{"id":"https://openalex.org/W4411271558","doi":"https://doi.org/10.1109/msr66628.2025.00064","title":"Tracing Vulnerabilities in Maven: A Study of CVE lifecycles and Dependency Networks","display_name":"Tracing Vulnerabilities in Maven: A Study of CVE lifecycles and Dependency Networks","publication_year":2025,"publication_date":"2025-04-28","ids":{"openalex":"https://openalex.org/W4411271558","doi":"https://doi.org/10.1109/msr66628.2025.00064"},"language":"en","primary_location":{"id":"doi:10.1109/msr66628.2025.00064","is_oa":false,"landing_page_url":"https://doi.org/10.1109/msr66628.2025.00064","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5116211111","display_name":"Corey Yang-Smith","orcid":null},"institutions":[{"id":"https://openalex.org/I168635309","display_name":"University of Calgary","ror":"https://ror.org/03yjb2x39","country_code":"CA","type":"education","lineage":["https://openalex.org/I168635309"]}],"countries":["CA"],"is_corresponding":true,"raw_author_name":"Corey Yang-Smith","raw_affiliation_strings":["University of Calgary,Calgary,Canada"],"affiliations":[{"raw_affiliation_string":"University of Calgary,Calgary,Canada","institution_ids":["https://openalex.org/I168635309"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5108338171","display_name":"Ahmad Abdellatif","orcid":null},"institutions":[{"id":"https://openalex.org/I168635309","display_name":"University of Calgary","ror":"https://ror.org/03yjb2x39","country_code":"CA","type":"education","lineage":["https://openalex.org/I168635309"]}],"countries":["CA"],"is_corresponding":false,"raw_author_name":"Ahmad Abdellatif","raw_affiliation_strings":["University of Calgary,Calgary,Canada"],"affiliations":[{"raw_affiliation_string":"University of Calgary,Calgary,Canada","institution_ids":["https://openalex.org/I168635309"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5116211111"],"corresponding_institution_ids":["https://openalex.org/I168635309"],"apc_list":null,"apc_paid":null,"fwci":4.7589,"has_fulltext":false,"cited_by_count":3,"citation_normalized_percentile":{"value":0.95054022,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":96,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"349","last_page":"353"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9994000196456909,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9988999962806702,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.9952999949455261,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7440491318702698},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.6969836950302124},{"id":"https://openalex.org/keywords/tracing","display_name":"Tracing","score":0.6496788859367371},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.15558648109436035},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.14638099074363708}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7440491318702698},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.6969836950302124},{"id":"https://openalex.org/C138673069","wikidata":"https://www.wikidata.org/wiki/Q322229","display_name":"Tracing","level":2,"score":0.6496788859367371},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.15558648109436035},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.14638099074363708}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/msr66628.2025.00064","is_oa":false,"landing_page_url":"https://doi.org/10.1109/msr66628.2025.00064","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE/ACM 22nd International Conference on Mining Software Repositories (MSR)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":25,"referenced_works":["https://openalex.org/W2021565261","https://openalex.org/W2043837581","https://openalex.org/W2060337373","https://openalex.org/W2733373979","https://openalex.org/W2975550303","https://openalex.org/W3172189288","https://openalex.org/W3181225367","https://openalex.org/W3187000578","https://openalex.org/W3208497051","https://openalex.org/W4280632162","https://openalex.org/W4309529433","https://openalex.org/W4321634205","https://openalex.org/W4360770768","https://openalex.org/W4360948905","https://openalex.org/W4376606615","https://openalex.org/W4384345738","https://openalex.org/W4388502396","https://openalex.org/W4393284663","https://openalex.org/W4399667987","https://openalex.org/W4404347037","https://openalex.org/W4404403066","https://openalex.org/W4404515219","https://openalex.org/W6759246942","https://openalex.org/W6863147015","https://openalex.org/W6874302962"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W2888673113","https://openalex.org/W2390279801","https://openalex.org/W4391913857","https://openalex.org/W2358668433","https://openalex.org/W4396701345","https://openalex.org/W2056065966","https://openalex.org/W2376932109"],"abstract_inverted_index":{"Software":[0],"ecosystems":[1,22],"rely":[2],"on":[3],"centralized":[4],"package":[5,121],"registries,":[6],"such":[7,162,179],"as":[8,163,180],"Maven,":[9],"to":[10,80,116,154],"enable":[11],"code":[12],"reuse":[13],"and":[14,32,43,58,61,86,109,167,185,194],"collaboration.":[15],"However,":[16],"the":[17,24,52,62,73,173,181,192],"interconnected":[18],"nature":[19],"of":[20,54,65,75,100,105,111,175,196],"these":[21],"amplifies":[23],"risks":[25,199],"posed":[26],"by":[27,148],"security":[28,198],"vulnerabilities":[29,40,55,139],"in":[30,41,50,67,78,83,132,200],"direct":[31],"transitive":[33],"dependencies.":[34],"While":[35],"numerous":[36],"studies":[37],"have":[38],"examined":[39],"Maven":[42,79],"other":[44],"ecosystems,":[45],"there":[46],"remains":[47],"a":[48,94,120,130],"gap":[49],"understanding":[51],"behavior":[53],"across":[56],"parent":[57],"dependent":[59],"packages,":[60],"response":[63,114,146],"times":[64,115],"maintainers":[66,135],"addressing":[68],"vulnerabilities.":[69],"This":[70],"study":[71,96],"analyzes":[72],"lifecycle":[74],"3,362":[76],"CVEs":[77],"uncover":[81],"patterns":[82],"vulnerability":[84],"mitigation":[85],"identify":[87],"factors":[88],"influencing":[89],"at-risk":[90],"packages.":[91],"We":[92],"conducted":[93],"comprehensive":[95],"integrating":[97],"temporal":[98],"analyses":[99,104],"CVE":[101],"lifecycles,":[102],"correlation":[103],"GitHub":[106],"repository":[107],"metrics,":[108],"assessments":[110],"library":[112],"maintainers\u2019":[113],"patch":[117],"vulnerabilities,":[118],"utilizing":[119],"dependency":[122],"graph":[123],"for":[124],"Maven.":[125,201],"A":[126],"key":[127],"finding":[128],"reveals":[129],"trend":[131],"\u201cPublish-Before-Patch\u201d":[133],"scenarios:":[134],"prioritize":[136],"patching":[137],"severe":[138],"more":[140],"quickly":[141],"after":[142],"public":[143],"disclosure,":[144],"reducing":[145],"time":[147],"48.3%":[149],"from":[150],"low":[151],"(151":[152],"days)":[153],"critical":[155],"severity":[156],"(78":[157],"days).":[158],"Additionally,":[159],"project":[160],"characteristics,":[161],"contributor":[164],"absence":[165],"factor":[166],"issue":[168],"activity,":[169],"strongly":[170],"correlate":[171],"with":[172],"presence":[174],"CVEs.":[176],"Leveraging":[177],"tools":[178],"Goblin":[182],"Ecosystem,":[183],"OSV.dev,":[184],"OpenDigger,":[186],"our":[187],"findings":[188],"provide":[189],"insights":[190],"into":[191],"practices":[193],"challenges":[195],"managing":[197]},"counts_by_year":[{"year":2025,"cited_by_count":3}],"updated_date":"2025-11-06T03:46:38.306776","created_date":"2025-10-10T00:00:00"}