{"id":"https://openalex.org/W7139927463","doi":"https://doi.org/10.48550/arxiv.2603.18693","title":"Cross-Ecosystem Vulnerability Analysis for Python Applications","display_name":"Cross-Ecosystem Vulnerability Analysis for Python Applications","publication_year":2026,"publication_date":"2026-03-19","ids":{"openalex":"https://openalex.org/W7139927463","doi":"https://doi.org/10.48550/arxiv.2603.18693"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.18693","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18693","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.18693","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5042949856","display_name":"Georgios Alexopoulos","orcid":"https://orcid.org/0009-0005-8947-2075"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Alexopoulos, Georgios","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130249981","display_name":"Nikolaos Alexopoulos","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Alexopoulos, Nikolaos","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090354733","display_name":"Thodoris Sotiropoulos","orcid":"https://orcid.org/0000-0002-9906-3073"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sotiropoulos, Thodoris","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5090635891","display_name":"Charalambos Mitropoulos","orcid":"https://orcid.org/0000-0002-1080-602X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mitropoulos, Charalambos","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130214480","display_name":"Zhendong Su","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Su, Zhendong","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5050975122","display_name":"Dimitris Mitropoulos","orcid":"https://orcid.org/0000-0001-6184-5320"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mitropoulos, Dimitris","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.19419999420642853,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10743","display_name":"Software Testing and Debugging Techniques","score":0.19419999420642853,"subfield":{"id":"https://openalex.org/subfields/1712","display_name":"Software"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1932000070810318,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.14159999787807465,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/python","display_name":"Python (programming language)","score":0.8833000063896179},{"id":"https://openalex.org/keywords/dependency-graph","display_name":"Dependency graph","score":0.6897000074386597},{"id":"https://openalex.org/keywords/reachability","display_name":"Reachability","score":0.5813000202178955},{"id":"https://openalex.org/keywords/false-positive-paradox","display_name":"False positive paradox","score":0.5389000177383423},{"id":"https://openalex.org/keywords/dependency","display_name":"Dependency (UML)","score":0.4408999979496002},{"id":"https://openalex.org/keywords/call-graph","display_name":"Call graph","score":0.4032000005245209},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.374099999666214},{"id":"https://openalex.org/keywords/image-stitching","display_name":"Image stitching","score":0.32989999651908875}],"concepts":[{"id":"https://openalex.org/C519991488","wikidata":"https://www.wikidata.org/wiki/Q28865","display_name":"Python (programming language)","level":2,"score":0.8833000063896179},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7695000171661377},{"id":"https://openalex.org/C16311509","wikidata":"https://www.wikidata.org/wiki/Q4148050","display_name":"Dependency graph","level":3,"score":0.6897000074386597},{"id":"https://openalex.org/C136643341","wikidata":"https://www.wikidata.org/wiki/Q1361526","display_name":"Reachability","level":2,"score":0.5813000202178955},{"id":"https://openalex.org/C64869954","wikidata":"https://www.wikidata.org/wiki/Q1859747","display_name":"False positive paradox","level":2,"score":0.5389000177383423},{"id":"https://openalex.org/C19768560","wikidata":"https://www.wikidata.org/wiki/Q320727","display_name":"Dependency (UML)","level":2,"score":0.4408999979496002},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.4072999954223633},{"id":"https://openalex.org/C102379954","wikidata":"https://www.wikidata.org/wiki/Q2589940","display_name":"Call graph","level":2,"score":0.4032000005245209},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.374099999666214},{"id":"https://openalex.org/C29081049","wikidata":"https://www.wikidata.org/wiki/Q1364242","display_name":"Image stitching","level":2,"score":0.32989999651908875},{"id":"https://openalex.org/C112789634","wikidata":"https://www.wikidata.org/wiki/Q18207010","display_name":"False positives and false negatives","level":3,"score":0.3050999939441681},{"id":"https://openalex.org/C2984074130","wikidata":"https://www.wikidata.org/wiki/Q73539779","display_name":"R package","level":2,"score":0.30489999055862427},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.2955000102519989},{"id":"https://openalex.org/C48372109","wikidata":"https://www.wikidata.org/wiki/Q3913","display_name":"Binary number","level":2,"score":0.2784000039100647},{"id":"https://openalex.org/C34736171","wikidata":"https://www.wikidata.org/wiki/Q918333","display_name":"Preprocessor","level":2,"score":0.27720001339912415},{"id":"https://openalex.org/C152752567","wikidata":"https://www.wikidata.org/wiki/Q116877","display_name":"Code refactoring","level":3,"score":0.2768000066280365},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.272599995136261},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.2603999972343445},{"id":"https://openalex.org/C162319229","wikidata":"https://www.wikidata.org/wiki/Q175263","display_name":"Data structure","level":2,"score":0.25270000100135803}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.18693","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18693","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.18693","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18693","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Life in Land","score":0.4634573757648468,"id":"https://metadata.un.org/sdg/15"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Python":[0,30,40,134,151],"applications":[1],"depend":[2],"on":[3,16,149,188],"third-party":[4,159],"native":[5,26,58,160],"libraries":[6,84,98],"that":[7,81],"may":[8],"be":[9],"vendored":[10,57,83,97],"within":[11],"package":[12,88,105],"distributions":[13],"or":[14,90],"installed":[15],"the":[17],"host":[18],"system.":[19],"When":[20],"vulnerabilities":[21,55],"are":[22,32],"discovered":[23],"in":[24,56],"these":[25],"libraries,":[27],"determining":[28],"which":[29],"packages":[31,152,167,176],"affected":[33,177],"requires":[34],"analysis":[35,79,144,182],"across":[36,139],"ecosystem":[37],"boundaries,":[38,141],"from":[39,119,122],"dependency":[41,140,179],"graphs":[42,130,138],"to":[43,65,85,115,191,198,208,215],"OS":[44,72,87,104],"distribution":[45],"packages.":[46],"Current":[47],"vulnerability":[48,78],"scanners":[49],"produce":[50],"false":[51,61,184],"negatives":[52],"by":[53,63,71,131,186,196],"overlooking":[54],"libaries":[59],"and":[60,110,135,153,171,195],"positives":[62,185],"failing":[64],"account":[66],"for":[67,200],"security":[68],"patches":[69],"backported":[70],"distributions.":[73],"We":[74,125,162,203],"present":[75],"a":[76,100],"provenance-aware":[77],"approach":[80,95],"resolves":[82],"specific":[86],"versions":[89],"upstream":[91,123,192],"project":[92],"releases.":[93],"Our":[94,181],"queries":[96],"against":[99],"database":[101],"of":[102,145],"historical":[103],"artifacts":[106],"using":[107],"content-based":[108],"hashing,":[109],"applies":[111],"library-specific":[112],"dynamic":[113],"analyses":[114],"extract":[116],"version":[117,193],"information":[118],"binaries":[120],"built":[121],"source.":[124],"then":[126],"construct":[127],"cross-ecosystem":[128],"call":[129,137],"stitching":[132],"together":[133],"binary":[136],"enabling":[142],"reachability":[143],"vulnerable":[146,166,174],"functions.":[147],"Evaluating":[148],"100,000":[150],"10":[154],"known":[155],"CVEs":[156],"associated":[157],"with":[158],"dependencies,":[161],"identify":[163],"39":[164],"directly":[165],"(47M+":[168],"monthly":[169],"downloads)":[170],"312":[172],"indirectly":[173],"client":[175],"through":[178],"chains.":[180],"reduces":[183],"52%":[187],"average":[189],"compared":[190],"matching,":[194],"up":[197],"97%":[199],"heavily-patched":[201],"libraries.":[202],"responsibly":[204],"disclosed":[205],"all":[206],"findings":[207],"maintainers;":[209],"54":[210],"issues":[211],"have":[212],"been":[213],"fixed":[214],"date.":[216]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-03-21T00:00:00"}