{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:4WYSJIU4A5MO6525I455FSM7AU","short_pith_number":"pith:4WYSJIU4","canonical_record":{"source":{"id":"2603.18693","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-03-19T09:52:29Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"5ef726d71dc8c2b53291e30d98e5857ae8bd5957bed3431ab075de60200f8b3d","abstract_canon_sha256":"a77ae5c7999283c68ac6adb1ca40d8b0970a4b651f94662b42bbb4a00d7684ac"},"schema_version":"1.0"},"canonical_sha256":"e5b124a29c0758ef775d473bd2c99f0519d580d0620a7de151cec0a9860b165c","source":{"kind":"arxiv","id":"2603.18693","version":2},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2603.18693","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"arxiv_version","alias_value":"2603.18693v2","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2603.18693","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_12","alias_value":"4WYSJIU4A5MO","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_16","alias_value":"4WYSJIU4A5MO6525","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_8","alias_value":"4WYSJIU4","created_at":"2026-05-29T01:05:07Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:4WYSJIU4A5MO6525I455FSM7AU","target":"record","payload":{"canonical_record":{"source":{"id":"2603.18693","kind":"arxiv","version":2},"metadata":{"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-03-19T09:52:29Z","cross_cats_sorted":["cs.SE"],"title_canon_sha256":"5ef726d71dc8c2b53291e30d98e5857ae8bd5957bed3431ab075de60200f8b3d","abstract_canon_sha256":"a77ae5c7999283c68ac6adb1ca40d8b0970a4b651f94662b42bbb4a00d7684ac"},"schema_version":"1.0"},"canonical_sha256":"e5b124a29c0758ef775d473bd2c99f0519d580d0620a7de151cec0a9860b165c","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-29T01:05:07.495100Z","signature_b64":"2mgHRpMaUP/pd22QJAqOJWUfimo0tCjW5UY/k/QbSuJcUPvIM3wFwET+X4+9dMeY7cfGKK4OEf1unvWdbhQ3Cw==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"e5b124a29c0758ef775d473bd2c99f0519d580d0620a7de151cec0a9860b165c","last_reissued_at":"2026-05-29T01:05:07.494197Z","signature_status":"signed_v1","first_computed_at":"2026-05-29T01:05:07.494197Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2603.18693","source_version":2,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-29T01:05:07Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"FjPj/OCYj/28PQggUc0pY/85IxqkYfZ9zc/AtdzR13mVA8s9jd6RYXncoLlV9HRiXuzIHP+SjrWNuuPD3SfwDg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-30T17:22:50.563292Z"},"content_sha256":"9616c24f6882159aa2c648d550886dc7a47af14961264f54b042b59ffc270e5f","schema_version":"1.0","event_id":"sha256:9616c24f6882159aa2c648d550886dc7a47af14961264f54b042b59ffc270e5f"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:4WYSJIU4A5MO6525I455FSM7AU","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Cross-Ecosystem Vulnerability Analysis for Python Applications","license":"http://creativecommons.org/licenses/by-sa/4.0/","headline":"","cross_cats":["cs.SE"],"primary_cat":"cs.CR","authors_text":"Charalambos Mitropoulos, Dimitris Mitropoulos, Georgios Alexopoulos, Nikolaos Alexopoulos, Thodoris Sotiropoulos, Zhendong Su","submitted_at":"2026-03-19T09:52:29Z","abstract_excerpt":"Python applications depend on third-party native libraries that may be vendored within package distributions or installed on the host system. When vulnerabilities are discovered in these native libraries, determining which Python packages are affected requires analysis across ecosystem boundaries, from Python dependency graphs to OS distribution packages. Current vulnerability scanners produce false negatives by overlooking vulnerabilities in vendored native libaries and false positives by failing to account for security patches backported by OS distributions.\n  We present a provenance-aware v"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2603.18693","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2603.18693/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-29T01:05:07Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"m6t4tELnrMFJqo3uu+c1tZcyEDlMA3blacXmN91lb2bPjB8809u8MTysGSOxYrK8b30G/cbrdKq5IDAmG9MQDw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-30T17:22:50.564113Z"},"content_sha256":"cb9ce62e11906b2cef85079271ea6da1f2efd7c632e8a72abedaf8e28230fe9c","schema_version":"1.0","event_id":"sha256:cb9ce62e11906b2cef85079271ea6da1f2efd7c632e8a72abedaf8e28230fe9c"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/4WYSJIU4A5MO6525I455FSM7AU/bundle.json","state_url":"https://pith.science/pith/4WYSJIU4A5MO6525I455FSM7AU/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/4WYSJIU4A5MO6525I455FSM7AU/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-30T17:22:50Z","links":{"resolver":"https://pith.science/pith/4WYSJIU4A5MO6525I455FSM7AU","bundle":"https://pith.science/pith/4WYSJIU4A5MO6525I455FSM7AU/bundle.json","state":"https://pith.science/pith/4WYSJIU4A5MO6525I455FSM7AU/state.json","well_known_bundle":"https://pith.science/.well-known/pith/4WYSJIU4A5MO6525I455FSM7AU/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:4WYSJIU4A5MO6525I455FSM7AU","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"a77ae5c7999283c68ac6adb1ca40d8b0970a4b651f94662b42bbb4a00d7684ac","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-03-19T09:52:29Z","title_canon_sha256":"5ef726d71dc8c2b53291e30d98e5857ae8bd5957bed3431ab075de60200f8b3d"},"schema_version":"1.0","source":{"id":"2603.18693","kind":"arxiv","version":2}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2603.18693","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"arxiv_version","alias_value":"2603.18693v2","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2603.18693","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_12","alias_value":"4WYSJIU4A5MO","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_16","alias_value":"4WYSJIU4A5MO6525","created_at":"2026-05-29T01:05:07Z"},{"alias_kind":"pith_short_8","alias_value":"4WYSJIU4","created_at":"2026-05-29T01:05:07Z"}],"graph_snapshots":[{"event_id":"sha256:cb9ce62e11906b2cef85079271ea6da1f2efd7c632e8a72abedaf8e28230fe9c","target":"graph","created_at":"2026-05-29T01:05:07Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2603.18693/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Python applications depend on third-party native libraries that may be vendored within package distributions or installed on the host system. When vulnerabilities are discovered in these native libraries, determining which Python packages are affected requires analysis across ecosystem boundaries, from Python dependency graphs to OS distribution packages. Current vulnerability scanners produce false negatives by overlooking vulnerabilities in vendored native libaries and false positives by failing to account for security patches backported by OS distributions.\n  We present a provenance-aware v","authors_text":"Charalambos Mitropoulos, Dimitris Mitropoulos, Georgios Alexopoulos, Nikolaos Alexopoulos, Thodoris Sotiropoulos, Zhendong Su","cross_cats":["cs.SE"],"headline":"","license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-03-19T09:52:29Z","title":"Cross-Ecosystem Vulnerability Analysis for Python Applications"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2603.18693","kind":"arxiv","version":2},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:9616c24f6882159aa2c648d550886dc7a47af14961264f54b042b59ffc270e5f","target":"record","created_at":"2026-05-29T01:05:07Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"a77ae5c7999283c68ac6adb1ca40d8b0970a4b651f94662b42bbb4a00d7684ac","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by-sa/4.0/","primary_cat":"cs.CR","submitted_at":"2026-03-19T09:52:29Z","title_canon_sha256":"5ef726d71dc8c2b53291e30d98e5857ae8bd5957bed3431ab075de60200f8b3d"},"schema_version":"1.0","source":{"id":"2603.18693","kind":"arxiv","version":2}},"canonical_sha256":"e5b124a29c0758ef775d473bd2c99f0519d580d0620a7de151cec0a9860b165c","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"e5b124a29c0758ef775d473bd2c99f0519d580d0620a7de151cec0a9860b165c","first_computed_at":"2026-05-29T01:05:07.494197Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-29T01:05:07.494197Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"2mgHRpMaUP/pd22QJAqOJWUfimo0tCjW5UY/k/QbSuJcUPvIM3wFwET+X4+9dMeY7cfGKK4OEf1unvWdbhQ3Cw==","signature_status":"signed_v1","signed_at":"2026-05-29T01:05:07.495100Z","signed_message":"canonical_sha256_bytes"},"source_id":"2603.18693","source_kind":"arxiv","source_version":2}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:9616c24f6882159aa2c648d550886dc7a47af14961264f54b042b59ffc270e5f","sha256:cb9ce62e11906b2cef85079271ea6da1f2efd7c632e8a72abedaf8e28230fe9c"],"state_sha256":"982aa46ec8b5ecf0f166678de496e94d57ca33a8b09a9f1d2dbc25318d791d1b"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"+Zka+ZZV8M9ySk4RyJLy1cnWZket2q4qKFLO+qJOWQ6M57ZNPvWSx+YoRlfVTIbSEbWXzUiP7/UBIAFfKKW7Aw==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-30T17:22:50.576455Z","bundle_sha256":"88fee798d09bf42907cd060d4fb8a06309277a57e68e8f5f9e55d146bdc55819"}}