{"id":"https://openalex.org/W4417056127","doi":"https://doi.org/10.48550/arxiv.2503.24273","title":"Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability","display_name":"Generating Mitigations for Downstream Projects to Neutralize Upstream Library Vulnerability","publication_year":2025,"publication_date":"2025-03-31","ids":{"openalex":"https://openalex.org/W4417056127","doi":"https://doi.org/10.48550/arxiv.2503.24273"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2503.24273","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2503.24273","pdf_url":"https://arxiv.org/pdf/2503.24273","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2503.24273","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5067970007","display_name":"Zirui Chen","orcid":"https://orcid.org/0009-0004-6236-9150"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Chen, Zirui","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5047688641","display_name":"Xing Hu","orcid":"https://orcid.org/0000-0003-0093-3292"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Hu, Xing","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Sun, Puhua","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Sun, Puhua","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101873167","display_name":"Xin Xia","orcid":"https://orcid.org/0000-0002-5108-7578"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Xia, Xin","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5026311099","display_name":"Xiaohu Yang","orcid":"https://orcid.org/0000-0003-3997-4606"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Yang, Xiaohu","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5067970007"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.24660000205039978,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12479","display_name":"Web Application Security Vulnerabilities","score":0.24660000205039978,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.23849999904632568,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.2214999943971634,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.75},{"id":"https://openalex.org/keywords/workaround","display_name":"Workaround","score":0.5759999752044678},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.5019999742507935},{"id":"https://openalex.org/keywords/downstream","display_name":"Downstream (manufacturing)","score":0.5009999871253967},{"id":"https://openalex.org/keywords/upstream","display_name":"Upstream (networking)","score":0.41819998621940613},{"id":"https://openalex.org/keywords/source-code","display_name":"Source code","score":0.38429999351501465},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.3781000077724457},{"id":"https://openalex.org/keywords/baseline","display_name":"Baseline (sea)","score":0.353300005197525}],"concepts":[{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.75},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6097000241279602},{"id":"https://openalex.org/C194541083","wikidata":"https://www.wikidata.org/wiki/Q457174","display_name":"Workaround","level":2,"score":0.5759999752044678},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.5019999742507935},{"id":"https://openalex.org/C2776207758","wikidata":"https://www.wikidata.org/wiki/Q5303302","display_name":"Downstream (manufacturing)","level":2,"score":0.5009999871253967},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4900999963283539},{"id":"https://openalex.org/C191172861","wikidata":"https://www.wikidata.org/wiki/Q7899321","display_name":"Upstream (networking)","level":2,"score":0.41819998621940613},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.38429999351501465},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.3781000077724457},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.3596000075340271},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.353300005197525},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.3490000069141388},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.3440000116825104},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.33799999952316284},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.3321000039577484},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.32580000162124634},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2955000102519989},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.29030001163482666},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.28380000591278076},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.271699994802475},{"id":"https://openalex.org/C184356942","wikidata":"https://www.wikidata.org/wiki/Q830382","display_name":"Best practice","level":2,"score":0.26840001344680786},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.25859999656677246},{"id":"https://openalex.org/C2780267512","wikidata":"https://www.wikidata.org/wiki/Q6997828","display_name":"Nestedness","level":3,"score":0.25189998745918274}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2503.24273","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2503.24273","pdf_url":"https://arxiv.org/pdf/2503.24273","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2503.24273","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2503.24273","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2503.24273","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2503.24273","pdf_url":"https://arxiv.org/pdf/2503.24273","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Third-party":[0],"libraries":[1,22],"are":[2],"essential":[3,156],"in":[4,43,119,188],"software":[5],"development":[6],"as":[7],"they":[8],"prevent":[9],"the":[10,51,56,60,65,150,159,181,202],"need":[11],"for":[12,92],"developers":[13],"to":[14,26,31,37,76,96,115,130,162,200],"recreate":[15],"existing":[16,128],"functionalities.":[17],"However,":[18],"vulnerabilities":[19,39,83,118,190],"within":[20],"these":[21],"pose":[23],"significant":[24],"risks":[25],"dependent":[27],"projects.":[28,121],"Upgrading":[29],"dependencies":[30],"secure":[32],"versions":[33],"is":[34,62,90,142],"not":[35],"feasible":[36],"neutralize":[38],"without":[40,84,191],"patches":[41,89],"or":[42],"projects":[44],"with":[45],"specific":[46],"version":[47],"requirements.":[48],"Moreover,":[49],"repairing":[50],"vulnerability":[52,68,151,160],"proves":[53],"challenging":[54],"when":[55],"source":[57,85],"code":[58,86],"of":[59,168,174,180],"library":[61,82,117],"inaccessible.":[63],"Both":[64],"state-of-the-art":[66],"automatic":[67,71],"repair":[69,73],"and":[70,87,106,154,208],"program":[72],"methods":[74],"fail":[75],"address":[77],"this":[78,110],"issue.":[79],"Therefore,":[80],"mitigating":[81,178],"available":[88],"crucial":[91],"a":[93,124,132,139],"swift":[94],"response":[95],"potential":[97],"security":[98],"attacks.":[99],"Existing":[100],"tools":[101],"encounter":[102],"challenges":[103],"concerning":[104],"generalizability":[105],"functional":[107],"security.":[108],"In":[109,136],"study,":[111],"we":[112,126,144,195],"introduce":[113],"LUMEN":[114,169],"mitigate":[116],"impacted":[120,172],"Upon":[122],"disclosing":[123],"vulnerability,":[125],"retrieve":[127],"workarounds":[129],"gather":[131],"resembling":[133,140,206],"mitigation":[134,164],"strategy.":[135],"cases":[137],"where":[138],"strategy":[141],"absent,":[143],"propose":[145],"type-based":[146,209],"strategies":[147,207],"based":[148],"on":[149],"reproducing":[152],"behavior":[153],"extract":[155],"information":[157],"from":[158],"report":[161],"guide":[163],"generation.":[165],"Our":[166],"assessment":[167],"spans":[170],"121":[171],"functions":[173],"40":[175],"vulnerabilities,":[176],"successfully":[177],"70.2%":[179],"functions,":[182],"which":[183],"substantially":[184],"outperforms":[185],"our":[186,205],"baseline":[187],"neutralizing":[189],"functionality":[192],"loss.":[193],"Additionally,":[194],"conduct":[196],"an":[197],"ablation":[198],"study":[199],"validate":[201],"rationale":[203],"behind":[204],"strategies.":[210]},"counts_by_year":[],"updated_date":"2026-04-21T08:09:41.155169","created_date":"2025-10-10T00:00:00"}