{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2025:FT2ASBGRSVFQ2DKH6RB6F2WY7S","short_pith_number":"pith:FT2ASBGR","canonical_record":{"source":{"id":"2503.20265","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-03-26T06:16:58Z","cross_cats_sorted":[],"title_canon_sha256":"35fffb1ea9a137594e6b16659df7f08f42f8aa2a5f395e34bb1265f042e09de9","abstract_canon_sha256":"1e98b0900ec3092f9c9486de38825b29788a1e303728d1821a7b80beb5bda5a0"},"schema_version":"1.0"},"canonical_sha256":"2cf40904d1954b0d0d47f443e2ead8fc890cafcec38c099bd9d43c3802e439a5","source":{"kind":"arxiv","id":"2503.20265","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2503.20265","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"arxiv_version","alias_value":"2503.20265v1","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2503.20265","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_12","alias_value":"FT2ASBGRSVFQ","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_16","alias_value":"FT2ASBGRSVFQ2DKH","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_8","alias_value":"FT2ASBGR","created_at":"2026-07-05T10:39:35Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2025:FT2ASBGRSVFQ2DKH6RB6F2WY7S","target":"record","payload":{"canonical_record":{"source":{"id":"2503.20265","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-03-26T06:16:58Z","cross_cats_sorted":[],"title_canon_sha256":"35fffb1ea9a137594e6b16659df7f08f42f8aa2a5f395e34bb1265f042e09de9","abstract_canon_sha256":"1e98b0900ec3092f9c9486de38825b29788a1e303728d1821a7b80beb5bda5a0"},"schema_version":"1.0"},"canonical_sha256":"2cf40904d1954b0d0d47f443e2ead8fc890cafcec38c099bd9d43c3802e439a5","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-07-05T10:39:35.955051Z","signature_b64":"iARKTBZGO6tblANBMH5mGNt5nrU3gxJtWDk1/+Ygij8oT9E1Axh7ymzefC69BDzbTJeQTneV5tIDALWK91hWBA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"2cf40904d1954b0d0d47f443e2ead8fc890cafcec38c099bd9d43c3802e439a5","last_reissued_at":"2026-07-05T10:39:35.954556Z","signature_status":"signed_v1","first_computed_at":"2026-07-05T10:39:35.954556Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2503.20265","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-07-05T10:39:35Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"UN2Xe3m/QAH3cGR0qissNIb8hWIVbgrUjV6qiYC0WZZwPx8QdBPZxVivmacBgTZl0K0iRVcOMS3f79BgOxvkCA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-07-07T10:26:48.689243Z"},"content_sha256":"9d50413ae9bc906eb7e2be050888a31bd9b333668fec280b2c0de433ca89b123","schema_version":"1.0","event_id":"sha256:9d50413ae9bc906eb7e2be050888a31bd9b333668fec280b2c0de433ca89b123"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2025:FT2ASBGRSVFQ2DKH6RB6F2WY7S","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Fixseeker: An Empirical Driven Graph-based Approach for Detecting Silent Vulnerability Fixes in Open Source Software","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.SE","authors_text":"David Lo, Dongliang Fang, Limin Sun, Lwin Khin Shar, Shichao Lv, Ting Zhang, Yiran Cheng, Zhe Lang, Zhiqiang Shi","submitted_at":"2025-03-26T06:16:58Z","abstract_excerpt":"Open source software vulnerabilities pose significant security risks to downstream applications. While vulnerability databases provide valuable information for mitigation, many security patches are released silently in new commits of OSS repositories without explicit indications of their security impact. This makes it challenging for software maintainers and users to detect and address these vulnerability fixes. There are a few approaches for detecting vulnerability-fixing commits (VFCs) but most of these approaches leverage commit messages, which would miss silent VFCs. On the other hand, the"},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2503.20265","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2503.20265/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-07-05T10:39:35Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"HbxSJr9mTN30Sl1dRplNI/AqdkSUcDFhulgrZzMwcUxXEuPWHcGUM6Fc8Xu0YHzUMhvT3+W7IjLsiBs67QmfBw==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-07-07T10:26:48.689647Z"},"content_sha256":"d222eee6f4d938c0945deed27a6656287ffc78b562dcb832e4cd2ed65279b852","schema_version":"1.0","event_id":"sha256:d222eee6f4d938c0945deed27a6656287ffc78b562dcb832e4cd2ed65279b852"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/bundle.json","state_url":"https://pith.science/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-07-07T10:26:48Z","links":{"resolver":"https://pith.science/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S","bundle":"https://pith.science/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/bundle.json","state":"https://pith.science/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/state.json","well_known_bundle":"https://pith.science/.well-known/pith/FT2ASBGRSVFQ2DKH6RB6F2WY7S/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2025:FT2ASBGRSVFQ2DKH6RB6F2WY7S","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"1e98b0900ec3092f9c9486de38825b29788a1e303728d1821a7b80beb5bda5a0","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-03-26T06:16:58Z","title_canon_sha256":"35fffb1ea9a137594e6b16659df7f08f42f8aa2a5f395e34bb1265f042e09de9"},"schema_version":"1.0","source":{"id":"2503.20265","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2503.20265","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"arxiv_version","alias_value":"2503.20265v1","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2503.20265","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_12","alias_value":"FT2ASBGRSVFQ","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_16","alias_value":"FT2ASBGRSVFQ2DKH","created_at":"2026-07-05T10:39:35Z"},{"alias_kind":"pith_short_8","alias_value":"FT2ASBGR","created_at":"2026-07-05T10:39:35Z"}],"graph_snapshots":[{"event_id":"sha256:d222eee6f4d938c0945deed27a6656287ffc78b562dcb832e4cd2ed65279b852","target":"graph","created_at":"2026-07-05T10:39:35Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2503.20265/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Open source software vulnerabilities pose significant security risks to downstream applications. While vulnerability databases provide valuable information for mitigation, many security patches are released silently in new commits of OSS repositories without explicit indications of their security impact. This makes it challenging for software maintainers and users to detect and address these vulnerability fixes. There are a few approaches for detecting vulnerability-fixing commits (VFCs) but most of these approaches leverage commit messages, which would miss silent VFCs. On the other hand, the","authors_text":"David Lo, Dongliang Fang, Limin Sun, Lwin Khin Shar, Shichao Lv, Ting Zhang, Yiran Cheng, Zhe Lang, Zhiqiang Shi","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-03-26T06:16:58Z","title":"Fixseeker: An Empirical Driven Graph-based Approach for Detecting Silent Vulnerability Fixes in Open Source Software"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2503.20265","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:9d50413ae9bc906eb7e2be050888a31bd9b333668fec280b2c0de433ca89b123","target":"record","created_at":"2026-07-05T10:39:35Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"1e98b0900ec3092f9c9486de38825b29788a1e303728d1821a7b80beb5bda5a0","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.SE","submitted_at":"2025-03-26T06:16:58Z","title_canon_sha256":"35fffb1ea9a137594e6b16659df7f08f42f8aa2a5f395e34bb1265f042e09de9"},"schema_version":"1.0","source":{"id":"2503.20265","kind":"arxiv","version":1}},"canonical_sha256":"2cf40904d1954b0d0d47f443e2ead8fc890cafcec38c099bd9d43c3802e439a5","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"2cf40904d1954b0d0d47f443e2ead8fc890cafcec38c099bd9d43c3802e439a5","first_computed_at":"2026-07-05T10:39:35.954556Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-07-05T10:39:35.954556Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"iARKTBZGO6tblANBMH5mGNt5nrU3gxJtWDk1/+Ygij8oT9E1Axh7ymzefC69BDzbTJeQTneV5tIDALWK91hWBA==","signature_status":"signed_v1","signed_at":"2026-07-05T10:39:35.955051Z","signed_message":"canonical_sha256_bytes"},"source_id":"2503.20265","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:9d50413ae9bc906eb7e2be050888a31bd9b333668fec280b2c0de433ca89b123","sha256:d222eee6f4d938c0945deed27a6656287ffc78b562dcb832e4cd2ed65279b852"],"state_sha256":"d7153ef4a4f177ba8c3855759a6a2ef94b5ee64f403512596745e5020297bae1"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"fprJdEJA3uA/wOnPJCWg9YP76AcV6iX/HoWe+FARRt5QXttpfJ1EYLYaGlofzkn3uDoEBRDV1mdYaj1yPsUODA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-07-07T10:26:48.691917Z","bundle_sha256":"d09f264dc89b1c6a5a54a4358ba4b5e0b305b353d629e8d987febf1dc3863732"}}