Does the Vulnerability Threaten Our Projects? Automated Vulnerable API Detection for Third-Party Libraries

Detailed bibliography
Published in: IEEE transactions on software engineering Volume 50; Issue 11; pp. 2906 - 2920
Main authors: Zhang, Fangyuan; Fan, Lingling; Chen, Sen; Cai, Miaoying; Xu, Sihan; Zhao, Lida
Format: Journal Article
Language: English
Publication details: New York IEEE 01.11.2024
IEEE Computer Society
ISSN:0098-5589, 1939-3520
Abstract Developers usually use third-party libraries (TPLs) to facilitate the development of their projects to avoid reinventing the wheels; however, the vulnerable TPLs indeed cause severe security threats. The majority of existing research only considered whether projects used vulnerable TPLs but neglected whether the vulnerable code of the TPLs was indeed used by the projects, which inevitably results in false positives and further requires additional patching efforts and maintenance costs (e.g., dependency conflict issues after version upgrades). To mitigate such a problem, we propose VAScanner, which can effectively identify vulnerable root methods causing vulnerabilities in TPLs and further identify all vulnerable APIs of TPLs used by Java projects. Specifically, we first collect the initial patch methods from the patch commits and extract accurate patch methods by employing a patch-unrelated sifting mechanism, then we further identify the vulnerable root methods for each vulnerability by employing an augmentation mechanism. Based on them, we leverage backward call graph analysis to identify all vulnerable APIs for each vulnerable TPL version and construct a database consisting of 90,749 (2,410,779 with library versions) vulnerable APIs with 1.45% false positive proportion with a 95% confidence interval (CI) of [1.31%, 1.59%] from 362 TPLs with 14,775 versions. The database serves as a reference database to help developers detect vulnerable APIs of TPLs used by projects. Our experiments show VAScanner eliminates 5.78% false positives and 2.16% false negatives owing to the proposed sifting and augmentation mechanisms. Besides, it outperforms the state-of-the-art method-level vulnerability detection tool in analyzing direct dependencies, Eclipse Steady, achieving more effective detection of vulnerable APIs.
Furthermore, to investigate the real impact of vulnerabilities on real open-source projects, we exploit VAScanner to conduct a large-scale analysis on 3,147 projects that depend on vulnerable TPLs, and find only 21.51% of projects (with 1.83% false positive proportion and a 95% CI of [0.71%, 4.61%]) were threatened through vulnerable APIs, demonstrating that VAScanner can potentially reduce false positives significantly.
Author_xml – sequence: 1
  givenname: Fangyuan
  orcidid: 0009-0000-9599-1369
  surname: Zhang
  fullname: Zhang, Fangyuan
  email: fangyuanzhang@mail.nankai.edu.cn
  organization: DISSec, NDST, College of Computer Science, Nankai University, Tianjin, China
– sequence: 2
  givenname: Lingling
  orcidid: 0000-0002-2428-9297
  surname: Fan
  fullname: Fan, Lingling
  email: linglingfan@nankai.edu.cn
  organization: DISSec, NDST, College of Cyber Science, Nankai University, Tianjin, China
– sequence: 3
  givenname: Sen
  orcidid: 0000-0001-9477-4100
  surname: Chen
  fullname: Chen, Sen
  email: senchen@tju.edu.cn
  organization: College of Intelligence and Computing, Tianjin University, Tianjin, China
– sequence: 4
  givenname: Miaoying
  orcidid: 0009-0002-2747-3169
  surname: Cai
  fullname: Cai, Miaoying
  email: miaoyingcai@mail.nankai.edu.cn
  organization: DISSec, NDST, College of Computer Science, Nankai University, Tianjin, China
– sequence: 5
  givenname: Sihan
  orcidid: 0000-0002-6887-6231
  surname: Xu
  fullname: Xu, Sihan
  email: xusihan@nankai.edu.cn
  organization: DISSec, NDST, College of Cyber Science, Nankai University, Tianjin, China
– sequence: 6
  givenname: Lida
  orcidid: 0009-0005-9832-8948
  surname: Zhao
  fullname: Zhao, Lida
  email: LIDA001@e.ntu.edu.sg
  organization: School of Computer Science and Engineering, Nanyang Technological University, Singapore
CODEN IESEDJ
CitedBy_id crossref_primary_10_1016_j_cose_2025_104546
ContentType Journal Article
Copyright Copyright IEEE Computer Society 2024
Copyright_xml – notice: Copyright IEEE Computer Society 2024
DOI 10.1109/TSE.2024.3454960
DatabaseName IEEE All-Society Periodicals Package (ASPP) 2005–Present
IEEE All-Society Periodicals Package (ASPP) 1998–Present
IEEE Xplore
CrossRef
ProQuest Computer Science Collection
ProQuest Health & Medical Complete (Alumni)
DatabaseTitle CrossRef
ProQuest Health & Medical Complete (Alumni)
ProQuest Computer Science Collection
DatabaseTitleList ProQuest Health & Medical Complete (Alumni)

Database_xml – sequence: 1
  dbid: RIE
  name: IEEE Xplore
  url: https://ieeexplore.ieee.org/
  sourceTypes: Publisher
DeliveryMethod fulltext_linktorsrc
Discipline Computer Science
EISSN 1939-3520
EndPage 2920
ExternalDocumentID 10_1109_TSE_2024_3454960
10666791
Genre orig-research
GrantInformation_xml – fundername: Natural Science Foundation of Tianjin
  grantid: 22JCYBJC01010
  funderid: 10.13039/501100006606
– fundername: National Natural Science Foundation of China
  grantid: 62102197; 62202245
  funderid: 10.13039/501100001809
IEDL.DBID RIE
ISICitedReferencesCount 1
ISSN 0098-5589
IsPeerReviewed true
IsScholarly true
Issue 11
Language English
License https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html
https://doi.org/10.15223/policy-029
https://doi.org/10.15223/policy-037
PublicationDate 2024-11-01
PublicationDateYYYYMMDD 2024-11-01
PublicationDate_xml – month: 11
  year: 2024
  text: 2024-11-01
  day: 01
PublicationDecade 2020
PublicationPlace New York
PublicationPlace_xml – name: New York
PublicationTitle IEEE transactions on software engineering
PublicationTitleAbbrev TSE
PublicationYear 2024
Publisher IEEE
IEEE Computer Society
Publisher_xml – name: IEEE
– name: IEEE Computer Society
StartPage 2906
SubjectTerms Accuracy
Application programming interface
Codes
Impact analysis
Java
Libraries
Maintenance costs
Security
Software
software composition analysis
static analysis
Third party
Vulnerability detection
Title Does the Vulnerability Threaten Our Projects? Automated Vulnerable API Detection for Third-Party Libraries
URI https://ieeexplore.ieee.org/document/10666791
https://www.proquest.com/docview/3127701580
Volume 50