A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries

March 25, 2021 · View on GitHub

1 . Data Description

  • CVE entries in our dataset cover the period from 2002 to 2019, each consisting of 21 features. Each feature's name and corresponding column name in the CSV file are explained in the following table. The dataset is released as comma-separated values(CSV) format (all_c_cpp_release2.0.csv).
FeaturesColumn Name in the CSVDescription
Access Complexityaccess_complexityReflects the complexity of the attack required to exploit the software feature misuse vulnerability
Authentication Requiredauthentication_requiredIf authentication is required to exploit the vulnerability
Availability Impactavailability_impactMeasures the potential impact to availability of a successfully exploited misuse vulnerability
Commit IDcommit_idCommit ID in code repository, indicating a mini-version
Commit Messagecommit_messageCommit message from developer
Confidentiality Impactconfidentiality_impactMeasures the potential impact on confidentiality of a successfully exploited misuse vulnerability
CWE IDcwe_idCommon Weakness Enumeration ID
CVE IDcve_idCommon Vulnerabilities and Exposures ID
CVE Pagecve_pageCVE Details web page link for that CVE
CVE SummarysummaryCVE summary information
CVSS ScorescoreThe relative severity of software flaw vulnerabilities
Files Changedfiles_changedAll the changed files and corresponding patches
Integrity Impactintegrity_impactMeasures the potential impact to integrity of a successfully exploited misuse vulnerability\
Mini-version After Fixversion_after_fixMini-version ID after the fix
Mini-version Before Fixversion_before_fixMini-version ID before the fix
Programming LanguagelangProject programming language
ProjectprojectProject name
Publish Datepublish_datePublish date of the CVE
Reference Linkref_inkReference link in the CVE page
Update Dateupdate_dateUpdate date of the CVE
Vulnerability Classificationvulnerability_classificationVulnerability type

  • We used the code changes information(minned from commited version patches) to localize which lines of code in the files were modified. Taking modified lines between the two mini-versions as flaw lines, we split the functions in the modified files into vulnerable functions (if there were flaw lines modified in the function) and non-vulnerable functions.

  • The cleaned version of split functions is coming soon.

  • The cleaned version of split functions(CSV format) can be found at: https://drive.google.com/file/d/1-0VhnHBp9IGh90s2wCNjeCMuy70HPl8X/view?usp=sharing

    Some of the intermediary files in the data collecting and cleaning process can be found at:https://drive.google.com/file/d/1E95oVDSO0CfAAs-Q0yav2HBGLZQce_v2/view?usp=sharing

    Pandas is recommended (Python Package, like pandas.read_csv("filepath/file.csv") ) to work on the dataset.

    Also JSON format dataset can be found at: https://drive.google.com/file/d/1deNsPfeh77h1SHjJURYOeyCR96JgxB_A/view?usp=sharing

    • Split functions are released as comma-separated values(CSV) format:
    Column Name in the CSVDescription
    func_beforeThe function before the vulnerability being fixed(if "vul" labeled as "1", then this is the vulnerable function)
    func_afterThe function after the vulnerability being fixed
    lines_beforeThe modified lines in the founction before the vulnerability being fixed
    lines_afterThe modified lines in the founction after the vulnerability being fixed
    vul"1" means vulnerable function and "0" means non-vulnerable function
    vul_func_with_fixThe code comments showing how the vulnerability was fixed

2. HOW To Use The Scripts