghothaman , Christophe Hauser

This study investigates vulnerabilities in dependencies of sampled open-source software (OSS) projects, the relationship between these and overall project security, and how developers' behaviors and practices influence their mitigation.…

Cryptography and Security · Computer Science 2024-08-27 Janislley Oliveira de Sousa , Bruno Carvalho de Farias , Eddie Batista de Lima Filho , Lucas Carvalho Cordeiro

Vulnerabilities in open-source software can cause cascading effects in the modern digital ecosystem. It is especially worrying if these vulnerabilities repeat across many projects, as once the adversaries find one of them, they can scale up…

Cryptography and Security · Computer Science 2025-05-27 Jafar Akhoundali , Hamidreza Hamidi , Kristian Rietveld , Olga Gadyatskaya

Third-party libraries with rich functionalities facilitate the fast development of Node.js software, but also bring new security threats that vulnerabilities could be introduced through dependencies. In particular, the threats could be…

Software Engineering · Computer Science 2022-08-30 Chengwei Liu , Sen Chen , Lingling Fan , Bihuan Chen , Yang Liu , Xin Peng

Tracking vulnerabilities inherited from third-party open-source software is a well-known challenge, often addressed by tracing the threads of dependency information. However, vulnerabilities can also propagate through forking: a code…

Cryptography and Security · Computer Science 2026-01-29 Romain Lefeuvre , Charly Reux , Stefano Zacchiroli , Olivier Barais , Benoit Combemale

Background: Open Source Software (OSS) libraries form the backbone of modern software systems, yet their long-term sustainability often depends on maintainers being reachable for support, coordination, and security reporting. Aims: In this…

Software Engineering · Computer Science 2026-05-04 Alexandros Tsakpinis , Alexander Pretschner

Open source software ecosystems consist of thousands of interdependent libraries, which users can combine to great effect. Recent work has pointed out two kinds of risks in these systems: that technical problems like bugs and…

Software Engineering · Computer Science 2022-05-11 William Schueller , Johannes Wachs

Identifying the impact scope and scale is critical for software supply chain vulnerability assessment. However, existing studies face substantial limitations. First, prior studies either work at coarse package-level granularity, producing…

Software Engineering · Computer Science 2025-10-10 Bonan Ruan , Zhiwei Lin , Jiahao Liu , Chuqi Zhang , Kaihang Ji , Zhenkai Liang

Recent high-profile incidents in open-source software have greatly raised practitioner attention on software supply chain attacks. To guard against potential malicious package updates, security practitioners advocate pinning dependency to…

Software Engineering · Computer Science 2025-02-11 Hao He , Bogdan Vasilescu , Christian Kästner

The rise of supply chain attacks via malicious Python packages demands robust detection solutions. Current approaches, however, overlook two critical challenges: robustness against adversarial source code transformations and adaptability to…

Cryptography and Security · Computer Science 2025-12-05 Biagio Montaruli , Luca Compagna , Serena Elisa Ponta , Davide Balzarotti

In software development, developers extensively utilize third-party libraries to avoid implementing existing functionalities. When a new third-party library vulnerability is disclosed, project maintainers need to determine whether their…

Software Engineering · Computer Science 2023-12-18 Zirui Chen , Xing Hu , Xin Xia , Yi Gao , Tongtong Xu , David Lo , Xiaohu Yang

We consider the problem of identifying the provenance of free/open source software (FOSS) and specifically the need of identifying where reused source code has been copied from. We propose a lightweight approach to solve the problem based…

Software Engineering · Computer Science 2023-05-25 Yiming Sun , Daniel M. German , Stefano Zacchiroli

Currently, little is known about the structure of the Cargo ecosystem and the potential for vulnerability propagation. Many empirical studies generalize third-party dependency governance strategies from a single software ecosystem to other…

Cryptography and Security · Computer Science 2022-10-17 Peiyang Jia , Chengwei Liu , Hongyu Sun , Chengyi Sun , Mianxue Gu , Yang Liu , Yuqing Zhang

Industrial applications heavily integrate open-source software libraries nowadays. Beyond the benefits that libraries bring, they can also impose a real threat in case a library is affected by a vulnerability but its community is not active…

Software Engineering · Computer Science 2025-04-24 Alexandros Tsakpinis

Security practitioners maintain vulnerability reports (e.g., GitHub Advisory) to help developers mitigate security risks. An important task for these databases is automatically extracting structured information mentioned in the report,…

Cryptography and Security · Computer Science 2024-05-21 Tianyu Chen , Lin Li , Liuchuan Zhu , Zongyang Li , Xueqing Liu , Guangtai Liang , Qianxiang Wang , Tao Xie

Modern software systems rely on dependency networks of reusable libraries, where breaking changes propagate and cause downstream consumers to fail. Despite growing research across ecosystems, no comprehensive synthesis exists. We conduct a…

Software Engineering · Computer Science 2026-05-26 Juntao Chen , Tingting Bi , Yanlin Wang , Patanamon Thongtanunam

Security vulnerabilities introduced by applications using third-party dependencies are on the increase, caused by the emergence of large ecosystems of libraries such as the NPM packages for JavaScript. Nowadays, libraries depend on each…

Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is…

Cryptography and Security · Computer Science 2025-03-19 Imranur Rahman , Ranidya Paramitha , Henrik Plate , Dominik Wermke , Laurie Williams

The increasing interest in open source software has led to the emergence of large language-specific package distributions of reusable software libraries, such as npm and RubyGems. These software packages can be subject to vulnerabilities…

Software Engineering · Computer Science 2022-03-29 Ahmed Zerouali , Tom Mens , Alexandre Decan , Coen De Roover

Industrial applications heavily rely on open-source software (OSS) libraries, which provide various benefits. But, they can also present a substantial risk if a vulnerability or attack arises and the community fails to promptly address the…

Software Engineering · Computer Science 2025-04-24 Alexandros Tsakpinis , Alexander Pretschner