Litcius/Paper detail

Building a Commit-level Dataset of Real-world Vulnerabilities

Alexis Challande, Robin David, Guénaël Renault

202213 citationsDOIOpen Access PDF

Abstract

While CVE have become a de facto standard for publishing advisories on vulnerabilities, the state of current CVE databases is lackluster. Yet, CVE advisories are insufficient to bridge the gap with the vulnerability artifacts in the impacted program. Therefore, the community is lacking a public real-world vulnerabilities dataset providing such association. In this paper, we present a method restoring this missing link by analyzing the vulnerabilities from the AOSP, an aggregate of more than 1,800 projects. It is the perfect target for building a representative dataset of vulnerabilities, as it covers the full spectrum that may be encountered in a modern system where a variety of low-level and higher-level components interact. More specifically, our main contribution is a dataset of more than 1,900 vulnerabilities, associating generic metadata (e.g. vulnerability type, impact level) with their respective patches at the commit granularity (e.g. fix commit-id, affected files, source code language). Finally, we also augment this dataset by providing precompiled binaries for a subset of the vulnerabilities. These binaries open various data usage, both for binary only analysis and at the interface between source and binary. In addition of providing a common baseline benchmark, our dataset release supports the community for data-driven software security research.

Topics & Concepts

Computer scienceCommitMetadataVulnerability (computing)Computer securityBenchmark (surveying)SoftwareBaseline (sea)DatabaseWorld Wide WebOperating systemGeodesyOceanographyGeologyGeographySoftware Engineering ResearchSoftware Reliability and Analysis ResearchAdvanced Malware Detection Techniques
Building a Commit-level Dataset of Real-world Vulnerabilities | Litcius