Differences

This shows you the differences between two versions of the page.

--- vulnerability_discovery_models [2018/08/31 11:29]
ivan.pashchenko@unitn.it Added paper from WEIS
+++ vulnerability_discovery_models [2025/01/28 00:47] (current)
fabio.massacci@unitn.it
@@ Line 18: / Line 18: @@
 Vulnerable dependencies are a known problem in today’s open-source software ecosystems because FOSS libraries are highly interconnected and developers do not always update their dependencies.
-In {{https://drive.google.com/file/d/1IewO3T_cZuz2GkRctDJYvyMJAqXxTamc/view?usp=sharing|our recent paper}} we show how to avoid the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, satisfy the needs of industrial practice for correct allocation of development and audit resources.
+You may want to read first a thematic analysis study ({{:research_activities:vulnerability-analysis:ccs-2020-aam.pdf|Accepted in CCS}}) in which we interviewed 25 developers all over the world provide some important insight in the choice of company to update or not update the software.
+In {{:research_activities:vulnerability-analysis:pashchenko-vuln4real.pdf |TSE 2020 Paper}} we show how to avoid the over-inflation problem of academic and industrial approaches for reporting vulnerable dependencies in FOSS software, and therefore, satisfy the needs of industrial practice for correct allocation of development and audit resources.
 To achieve this, we carefully analysed the deployed dependencies, aggregated dependencies by their projects, and distinguished halted dependencies. All this allowed us to obtain a counting method that avoids over-inflation.

DISI Security Research Group Wiki

User Tools

Site Tools

Differences

Page Tools