Dataset Open Access
CVEfixes Dataset: Automatically Collected Vulnerabilities and Their Fixes from Open-Source Software
Moonen, Leon;
Vidziunas, Linas
CVEfixes is a comprehensive vulnerability dataset that is automatically collected and curated from Common Vulnerabilities and Exposures (CVE) records in the public U.S. National Vulnerability Database (NVD). The goal is to support data-driven security research based on source code and source code metrics related to fixes for CVEs in the NVD by providing detailed information at different interlinked levels of abstraction, such as the commit-, file-, and method level, as well as the repository- and CVE level.
This release, v1.0.7, covers all published CVEs up to 27 August 2022. All open-source projects that were reported in CVE records in the NVD in this time frame _and_ had publicly available git repositories were fetched and considered for the construction of this vulnerability dataset. The dataset is organized as a relational database and covers 7798 vulnerability fixing commits in 2487 open source projects for a total of 7637 CVEs in 209 different Common Weakness Enumeration (CWE) types. The dataset includes the source code before and after changing 29309 files and 98250 functions.
This repository includes the SQL dump of the dataset, as well as the JSON for the CVEs and XML of the CWEs at the time of collection. The complete process has been documented in the paper "CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software", which is published in the Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21). You will find a copy of the paper in the Doc folder.
Citation and Zenodo links
Please cite this work by referring to the published paper:
- Guru Bhandari, Amara Naseer, and Leon Moonen. 2021. CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software. In Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21). ACM, 10 pages. https://doi.org/10.1145/3475960.3475985
@inproceedings{bhandari2021:cvefixes,
title = {{CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software}},
booktitle = {{Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21)}},
author = {Bhandari, Guru and Naseer, Amara and Moonen, Leon},
year = {2021},
pages = {10},
publisher = {{ACM}},
doi = {10.1145/3475960.3475985},
copyright = {Open Access},
isbn = {978-1-4503-8680-7},
language = {en}
}The dataset has been released on Zenodo with DOI:10.5281/zenodo.4476563. The GitHub repository containing the code to automatically collect the dataset can be found at https://github.com/secureIT-project/CVEfixes, released with DOI:10.5281/zenodo.5111494.
| Name | Size | |
|---|---|---|
|
CVEfixes_v1.0.7.zip
md5:d7c90e1b3fc9b7969c7ff9ea14081145 |
3.9 GB | Download |
| All versions | This version | |
|---|---|---|
| Views | 3,154 | 588 |
| Downloads | 1,128 | 421 |
| Data volume | 2.4 TB | 1.6 TB |
| Unique views | 2,649 | 485 |
| Unique downloads | 790 | 273 |
- Publication date:
- August 28, 2022
- DOI:
-
- Keyword(s):
- security vulnerabilities dataset source code security metrics vulnerability identification vulnerability repair
- Meeting:
- 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE), Athens, Greece, 19-20 August 2021
- Related identifiers:
- Compiled by
- 10.5281/zenodo.5111494 (Software)
- Documented by
- 10.1145/3475960.3475985 (Conference paper)
- Communities:
- License (for files):
- Creative Commons Attribution 4.0 International