Detection, assessment and mitigation of vulnerabilities in open source dependencies
| Published in: | Empirical software engineering : an international journal Vol. 25; no. 5; pp. 3175 - 3215 |
|---|---|
| Main Authors: | Ponta, Serena Elisa; Plate, Henrik; Sabetta, Antonino |
| Format: | Journal Article |
| Language: | English |
| Published: | New York: Springer US (Springer Nature B.V), 01.09.2020 |
| ISSN: | 1382-3256, 1573-7616 |
| Online Access: | https://link.springer.com/10.1007/s10664-020-09830-x |
| Abstract | Open source software (OSS) libraries are widely used in the industry to speed up the development of software products. However, these libraries are subject to an ever-increasing number of vulnerabilities that are publicly disclosed. It is thus crucial for application developers to detect dependencies on vulnerable libraries in a timely manner, to precisely assess their impact, and to mitigate any potential risk. This paper presents a novel method to detect, assess and mitigate OSS vulnerabilities. Differently from state-of-the-art approaches that depend on metadata to identify vulnerable OSS dependencies, our solution is code-centric, and combines static and dynamic analyses to determine the reachability of the vulnerable portion of libraries, in the context of a given application. Our approach also supports developers in choosing among the existing non-vulnerable library versions, with the goal to determine and minimize incompatibilities. Eclipse Steady, the open source implementation of our *code-centric* and *usage-based* approach, is the tool recommended to scan Java software products at SAP; it has been successfully used to perform more than one million scans of about 1500 applications. In this paper we report on the lessons learned when maturing the tool from a research prototype to an industrial-grade solution. To evaluate Eclipse Steady, we conducted an empirical study to compare its detection capabilities with those of OWASP Dependency Check (OWASP DC), scanning 300 large enterprise applications under development with a total of 78165 dependencies. Reviewing a sample of the findings *reported only by one of the two tools* revealed that all Steady findings are true positives, while 88.8% of the findings of OWASP DC for vulnerabilities covered by our code-centric approach are false positives. For vulnerabilities not caused by code but due, e.g., to erroneous configuration, 63.3% of OWASP DC findings are true positives. |
|---|---|
| Author | Ponta, Serena Elisa (SAP Security Research; serena.ponta@sap.com; ORCID 0000-0002-6208-4743); Plate, Henrik (SAP Security Research); Sabetta, Antonino (SAP Security Research) |
| Copyright | The Author(s) 2020. This work is published under http://creativecommons.org/licenses/by/4.0/ (the "License"). Notwithstanding the ProQuest Terms and Conditions, you may use this content in accordance with the terms of the License. |
| DOI | 10.1007/s10664-020-09830-x |
| Discipline | Computer Science |
| EISSN | 1573-7616 |
| EndPage | 3215 |
| ISICitedReferencesCount | 64 |
| ISSN | 1382-3256 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | true |
| IsScholarly | true |
| Issue | 5 |
| Keywords | Usage-based update support; Code-centric vulnerability analysis; Publicly known vulnerabilities; Open source software; Combination of static and dynamic analysis |
| ORCID | 0000-0002-6208-4743 |
| OpenAccessLink | https://link.springer.com/10.1007/s10664-020-09830-x |
| PageCount | 41 |
| PublicationDate | 2020-09-01 |
| PublicationPlace | New York |
| PublicationSubtitle | An International Journal |
| PublicationTitle | Empirical software engineering : an international journal |
| PublicationTitleAbbrev | Empir Software Eng |
| Publisher | Springer US Springer Nature B.V |
| StartPage | 3175 |
| SubjectTerms | Compilers; Computer Science; Empirical analysis; Interpreters; Libraries; Open source software; Programming Languages; Quality; Software; Software Engineering/Programming and Operating Systems; Software Maintenance and Evolution (ICSME) |
| URI | https://link.springer.com/article/10.1007/s10664-020-09830-x https://www.proquest.com/docview/2439758729 |
| Volume | 25 |