🤖 AI Summary
This study addresses the critical issue of inconsistent results from open-source software vulnerability scanners, which significantly hinders informed supply chain security decisions. The work proposes a novel conceptual framework that characterizes the information flows and root causes of inconsistency within the open-source vulnerability ecosystem, modeling vulnerability management as a distributed information transformation process encompassing creation, standardization, enrichment, and contextual interpretation. By integrating multiple vulnerability data standards and real-world case studies, the analysis systematically identifies four core challenges—identity modeling, version semantics, temporal evolution, and contextual assessment—that underlie result discrepancies. This framework establishes a theoretical foundation and offers practical guidance for reproducible evaluation, accurate interpretation of scanner outputs, and dynamic vulnerability knowledge management.
📝 Abstract
Identifying known software vulnerabilities is a central task in software supply chain security management. Although publicly available vulnerability information is based on shared standards, different vulnerability scanners often report divergent results for identical software inventories. These differences do not arise solely from individual data sources or scanner implementations. They can emerge at several stages of the open-source vulnerability ecosystem. This paper presents a conceptual framework that describes vulnerability management as a distributed process of information exchange and transformation. It traces vulnerability information from its creation and standardization through enrichment to context-dependent interpretation. The analysis identifies heterogeneous information sources, divergent identity and version models, temporal change, and context-dependent assessment as major causes of inconsistent scanner findings. It then discusses the implications for interpreting analysis results, designing reproducible evaluation methods, and handling dynamic vulnerability knowledge in practice.