{"id":"https://openalex.org/W7127135740","doi":"https://doi.org/10.1109/trustcom66490.2025.00275","title":"Towards System-of-Systems Bill of Material Solution for Vulnerability Operational Impact Analysis","display_name":"Towards System-of-Systems Bill of Material Solution for Vulnerability Operational Impact Analysis","publication_year":2025,"publication_date":"2025-11-14","ids":{"openalex":"https://openalex.org/W7127135740","doi":"https://doi.org/10.1109/trustcom66490.2025.00275"},"language":null,"primary_location":{"id":"doi:10.1109/trustcom66490.2025.00275","is_oa":false,"landing_page_url":"https://doi.org/10.1109/trustcom66490.2025.00275","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 24th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5123018698","display_name":"Lucas Tesson","orcid":null},"institutions":[{"id":"https://openalex.org/I2801356230","display_name":"Thales (Australia)","ror":"https://ror.org/00f7vya03","country_code":"AU","type":"company","lineage":["https://openalex.org/I2801356230","https://openalex.org/I4210140930"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Lucas Tesson","raw_affiliation_strings":["Thales Land and Air Systems, BL IAS"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Thales Land and Air Systems, BL IAS","institution_ids":["https://openalex.org/I2801356230"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5124814314","display_name":"Jamal El Hachem","orcid":null},"institutions":[{"id":"https://openalex.org/I2802204017","display_name":"Universit\u00e9 de Bretagne Sud","ror":"https://ror.org/04ed7fw48","country_code":"FR","type":"education","lineage":["https://openalex.org/I2802204017"]},{"id":"https://openalex.org/I2802519937","display_name":"Institut de Recherche en Informatique et Syst\u00e8mes Al\u00e9atoires","ror":"https://ror.org/00myn0z94","country_code":"FR","type":"facility","lineage":["https://openalex.org/I1294671590","https://openalex.org/I1294671590","https://openalex.org/I1326498283","https://openalex.org/I205703379","https://openalex.org/I2802204017","https://openalex.org/I2802519937","https://openalex.org/I28221208","https://openalex.org/I4210127572","https://openalex.org/I4210159245","https://openalex.org/I56067802"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"Jamal El Hachem","raw_affiliation_strings":["IRISA &#x2013; UMR 6074, Univ. Bretagne-Sud,Vannes,France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"IRISA &#x2013; UMR 6074, Univ. Bretagne-Sud,Vannes,France","institution_ids":["https://openalex.org/I2802204017","https://openalex.org/I2802519937"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123005854","display_name":"Patrice Guillou","orcid":null},"institutions":[{"id":"https://openalex.org/I2801356230","display_name":"Thales (Australia)","ror":"https://ror.org/00f7vya03","country_code":"AU","type":"company","lineage":["https://openalex.org/I2801356230","https://openalex.org/I4210140930"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Patrice Guillou","raw_affiliation_strings":["Thales Land and Air Systems, BL IAS"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Thales Land and Air Systems, BL IAS","institution_ids":["https://openalex.org/I2801356230"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5112731370","display_name":"J\u00e9r\u00e9my Buisson","orcid":null},"institutions":[{"id":"https://openalex.org/I33976269","display_name":"Xerox (France)","ror":"https://ror.org/033q0mv79","country_code":"FR","type":"company","lineage":["https://openalex.org/I33976269","https://openalex.org/I4210132870"]}],"countries":["FR"],"is_corresponding":false,"raw_author_name":"J\u00e9r\u00e9my Buisson","raw_affiliation_strings":["CR&#x00E9;A &#x2013; &#x00C9;cole de l&#x2019;Air et de l&#x2019;Espace,Salon de Provence,France"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"CR&#x00E9;A &#x2013; &#x00C9;cole de l&#x2019;Air et de l&#x2019;Espace,Salon de Provence,France","institution_ids":["https://openalex.org/I33976269"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.78043132,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"2363","last_page":"2372"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.31349998712539673,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.31349998712539673,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12423","display_name":"Software Reliability and Analysis Research","score":0.2678999900817871,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10639","display_name":"Advanced Software Engineering Methodologies","score":0.11670000106096268,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/software-deployment","display_name":"Software deployment","score":0.857699990272522},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.7279000282287598},{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.6359999775886536},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5964999794960022},{"id":"https://openalex.org/keywords/trace","display_name":"TRACE (psycholinguistics)","score":0.5949000120162964},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.5848000049591064},{"id":"https://openalex.org/keywords/software-system","display_name":"Software system","score":0.4684000015258789},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.4262000024318695},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.42419999837875366}],"concepts":[{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.857699990272522},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7462000250816345},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.7279000282287598},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.6359999775886536},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5964999794960022},{"id":"https://openalex.org/C75291252","wikidata":"https://www.wikidata.org/wiki/Q1315756","display_name":"TRACE (psycholinguistics)","level":2,"score":0.5949000120162964},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.5848000049591064},{"id":"https://openalex.org/C149091818","wikidata":"https://www.wikidata.org/wiki/Q2429814","display_name":"Software system","level":3,"score":0.4684000015258789},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4406000077724457},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.4262000024318695},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.42419999837875366},{"id":"https://openalex.org/C48103436","wikidata":"https://www.wikidata.org/wiki/Q599031","display_name":"State (computer science)","level":2,"score":0.42160001397132874},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.37529999017715454},{"id":"https://openalex.org/C201995342","wikidata":"https://www.wikidata.org/wiki/Q682496","display_name":"Systems engineering","level":1,"score":0.36489999294281006},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.36320000886917114},{"id":"https://openalex.org/C174683762","wikidata":"https://www.wikidata.org/wiki/Q609588","display_name":"Component-based software engineering","level":4,"score":0.36309999227523804},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.35359999537467957},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.33009999990463257},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.3208000063896179},{"id":"https://openalex.org/C81293917","wikidata":"https://www.wikidata.org/wiki/Q4189534","display_name":"System deployment","level":3,"score":0.3133000135421753},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2870999872684479},{"id":"https://openalex.org/C200601418","wikidata":"https://www.wikidata.org/wiki/Q2193887","display_name":"Reliability engineering","level":1,"score":0.2825999855995178},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2768999934196472},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.2750000059604645},{"id":"https://openalex.org/C174839445","wikidata":"https://www.wikidata.org/wiki/Q1134386","display_name":"Lock (firearm)","level":2,"score":0.2621000111103058},{"id":"https://openalex.org/C137287247","wikidata":"https://www.wikidata.org/wiki/Q1329550","display_name":"Static program analysis","level":4,"score":0.2614000141620636},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.2612999975681305},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.2554999887943268},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.2535000145435333},{"id":"https://openalex.org/C24119478","wikidata":"https://www.wikidata.org/wiki/Q679871","display_name":"Systems analysis","level":2,"score":0.25189998745918274}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/trustcom66490.2025.00275","is_oa":false,"landing_page_url":"https://doi.org/10.1109/trustcom66490.2025.00275","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 24th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.6281317472457886,"display_name":"Industry, innovation and infrastructure","id":"https://metadata.un.org/sdg/9"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":17,"referenced_works":["https://openalex.org/W2051600169","https://openalex.org/W2058107586","https://openalex.org/W2528913414","https://openalex.org/W2733373979","https://openalex.org/W2901560623","https://openalex.org/W2951760215","https://openalex.org/W2990518741","https://openalex.org/W2992944009","https://openalex.org/W3040158574","https://openalex.org/W4281772577","https://openalex.org/W4312792397","https://openalex.org/W4312957922","https://openalex.org/W4391849119","https://openalex.org/W4399667984","https://openalex.org/W4401084229","https://openalex.org/W4401352299","https://openalex.org/W4411484386"],"related_works":[],"abstract_inverted_index":{"Modern":[0],"systems":[1,54],"rely":[2],"on":[3,112,180],"numerous":[4],"third-party":[5,31],"software":[6,17,39],"components":[7,40],"from":[8,73,84],"various":[9],"vendors":[10],"and":[11,98,158],"open-source":[12],"repositories.":[13],"To":[14,116,171],"secure":[15],"their":[16],"supply":[18],"chain,":[19],"Software":[20],"Bill":[21],"of":[22,30,37,125,138,202],"Materials":[23],"(SBOM)":[24],"has":[25],"emerged":[26],"as":[27],"an":[28,122,160],"inventory":[29],"components,":[32],"hence":[33],"enabling":[34],"the":[35,45,53,61,74,80,85,88,113,139,168,193,200],"identification":[36,48],"vulnerable":[38],"among":[41],"those":[42],"integrated":[43],"in":[44,102],"systems.":[46],"This":[47],"is":[49],"a":[50,103,130,149,177,181,203],"prerequisite":[51],"for":[52,184],"designers":[55],"to":[56,70,79,87,141,153,165],"mitigate":[57],"vulnerabilities":[58],"brought":[59],"by":[60],"components.":[62],"However,":[63],"current":[64],"SBOM":[65],"techniques":[66],"are":[67],"not":[68],"enough":[69],"trace":[71],"dependencies":[72],"source":[75],"code":[76],"scaling":[77],"up":[78],"service-oriented":[81,169],"level,":[82],"nor":[83,107],"design":[86],"operation":[89],"phases.":[90],"These":[91],"limitations":[92],"prevent":[93],"discovering":[94],"potential":[95],"vulnerability":[96],"propagation":[97],"operational":[99],"impact":[100],"analysis":[101],"System-of-Systems":[104],"(SoS)":[105],"context,":[106],"lateral":[108,155],"movement":[109,156],"analysis,":[110],"e.g.,":[111],"deployment":[114,150],"configuration.":[115],"overcome":[117],"these":[118],"limitations,":[119],"we":[120,175],"propose":[121],"original":[123],"combination":[124],"three":[126],"dependency":[127,133,151],"graphs:":[128],"(1)":[129],"call-level,":[131],"static":[132],"graph,":[134,152,164],"following":[135],"recent":[136],"state":[137],"art":[140],"reduce":[142],"false":[143],"positives":[144],"over":[145],"package-level":[146],"graphs;":[147],"(2)":[148],"enable":[154],"analysis;":[157],"(3)":[159],"observed":[161],"runtime":[162],"interaction":[163],"deal":[166],"with":[167],"scale.":[170],"illustrate":[172],"our":[173],"proposal,":[174],"executed":[176],"case":[178],"study":[179],"real-life":[182],"infrastructure":[183],"Capture":[185],"The":[186],"Flag":[187],"challenges.":[188],"Our":[189],"approach":[190],"successfully":[191],"reconstructed":[192],"system":[194],"architecture,":[195],"then":[196],"it":[197],"correctly":[198],"reported":[199],"exploitability":[201],"zip-slip":[204],"vulnerability.":[205]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-02-03T00:00:00"}