{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:CJ2QRJVJ4MJ27PVXIIS7GIDSCP","short_pith_number":"pith:CJ2QRJVJ","canonical_record":{"source":{"id":"2506.09702","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-06-11T13:14:29Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"fe3ea0e1a30c6f4ea8870fa40253a27c2d90ed33a0f4cc2d1f452225a63683fb","abstract_canon_sha256":"00b0253cac84d4c97b8875c2ed786f2588684e7aad107640557edad819cbccc3"},"schema_version":"1.0"},"canonical_sha256":"127508a6a9e313afbeb74225f3207213cae6c42de799fc7c02cf45f36ff3699e","source":{"kind":"arxiv","id":"2506.09702","version":2},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2506.09702","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"arxiv_version","alias_value":"2506.09702v2","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2506.09702","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_12","alias_value":"CJ2QRJVJ4MJ2","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_16","alias_value":"CJ2QRJVJ4MJ27PVX","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_8","alias_value":"CJ2QRJVJ","created_at":"2026-05-20T00:05:30Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:CJ2QRJVJ4MJ27PVXIIS7GIDSCP","target":"record","payload":{"canonical_record":{"source":{"id":"2506.09702","kind":"arxiv","version":2},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-06-11T13:14:29Z","cross_cats_sorted":["cs.CR"],"title_canon_sha256":"fe3ea0e1a30c6f4ea8870fa40253a27c2d90ed33a0f4cc2d1f452225a63683fb","abstract_canon_sha256":"00b0253cac84d4c97b8875c2ed786f2588684e7aad107640557edad819cbccc3"},"schema_version":"1.0"},"canonical_sha256":"127508a6a9e313afbeb74225f3207213cae6c42de799fc7c02cf45f36ff3699e","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-20T00:05:30.033605Z","signature_b64":"5Kl2jHe6jgZNLNjkKldyUn63bqIdXJ7M4k+qnCjSPAZOJM8CAzGbHMHa+wtifV1CXrZaZ72llkRQHLPf4Q5/Cg==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"127508a6a9e313afbeb74225f3207213cae6c42de799fc7c02cf45f36ff3699e","last_reissued_at":"2026-05-20T00:05:30.032832Z","signature_status":"signed_v1","first_computed_at":"2026-05-20T00:05:30.032832Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2506.09702","source_version":2,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T00:05:30Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"3/lc4ycmoApAS1WlzWohmGtforF/nOF5vb9hK8OdPvLaHYfUGqBOWjAM7gJ54DrGpe5BLOCSK7cZjoqVuOdRBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-26T07:53:32.060296Z"},"content_sha256":"2ff0756938e184abd802e1f7d85f80cbdaadf6e9be8d14d40f642fa1855da824","schema_version":"1.0","event_id":"sha256:2ff0756938e184abd802e1f7d85f80cbdaadf6e9be8d14d40f642fa1855da824"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:CJ2QRJVJ4MJ27PVXIIS7GIDSCP","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Mapping NVD Records to Their Vulnerability-fixing Commits: How Hard is It?","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":["cs.CR"],"primary_cat":"cs.SE","authors_text":"David Lo, Duc Manh Tran, Hong Jin Kang, Huu Hung Nguyen, Ouh Eng Lieh, Ratnadira Widyasari, Shar Lwin Khin, Thanh Le-Cong, Ting Zhang, Yiran Cheng","submitted_at":"2025-06-11T13:14:29Z","abstract_excerpt":"Mapping National Vulnerability Database (NVD) records to vulnerability-fixing commits (VFCs) is crucial for vulnerability analysis but challenging due to sparse explicit links in NVD references. This study explores this mapping's feasibility through an empirical approach. Manual analysis of NVD references showed Git references enable over 86% success, while non-Git references achieve under 14%. Using these findings, we built an automated pipeline extracting 31,942 VFCs from 20,360 NVD records (8.7% of 235,341) with 87% precision, mainly from Git references. To fill gaps, we mined six external "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2506.09702","kind":"arxiv","version":2},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2506.09702/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-20T00:05:30Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"iCywqQ4bUjDAuFg1i0WwrUbr6xrMjrG2H/aSXjqp2THlIqxlWhEIENS1KFXbKP2YtS55akok3MQvtvDJ89YqBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-26T07:53:32.060925Z"},"content_sha256":"3d5548849c96ffe5784aadc4f5cb26b0c082cab3b05ceca7f5252854e5ab2647","schema_version":"1.0","event_id":"sha256:3d5548849c96ffe5784aadc4f5cb26b0c082cab3b05ceca7f5252854e5ab2647"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/bundle.json","state_url":"https://pith.science/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-26T07:53:32Z","links":{"resolver":"https://pith.science/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP","bundle":"https://pith.science/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/bundle.json","state":"https://pith.science/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/state.json","well_known_bundle":"https://pith.science/.well-known/pith/CJ2QRJVJ4MJ27PVXIIS7GIDSCP/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:CJ2QRJVJ4MJ27PVXIIS7GIDSCP","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"00b0253cac84d4c97b8875c2ed786f2588684e7aad107640557edad819cbccc3","cross_cats_sorted":["cs.CR"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-06-11T13:14:29Z","title_canon_sha256":"fe3ea0e1a30c6f4ea8870fa40253a27c2d90ed33a0f4cc2d1f452225a63683fb"},"schema_version":"1.0","source":{"id":"2506.09702","kind":"arxiv","version":2}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2506.09702","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"arxiv_version","alias_value":"2506.09702v2","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2506.09702","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_12","alias_value":"CJ2QRJVJ4MJ2","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_16","alias_value":"CJ2QRJVJ4MJ27PVX","created_at":"2026-05-20T00:05:30Z"},{"alias_kind":"pith_short_8","alias_value":"CJ2QRJVJ","created_at":"2026-05-20T00:05:30Z"}],"graph_snapshots":[{"event_id":"sha256:3d5548849c96ffe5784aadc4f5cb26b0c082cab3b05ceca7f5252854e5ab2647","target":"graph","created_at":"2026-05-20T00:05:30Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2506.09702/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Mapping National Vulnerability Database (NVD) records to vulnerability-fixing commits (VFCs) is crucial for vulnerability analysis but challenging due to sparse explicit links in NVD references. This study explores this mapping's feasibility through an empirical approach. Manual analysis of NVD references showed Git references enable over 86% success, while non-Git references achieve under 14%. Using these findings, we built an automated pipeline extracting 31,942 VFCs from 20,360 NVD records (8.7% of 235,341) with 87% precision, mainly from Git references. To fill gaps, we mined six external ","authors_text":"David Lo, Duc Manh Tran, Hong Jin Kang, Huu Hung Nguyen, Ouh Eng Lieh, Ratnadira Widyasari, Shar Lwin Khin, Thanh Le-Cong, Ting Zhang, Yiran Cheng","cross_cats":["cs.CR"],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-06-11T13:14:29Z","title":"Mapping NVD Records to Their Vulnerability-fixing Commits: How Hard is It?"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2506.09702","kind":"arxiv","version":2},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:2ff0756938e184abd802e1f7d85f80cbdaadf6e9be8d14d40f642fa1855da824","target":"record","created_at":"2026-05-20T00:05:30Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"00b0253cac84d4c97b8875c2ed786f2588684e7aad107640557edad819cbccc3","cross_cats_sorted":["cs.CR"],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-06-11T13:14:29Z","title_canon_sha256":"fe3ea0e1a30c6f4ea8870fa40253a27c2d90ed33a0f4cc2d1f452225a63683fb"},"schema_version":"1.0","source":{"id":"2506.09702","kind":"arxiv","version":2}},"canonical_sha256":"127508a6a9e313afbeb74225f3207213cae6c42de799fc7c02cf45f36ff3699e","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"127508a6a9e313afbeb74225f3207213cae6c42de799fc7c02cf45f36ff3699e","first_computed_at":"2026-05-20T00:05:30.032832Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-20T00:05:30.032832Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"5Kl2jHe6jgZNLNjkKldyUn63bqIdXJ7M4k+qnCjSPAZOJM8CAzGbHMHa+wtifV1CXrZaZ72llkRQHLPf4Q5/Cg==","signature_status":"signed_v1","signed_at":"2026-05-20T00:05:30.033605Z","signed_message":"canonical_sha256_bytes"},"source_id":"2506.09702","source_kind":"arxiv","source_version":2}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:2ff0756938e184abd802e1f7d85f80cbdaadf6e9be8d14d40f642fa1855da824","sha256:3d5548849c96ffe5784aadc4f5cb26b0c082cab3b05ceca7f5252854e5ab2647"],"state_sha256":"19682bfc640cc5d5082b3f22bdd652694e68cf06e5bc05a815a54ee9b6cab8dc"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"vv5mdPSlVdOQorLP+8Hpe81LjtIDMTqXz55Rnh/nJPcvM7theN0HlKcT4/YazkEdm/UwyhACh41JOYApSmz+BQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-26T07:53:32.064548Z","bundle_sha256":"05c57950307dbcfc34bee9be2efb350d0583944e11c523dde205d713f85dba22"}}