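% The proceedings publisher is recorded in "publisher"; "organization" is the field for a sponsoring body.
@inproceedings{reid2021tracing,
  author    = {Reid, David and Eng, Kalvin and Bogart, Chris and Tutko, Adam},
  title     = {Tracing Vulnerable Code Lineage},
  booktitle = {2021 IEEE/ACM 18th International Conference on Mining Software Repositories (MSR)},
  pages     = {621--623},
  year      = {2021},
  publisher = {IEEE},
}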
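% NOTE(review): volume, number and pages (or article number) are not recorded here; add them from the publisher's record.
% The publisher name and its city are kept in separate fields.
@article{dusing2021analyzing,
  author    = {D{\"u}sing, Johannes and Hermann, Ben},
  title     = {Analyzing the Direct and Transitive Impact of Vulnerabilities onto Different Artifact Repositories},
  journal   = {Digital Threats: Research and Practice},
  year      = {2021},
  publisher = {ACM},
  address   = {New York, NY},
}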
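@article{kula2018developers,
  author    = {Kula, Raula Gaikovina and German, Daniel M. and Ouni, Ali and Ishio, Takashi and Inoue, Katsuro},
  title     = {Do developers update their library dependencies?},
  journal   = {Empirical Software Engineering},
  volume    = {23},
  number    = {1},
  pages     = {384--417},
  year      = {2018},
  publisher = {Springer},
}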
@inproceedings{pashchenko2018vulnerable,
  author    = {Pashchenko, Ivan and Plate, Henrik and Ponta, Serena Elisa and Sabetta, Antonino and Massacci, Fabio},
  title     = {Vulnerable open source dependencies: Counting those that matter},
  booktitle = {Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement},
  pages     = {1--10},
  year      = {2018},
}
@inproceedings{pashchenko2020qualitative,
  author    = {Pashchenko, Ivan and Vu, Duc-Ly and Massacci, Fabio},
  title     = {A qualitative study of dependency management and its security implications},
  booktitle = {Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security},
  pages     = {1513--1531},
  year      = {2020},
}
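% The conference name is capitalised as a proper name, matching the MSR venue spelling in reid2021tracing.
@inproceedings{decan2018impact,
  author    = {Decan, Alexandre and Mens, Tom and Constantinou, Eleni},
  title     = {On the impact of security vulnerabilities in the npm package dependency network},
  booktitle = {Proceedings of the 15th International Conference on Mining Software Repositories},
  pages     = {181--191},
  year      = {2018},
}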
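% "Python" is brace-protected so that sentence-casing styles keep the capital;
% the proceedings publisher is recorded in "publisher" rather than "organization".
@inproceedings{alfadel2021empirical,
  author    = {Alfadel, Mahmoud and Costa, Diego Elias and Shihab, Emad},
  title     = {Empirical analysis of security vulnerabilities in {Python} packages},
  booktitle = {2021 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)},
  pages     = {446--457},
  year      = {2021},
  publisher = {IEEE},
}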
@inproceedings{zimmermann2019small,
  author    = {Zimmermann, Markus and Staicu, Cristian-Alexandru and Tenny, Cam and Pradel, Michael},
  title     = {Small world with high risks: A study of security threats in the npm ecosystem},
  booktitle = {28th USENIX Security Symposium (USENIX Security 19)},
  pages     = {995--1010},
  year      = {2019},
}
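% Second definition of kula2018developers removed: the key is already defined earlier in this file,
% and a repeated key makes BibTeX report "Repeated entry" (Biber flags it as a duplicate).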
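% NOTE(review): pages = {10} looks like a page count rather than a page range; confirm against the DOI record.
% Only the case-sensitive tokens are brace-protected; the whole-field double braces were dropped so
% the bibliography style can apply its own casing.
@inproceedings{bhandari2021:cvefixes,
  author    = {Bhandari, Guru and Naseer, Amara and Moonen, Leon},
  title     = {{CVEfixes}: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software},
  booktitle = {Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering ({PROMISE} '21)},
  pages     = {10},
  year      = {2021},
  publisher = {ACM},
  doi       = {10.1145/3475960.3475985},
  isbn      = {978-1-4503-8680-7},
  copyright = {Open Access},
  language  = {en},
}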
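% The stray space in "(un) reliability" is removed and the symposium name is capitalised as a proper name.
@inproceedings{nguyen2013reliability,
  author    = {Nguyen, Viet Hung and Massacci, Fabio},
  title     = {The (un)reliability of {NVD} vulnerable versions data: An empirical experiment on {Google Chrome} vulnerabilities},
  booktitle = {Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security},
  pages     = {493--498},
  year      = {2013},
}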