short-paper

VulinOSS: a dataset of security vulnerabilities in open-source systems

Authors:

Antonios Gkortzis,

Dimitris Mitropoulos,

Diomidis SpinellisAuthors Info & Claims

MSR '18: Proceedings of the 15th International Conference on Mining Software Repositories

Pages 18 - 21

https://doi.org/10.1145/3196398.3196454

Published: 28 May 2018 Publication History

Get Access

Abstract

Examining the different characteristics of open-source software in relation to security vulnerabilities, can provide the research community with findings that can lead to the development of more secure systems. We present a dataset where the reported vulnerabilities of 8694 open-source project versions, can be correlated with the corresponding source code and a number of software metrics. The metrics were obtained by analyzing the project's source code via well-established tools. Apart from commonly used metrics (e.g. loc), we also provide data related to modern development trends such as continuous integration and testing. We outline motivational examples based on the dataset we describe.

References

[1]

Moritz Beller, Georgios Gousios, and Andy Zaidman. 2017. TravisTorrent: Synthesizing Travis CI and GitHub for Full-Stack Research on Continuous Integration. In Proceedings of the 14th working conference on mining software repositories.

Digital Library

Google Scholar

[2]

Nigel Edwards and Liqun Chen. 2012. An historical examination of open source releases and their vulnerabilities. In Proceedings of the 2012 ACM conference on Computer and communications security (CCS '12). ACM, New York, NY, USA, 183--194.

Digital Library

Google Scholar

[3]

Georgios Gousios. 2013. The GHTorrent dataset and tool suite. In Proceedings of the 10th Working Conference on Mining Software Repositories (MSR '13). 233--236. /pub/ghtorrent-dataset-toolsuite.pdf Best data showcase paper award.

Digital Library

Google Scholar

[4]

Fabio Massacci, Stephan Neuhaus, and Viet Hung Nguyen. 2011. After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes. In Proceedings of the Third international conference on Engineering secure software and systems (ESSoS'11). Springer-Verlag, Berlin, Heidelberg, 195--208.

Digital Library

Google Scholar

[5]

Andrew Meneely, Alberto C. Rodriguez Tejeda, Brian Spates, Shannon Trudeau, Danielle Neuberger, Katherine Whitlock, Christopher Ketant, and Kayla Davis. 2014. An Empirical Investigation of Socio-technical Code Review Metrics and Security Vulnerabilities. In Proceedings of the 6th International Workshop on Social Software Engineering (SSE 2014). ACM, New York, NY, USA, 37--44.

Digital Library

Google Scholar

[6]

Dimitris Mitropoulos, Vassilios Karakoidas, Panos Louridas, Georgios Gousios, and Diomidis Spinellis. 2014. The Bug Catalog of the Maven Ecosystem. In Proceedings of the 11th Working Conference on Mining Software Repositories (MSR 2014). ACM, New York, NY, USA, 372--375.

Digital Library

Google Scholar

[7]

Nuthan Munaiah, Steven Kroh, Craig Cabrey, and Meiyappan Nagappan. 2017. Curating GitHub for engineered software projects. Empirical Software Engineering 22, 6 (Dec. 2017), 3219--3253.

Digital Library

Google Scholar

[8]

Andy Ozment and Stuart E. Schechter. 2006. Milk or wine: does software security improve with age?. In Proceedings of the 15th conference on USENIX Security Symposium - Volume 15 (USENIX-SS'06). USENIX Association, Berkeley, CA, USA.

Digital Library

Google Scholar

[9]

Bogdan Vasilescu, Yue Yu, Huaimin Wang, Premkumar Devanbu, and Vladimir Filkov. 2015. Quality and Productivity Outcomes Relating to Continuous Integration in GitHub. In Proceedings of the 2015 10th Joint Meeting on Foundations of Software Engineering (ESEC/FSE 2015). ACM, 805--816.

Digital Library

Google Scholar

Cited By

View all

Broneske DKittan SKrüger J(2024)Sharing Software-Evolution Datasets: Practices, Challenges, and RecommendationsProceedings of the ACM on Software Engineering10.1145/36607981:FSE(2051-2074)Online publication date: 12-Jul-2024
https://doi.org/10.1145/3660798
Liu TJi WDong XYao WWang YLiu HPeng HWang YRoychoudhury APaiva AAbreu RStorey M(2024)JLeaks: A Featured Resource Leak Repository Collected From Hundreds of Open-Source Java ProjectsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639162(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639162
Al Debeyan FMadeyski LHall TBowes D(2024)The impact of hard and easy negative training data on vulnerability prediction performanceJournal of Systems and Software10.1016/j.jss.2024.112003211:COnline publication date: 2-Jul-2024
https://dl.acm.org/doi/10.1016/j.jss.2024.112003
Show More Cited By

Index Terms

VulinOSS: a dataset of security vulnerabilities in open-source systems
1. Security and privacy
  1. Software and application security
2. Software and its engineering
  1. Software creation and management
    1. Collaboration in software development
      1. Open source model
    2. Software verification and validation
      1. Software defect analysis

Recommendations

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software
PROMISE 2021: Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering

Data-driven research on the automated discovery and repair of security vulnerabilities in source code requires comprehensive datasets of real-life vulnerable code and their fixes. To assist in such research, we propose a method to automatically collect ...
The extent of orphan vulnerabilities from code reuse in open source software
ICSE '22: Proceedings of the 44th International Conference on Software Engineering

Motivation: A key premise of open source software is the ability to copy code to other open source projects (white-box reuse). Such copying accelerates development of new projects, but the code flaws in the original projects, such as vulnerabilities, may ...
Managing module dependencies to facilitate continuous testing

Developing large commercial software systems is complex. Techniques have been proposed to deal with such large-scale systems development. One approach that has had some success is the combination of continuous integration and unit testing. Large systems ...

Comments

Information & Contributors

Information

Published In

MSR '18: Proceedings of the 15th International Conference on Mining Software Repositories

May 2018

627 pages

ISBN:9781450357166

DOI:10.1145/3196398

General Chair:
Andy Zaidman
Delft University of Technology, Netherlands
,
Program Chairs:
Yasutaka Kamei
Kyushu University, Japan
,
Emily Hill
Drew University

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 May 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Short-paper

Conference

ICSE '18

Sponsor:

SIGSOFT
IEEE-CS

ICSE '18: 40th International Conference on Software Engineering

May 28 - 29, 2018

Gothenburg, Sweden

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

46
Total Citations
View Citations
760
Total Downloads

Downloads (Last 12 months)126
Downloads (Last 6 weeks)9

Reflects downloads up to 30 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Broneske DKittan SKrüger J(2024)Sharing Software-Evolution Datasets: Practices, Challenges, and RecommendationsProceedings of the ACM on Software Engineering10.1145/36607981:FSE(2051-2074)Online publication date: 12-Jul-2024
https://doi.org/10.1145/3660798
Liu TJi WDong XYao WWang YLiu HPeng HWang YRoychoudhury APaiva AAbreu RStorey M(2024)JLeaks: A Featured Resource Leak Repository Collected From Hundreds of Open-Source Java ProjectsProceedings of the IEEE/ACM 46th International Conference on Software Engineering10.1145/3597503.3639162(1-13)Online publication date: 20-May-2024
https://dl.acm.org/doi/10.1145/3597503.3639162
Al Debeyan FMadeyski LHall TBowes D(2024)The impact of hard and easy negative training data on vulnerability prediction performanceJournal of Systems and Software10.1016/j.jss.2024.112003211:COnline publication date: 2-Jul-2024
https://dl.acm.org/doi/10.1016/j.jss.2024.112003
Esposito MFalessi D(2024)VALIDATEInformation and Software Technology10.1016/j.infsof.2024.107448170:COnline publication date: 9-Jul-2024
https://dl.acm.org/doi/10.1016/j.infsof.2024.107448
Nie XLi NWang KWang SLuo XWang HJust RFraser G(2023)Understanding and Tackling Label Errors in Deep Learning-Based Vulnerability Detection (Experience Paper)Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis10.1145/3597926.3598037(52-63)Online publication date: 12-Jul-2023
https://dl.acm.org/doi/10.1145/3597926.3598037
Zuo FRhee JKim YOh JQian G(2023)A Comprehensive Dataset Towards Hands-on Experience Enhancement in a Research-Involved Cybersecurity ProgramProceedings of the 24th Annual Conference on Information Technology Education10.1145/3585059.3611416(118-124)Online publication date: 11-Oct-2023
https://dl.acm.org/doi/10.1145/3585059.3611416
Okutan AMell PMirakhorli MKhokhlov ISantos JGonzalez DSimmons S(2023)Empirical Validation of Automated Vulnerability Curation and CharacterizationIEEE Transactions on Software Engineering10.1109/TSE.2023.325047949:5(3241-3260)Online publication date: 1-May-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3250479
Chen ZKommrusch SMonperrus M(2023)Neural Transfer Learning for Repairing Security Vulnerabilities in C CodeIEEE Transactions on Software Engineering10.1109/TSE.2022.314726549:1(147-165)Online publication date: 1-Jan-2023
https://doi.org/10.1109/TSE.2022.3147265
Sadman NHasan KRashno EAlaca FTian YZulkernine F(2023)Vulnerability of Open-Source Face Recognition Systems to Blackbox Attacks: A Case Study with InsightFace2023 IEEE Symposium Series on Computational Intelligence (SSCI)10.1109/SSCI52147.2023.10371801(1164-1169)Online publication date: 5-Dec-2023
https://doi.org/10.1109/SSCI52147.2023.10371801
Fourné MWermke DEnck WFahl SAcar Y(2023)It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179320(1527-1544)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179320
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

CVEfixes: automated collection of vulnerabilities and their fixes from open-source software

The extent of orphan vulnerabilities from code reuse in open source software

Managing module dependencies to facilitate continuous testing