
arxiv: 2604.21278 · v1 · submitted 2026-04-23 · 💻 cs.SE

Hidden Dependencies and Component Variants in SBOM-Based Software Composition Analysis

Pith reviewed 2026-05-09 21:24 UTC · model grok-4.3

classification 💻 cs.SE
keywords: SBOM · Software Composition Analysis · Vulnerability Management · Supply Chain Security · Hidden Dependencies · Component Variants · VEX Statements

The pith

SBOMs often miss hidden code dependencies and fail to tag component variants consistently, causing scanners to disagree on which vulnerabilities apply.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper identifies two common mismatches in how Software Bills of Material represent real software: code-level dependencies that never appear as component entries, and duplicate or variant components that scanners label differently. It shows these gaps produce conflicting vulnerability lists and uneven treatment of VEX statements when the same product is scanned by different tools. A reader would care because SBOMs are now required or recommended for supply-chain security, yet these representation problems can leave real risks unaddressed or over-reported. The authors ground the claim in concrete examples drawn from popular scanners and real artifacts rather than abstract theory.

Core claim

Hidden code-level dependencies that are not recorded as component-level relations, together with component variants that lack stable identity across tools, produce inconsistent vulnerability reports and inconsistent VEX handling in current SBOM-based scanners.

What carries the argument

Two mismatch patterns—hidden dependencies (actual code relations absent from the SBOM component graph) and component variants (clones whose identities scanners cannot reconcile)—that directly alter the input to vulnerability matching.

If this is right

  • The same software product can receive different vulnerability assessments depending on which scanner consumes its SBOM.
  • VEX statements attached to one SBOM may be ignored or interpreted differently by other tools.
  • Current SBOM formats limit the reliability of software composition analysis for vulnerability management.
  • Richer ways to express dependencies and component identities are required before SBOMs can deliver consistent results.
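The two mismatch patterns, modelled as an added example that is not from the paper or from any scanner it studies: a toy SBOM whose component graph omits a shaded copy of a library (the hidden code-level dependency), a repackaged variant of that same library under a different purl (the component variant), and a VEX statement scoped to one dependency path. Two scanner models (purl-only versus hash-aware) and two VEX scopes (path versus vulnerability id) are then run over the same product; every purl, hash and the vulnerability id are constructed placeholders.

```python
"""Toy model of two SBOM mismatch patterns: a hidden code-level dependency
absent from the component graph, and a component variant (repackaged clone)
with a different identifier but identical content. All values are constructed."""
from collections import defaultdict

APP = "pkg:maven/example/app@1.0.0"
LIB_A = "pkg:maven/example/lib-a@2.3.0"
PARSER = "pkg:maven/example/parser@1.2.0"
VENDOR_PARSER = "pkg:maven/vendor/vendor-parser@1.2.0-r1"  # repackaged clone

# Constructed SBOM: component -> content hash, plus component-level edges.
# parser@1.2.0 is not a component: lib-a bundles (shades) its code, so the
# code-level relation lib-a -> parser is hidden from the SBOM graph.
SBOM_COMPONENTS = {APP: "h-app", LIB_A: "h-liba", VENDOR_PARSER: "h-parser-120"}
SBOM_DEPENDENCIES = {APP: [LIB_A, VENDOR_PARSER], LIB_A: [], VENDOR_PARSER: []}
HIDDEN_CODE_DEPS = {LIB_A: [PARSER]}            # what code-level analysis adds
CONTENT_HASH = {PARSER: "h-parser-120"}         # same bytes as the variant

# Constructed advisory keyed by purl and by content hash of the affected code.
ADVISORIES = {"VULN-0001": {"purls": {PARSER}, "hashes": {"h-parser-120"}}}

# Constructed VEX statement scoped to one dependency path: app -> vendor-parser.
VEX = [{"vuln": "VULN-0001", "product": APP, "subcomponent": VENDOR_PARSER,
        "status": "not_affected"}]


def dependency_paths(deps, root):
    """All root-to-node paths in the dependency graph (assumed acyclic)."""
    paths, stack = [], [(root,)]
    while stack:
        path = stack.pop()
        paths.append(path)
        for child in deps.get(path[-1], []):
            stack.append(path + (child,))
    return paths


def scan(components, deps, root, match_by_hash):
    """Scanner model returning {vuln_id: {dependency_path, ...}}.
    A purl-only scanner cannot see the variant; a hash-aware one reconciles it."""
    findings = defaultdict(set)
    for path in dependency_paths(deps, root):
        comp = path[-1]
        for vid, adv in ADVISORIES.items():
            hit = comp in adv["purls"]
            if match_by_hash:
                hit = hit or components.get(comp) in adv["hashes"]
            if hit:
                findings[vid].add(path)
    return dict(findings)


def apply_vex(findings, vex, scope):
    """scope='path': suppress only the product/subcomponent path named in the
    statement; scope='vuln': suppress every path carrying that vuln id."""
    out = {}
    for vid, paths in findings.items():
        kept = set(paths)
        for st in vex:
            if st["vuln"] != vid or st["status"] != "not_affected":
                continue
            if scope == "vuln":
                kept = set()
            else:
                kept = {p for p in kept
                        if not (p[0] == st["product"] and p[-1] == st["subcomponent"])}
        if kept:
            out[vid] = kept
    return out


def with_hidden_deps(components, deps):
    """Augment the SBOM graph with the code-level relations it omits."""
    comps, merged = dict(components), {k: list(v) for k, v in deps.items()}
    for src, targets in HIDDEN_CODE_DEPS.items():
        merged.setdefault(src, []).extend(targets)
        for t in targets:
            merged.setdefault(t, [])
            comps[t] = CONTENT_HASH[t]
    return comps, merged


def compare_scanners():
    """Same product, different scanner behaviour, with and without the hidden edge."""
    r = {}
    r["sbom_purl_only"] = scan(SBOM_COMPONENTS, SBOM_DEPENDENCIES, APP, False)
    r["sbom_hash_aware"] = scan(SBOM_COMPONENTS, SBOM_DEPENDENCIES, APP, True)
    r["sbom_hash_aware_vex"] = apply_vex(r["sbom_hash_aware"], VEX, "path")
    comps, deps = with_hidden_deps(SBOM_COMPONENTS, SBOM_DEPENDENCIES)
    r["full_purl_only"] = scan(comps, deps, APP, False)
    r["full_hash_aware"] = scan(comps, deps, APP, True)
    r["full_vex_path_scoped"] = apply_vex(r["full_hash_aware"], VEX, "path")
    r["full_vex_vuln_scoped"] = apply_vex(r["full_hash_aware"], VEX, "vuln")
    return r


if __name__ == "__main__":
    for name, res in compare_scanners().items():
        print(f"{name:24s} {res or 'no findings'}")
```

On the SBOM as shipped the purl-only scanner reports nothing and the hash-aware one reports only the variant, which the path-scoped VEX then suppresses; only after the hidden edge is added does the unaddressed copy inside lib-a appear, and a scanner that applies VEX by vulnerability id alone suppresses that one too.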

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • Organizations may need to run multiple independent scanners and reconcile their outputs rather than trust any single one.
  • Component identity schemes that survive cloning and variant creation would reduce one source of mismatch.
  • Automated checks that detect hidden dependencies from source or binary analysis could be added to SBOM generation pipelines.

Load-bearing premise

The observed mismatches in the examined cases are representative of wider SBOM production and consumption practice and are the direct cause of the differing scanner outputs.

What would settle it

A broad audit that examines many real SBOMs and scanners and finds no measurable difference in reported vulnerabilities or VEX outcomes even when hidden dependencies and variants are present would falsify the central claim.

Figures

Figures reproduced from arXiv: 2604.21278 by Jens Dietrich, Lisa Patterson, Max McPhee, Shawn Rasheed, Stephen MacDonell.

Figure 1: Component-level vs. code-level dependency graph.
Figure 2: VEX suppression scope across dependency paths
Figure 3: Type-0 component variant: a repackaged component sharing code with
Original abstract

Software Bills of Material (SBOMs) have emerged as an important technology for vulnerability management amid rising supply-chain attacks. They represent component relationships within a software product and support software composition analysis (SCA) by linking components to known vulnerabilities. However, the effectiveness of SBOM-based analysis depends on how accurately SBOMs represent component identities and actual dependencies in software. This paper studies two mismatch patterns: hidden code-level dependencies that are not represented as component-level dependencies, and component variants (clones) that cannot be identified consistently by scanners. We show that these mismatches can lead to inconsistent vulnerability reporting and inconsistent handling of VEX statements across popular SBOM-based vulnerability scanners. These results highlight limitations in current SBOM production and consumption and motivate richer dependency representation and component identity.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper investigates two mismatch patterns in SBOMs for software composition analysis: hidden code-level dependencies not captured as component-level dependencies, and component variants (clones) that cannot be consistently identified by scanners. Through analysis of popular SBOM-based vulnerability scanners, it claims to demonstrate that these mismatches produce inconsistent vulnerability reports and inconsistent handling of VEX statements, thereby highlighting limitations in current SBOM production and consumption practices and motivating richer dependency representations and component identity mechanisms.

Significance. If the observed inconsistencies are shown to be systematic rather than isolated, the work would be significant for the SBOM and supply-chain security community by providing concrete evidence of how representational gaps affect downstream vulnerability management. The observational grounding in real scanner behavior is a positive feature, but the absence of quantification or controlled experiments limits the strength of the broader claims about systemic issues in SBOM ecosystems.

major comments (2)
  1. [Results and Discussion sections] The central claim that hidden dependencies and component variants lead to inconsistent vulnerability reporting and VEX handling rests on targeted case studies. Without a larger sample, frequency counts, or an ablation that isolates these mismatches from scanner-specific heuristics and CVE database differences, the causal link and generalizability to production SBOMs remain under-supported (see the results and discussion sections describing the scanner comparisons).
  2. [Introduction and Conclusion] The assumption that the studied mismatches are representative of broader SBOM production/consumption problems is load-bearing for the motivation to adopt richer representations, yet no data on the prevalence of such patterns across open-source or commercial SBOMs is provided to substantiate this.
minor comments (2)
  1. [Abstract] The abstract states the claims but provides no overview of the methodology, dataset size, or scanner selection criteria; adding a brief methods summary would improve readability.
  2. [Background] Notation for component variants and hidden dependencies could be formalized earlier (e.g., with a small diagram or table) to make the mismatch patterns clearer before the case studies.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address the two major comments point by point below, clarifying the exploratory scope of our case studies while making targeted revisions to better align the claims with the evidence presented.

Point-by-point responses
  1. Referee: [Results and Discussion sections] The central claim that hidden dependencies and component variants lead to inconsistent vulnerability reporting and VEX handling rests on targeted case studies. Without a larger sample, frequency counts, or an ablation that isolates these mismatches from scanner-specific heuristics and CVE database differences, the causal link and generalizability to production SBOMs remain under-supported (see the results and discussion sections describing the scanner comparisons).

    Authors: We appreciate this observation. The manuscript presents targeted case studies to demonstrate that the identified mismatch patterns can produce inconsistent outputs across scanners, as shown through concrete examples of vulnerability reporting and VEX handling. We do not assert systematic prevalence or isolate every confounding factor via ablation; the contribution is in surfacing these representational gaps through real scanner behavior. We have revised the Results and Discussion sections to explicitly describe the findings as illustrative, to acknowledge scanner-specific heuristics as a potential influence, and to recommend controlled experiments in future work.

    revision: partial

  2. Referee: [Introduction and Conclusion] The assumption that the studied mismatches are representative of broader SBOM production/consumption problems is load-bearing for the motivation to adopt richer representations, yet no data on the prevalence of such patterns across open-source or commercial SBOMs is provided to substantiate this.

    Authors: We acknowledge that the paper provides no prevalence statistics across a broad corpus of SBOMs. The motivation is grounded in the observation that these mismatches exist and affect downstream analysis in the studied cases, thereby indicating limitations in current SBOM practices. We have revised the Introduction and Conclusion to remove any implication of representativeness, to frame the work as identifying specific patterns that warrant richer representations, and to explicitly note the absence of prevalence data as an area for future study.

    revision: partial

Circularity Check

0 steps flagged

No circularity: purely observational empirical analysis

Full rationale

The paper conducts a case-study examination of SBOM production/consumption mismatches (hidden dependencies and component variants) and their effects on scanner outputs and VEX handling. No equations, derivations, fitted parameters, or predictive models are present. Claims rest on direct inspection of real scanners and SBOMs rather than any self-referential construction or self-citation chain. The work is therefore self-contained with no reduction of results to their own inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

This is an empirical study of software tools and no formal parameters, axioms or new entities are introduced in the abstract.


