Paper accepted at IEEE Transactions on Software Engineering
Together with SAP we investigated the current practice of open-source software reuse, both at SAP and in open-source projects. We found that more than 87% of the dependencies at SAP (and 56% in the open-source projects, respectively) were re-bundled or re-packaged. This is a major barrier for current open-source dependency vulnerability scanners, since they cannot identify such re-bundled dependencies correctly and therefore miss the vulnerabilities they carry. We evaluated this hypothesis using several open-source and commercial vulnerability scanners.
The IEEE Transactions on Software Engineering journal is a premier publication venue for software systems research in computer science. With an h5-index of 59 and an impact factor of 6.226 it is the 3rd ranked publication venue in software system research according to Google Scholar.
Identifying Challenges for OSS Vulnerability Scanners - A Study & Test Suite
Andreas Dann, Henrik Plate, Ben Hermann, Serena Elisa Ponta, and Eric Bodden
In IEEE Transactions on Software Engineering
DOI: https://doi.org/10.1109/TSE.2021.3101739
Artifact: https://github.com/secure-software-engineering/achilles-benchmark-depscanners