Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation

Raducu, Razvan; Esteban, Gonzalo; Lera, Francisco Javier Rodríguez; Fernández, Camino

doi:10.3390/app10041270

Cited by 8 publications

(5 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Raducu et al [14] emphasize that different machine learning techniques have emerged and developed to detect security vulnerabilities. However, they point out that the performance of these algorithms require data driven engines that rely on processing large amounts of data known as data sets.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Comparison and Analysis of Software Vulnerability Databases

KEKÜL¹,

Ergen²,

Arslan³

2022

IJEM

View full text Add to dashboard Cite

In order to protect information systems against threats and vulnerabilities, security breaches should be analyzed. In this case, analysts primarily conduct intelligence research through open source systems. In particular, vulnerability databases stand out as the most preferred references at this stage. At this point, our study will be the main reference for the verification of vulnerability analysis. It will assist in the planning of testing processes, patches and updates in the development of software. Moreover, it will create a perspective in this field, enabling readers to understand the concept of software security and databases. In addition to unique advantages of this diversity, this has also led to some disadvantages. Our study focused on the reasons behind the creation of different databases. In addition, its advantages and disadvantages have been clearly demonstrated. First, the databases used were determined by examining the academic studies in the field of software security vulnerabilities. Twelve different databases used in the literature were identified. However, among these, the ones that are current and accessible to researchers were selected. As a result of this screening process, seven different databases were included in this study. The determined databases were examined in detail and explained. Then, databases were compared according to certain criteria. The data obtained as a result of the comparison are presented in detail. In this study, a systematic review of up-to-date and accessible vulnerability databases that are widely used in the literature is presented to help researchers decide which database to use.

show abstract

Section: Related Workmentioning

confidence: 99%

“…However, as can be understood from the literature reviews, it is clear that in order to achieve high performance, it is necessary to use structured and extracted data sets in studies. [7,10,11,14,15]. The NVD data set, which dominates the field, cannot ensure this due to its structure.…”

Section: Related Workmentioning

confidence: 99%

Comparison and Analysis of Software Vulnerability Databases

KEKÜL¹,

Ergen²,

Arslan³

2022

IJEM

View full text Add to dashboard Cite

show abstract

“…SVCP4C (SonarCloud Vulnerable Code Prospector for C) is an online tool for collecting vulnerable source code from opensource repositories linked to SonarCloud. The tool performs static analysis and labels the potentially vulnerable source code at the file level [20]. The Devign [21] dataset includes four real-world open-source C/C++ projects, Linux, FFmpeg, Qemu and Wireshark, where the labeling is performed using security-related keyword filtering.…”

Section: Related Workmentioning

confidence: 99%

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software

Bhandari

Naseer

Moonen

2021

Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering

View full text Add to dashboard Cite

Data-driven research on the automated discovery and repair of security vulnerabilities in source code requires comprehensive datasets of real-life vulnerable code and their fixes. To assist in such research, we propose a method to automatically collect and curate a comprehensive vulnerability dataset from Common Vulnerabilities and Exposures (CVE) records in the public National Vulnerability Database (NVD). We implement our approach in a fully automated dataset collection tool and share an initial release of the resulting vulnerability dataset named CVEfixes.The CVEfixes collection tool automatically fetches all available CVE records from the NVD, gathers the vulnerable code and corresponding fixes from associated open-source repositories, and organizes the collected information in a relational database. Moreover, the dataset is enriched with meta-data such as programming language, and detailed code and security metrics at five levels of abstraction. The collection can easily be repeated to keep up-todate with newly discovered or patched vulnerabilities. The initial release of CVEfixes spans all published CVEs up to 9 June 2021, covering 5365 CVE records for 1754 open-source projects that were addressed in a total of 5495 vulnerability fixing commits.CVEfixes supports various types of data-driven software security research, such as vulnerability prediction, vulnerability classification, vulnerability severity prediction, analysis of vulnerabilityrelated code changes, and automated vulnerability repair. CCS CONCEPTS• Security and privacy → Software and application security; Vulnerability management; • Software and its engineering → Software defect analysis; Software libraries and repositories.

show abstract

“…Raducu vd. (Raducu et al 2020), güvenlik açıklarını tespit etmek için farklı makine öğrenimi tekniklerinin ortaya çıktığını ve geliştirildiğini vurgulanmaktadır. Ancak, bu algoritmaların performanslarının veri kümeleri olarak bilinen çok miktarda verinin işlenmesine dayanan veri güdümlü motorlara ihtiyaç duyduğunu belirtmektedir.…”

Section: Introductionunclassified

“…Son yıllarda yapılan çalışmalar makine öğrenmesi temelli yaklaşımların kullanımı tavsiye etmektedir. Ancak literatür incelemelerinden de anlaşılacağı üzere yüksek başarım elde edilebilmesi için çalışmalarda yapılandırılmış ve özellikleri çıkarılmış veri setlerinin kullanılmasına ihtiyaç olduğu açıktır (Ghaffarian and Shahriari 2017;Miyamoto, Yamamoto, and Nakayama 2017;Raducu et al 2020;Theisen and Williams 2020;Wu et al 2020). Alana yön veren NVD veri seti yapısı itibari ile bunu sağlayamamaktadır.…”

Section: Introductionunclassified

Yazılım Güvenlik Açığı Veri Tabanları

Kekül¹,

Ergen²,

Arslan³

2021

European Journal of Science and Technology

View full text Add to dashboard Cite

ÖzBir yazılım bileşeninin güvenlik açığı eğiliminin öngörülmesi, yazılım mühendisliğinin zorlayıcı araştırma alanlarından biridir. Bir bileşenin güvenlik açığı eğilimi hakkında önceden bilgi sahibi olmak, test çabasını ve süreyi önemli ölçüde azaltabilir. Yazılım güvenlik açıklarının belirlenmesi ve sınıflandırılması geliştiricilere yazılımın geliştirilmesinde doğru karar verme noktasında yardımcı olacaktır. Bu sebeple yazılımlarda tespit edilen açıklar çok uzun zamandır veri tabanlarına kaydedilmektedir. Farklı araştırma grupları tarafından pek çok veri tabanı oluşmuştur. Bu çeşitlilik her veri tabanına kendi içinde avantajlar ve dezavantajlar sağlamıştır. Bu çalışmada araştırmacıların çalışmalarında hangi veri tabanını kullanacaklarına karar vermelerine yardımcı olmak ve literatürde kullanılan en güncel ve erişime açık olanların sistematik bir listesi oluşturulmuştur. Yazılım güvenlik açığı tespiti ve sınıflandırmasında kullanan birçok farklı veri tabanının incelenmesi ve karşılaştırması yer almaktadır. Çalışmanın sonunda sonuçlar sunulmuş ve gelecekteki çalışmalar için yönlendirici tavsiyeler verilmiştir.

show abstract

Collecting Vulnerable Source Code from Open-Source Repositories for Dataset Generation

Cited by 8 publications

References 40 publications

Comparison and Analysis of Software Vulnerability Databases

Comparison and Analysis of Software Vulnerability Databases

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software

Yazılım Güvenlik Açığı Veri Tabanları

Contact Info

Product

Resources

About