init commit

Author: gOATiful

.gitignore

@@ -0,0 +1,210 @@
+# File created using '.gitignore Generator' for Visual Studio Code: https://bit.ly/vscode-gig
+# Created by https://www.toptal.com/developers/gitignore/api/macos,python
+# Edit at https://www.toptal.com/developers/gitignore?templates=macos,python
+
+### macOS ###
+# General
+.DS_Store
+.AppleDouble
+.LSOverride
+
+# Icon must end with two \r
+Icon
+
+
+# Thumbnails
+._*
+
+# Files that might appear in the root of a volume
+.DocumentRevisions-V100
+.fseventsd
+.Spotlight-V100
+.TemporaryItems
+.Trashes
+.VolumeIcon.icns
+.com.apple.timemachine.donotpresent
+
+# Directories potentially created on remote AFP share
+.AppleDB
+.AppleDesktop
+Network Trash Folder
+Temporary Items
+.apdisk
+
+### macOS Patch ###
+# iCloud generated files
+*.icloud
+
+### Python ###
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/#use-with-ide
+.pdm.toml
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+### Python Patch ###
+# Poetry local configuration file - https://python-poetry.org/docs/configuration/#local-configuration
+poetry.toml
+
+# ruff
+.ruff_cache/
+
+# End of https://www.toptal.com/developers/gitignore/api/macos,python
+
+# Custom rules (everything added below won't be overriden by 'Generate .gitignore File' if you use 'Update' option)
+

README.md

@@ -0,0 +1,94 @@
+# Tool Assisted Manual Data Set on Vulnerability Introducing Commits
+
+Research in identifying vulnerabilities and the commits that introduce them is ongoing. However, many current methods rely heavily on automation, which can lead to a high rate of false positives and require significant error-checking. To address this issue, we developed a tool-assisted pipeline to manually review and examine vulnerabilities and their corresponding commits. Additionally, we collected relevant metadata such as modified lines of code, and the mapping of CVE and CWE categories. This data set can be used to validate automated methods like machine learning approaches.
+
+## Table of Contents
+
+- [Tool Assisted Manual Data Set on Vulnerability Introducing Commits](#tool-assisted-manual-data-set-on-vulnerability-introducing-commits)
+  - [Table of Contents](#table-of-contents)
+  - [Dataset Description](#dataset-description)
+    - [JSON Fields](#json-fields)
+    - [Example](#example)
+  - [Review Pipeline Instructions](#review-pipeline-instructions)
+    - [Prerequisites](#prerequisites)
+    - [Setup](#setup)
+    - [Usage](#usage)
+    - [Input Dataset](#input-dataset)
+
+[![DOI](https://zenodo.org/badge/587266310.svg)](https://zenodo.org/badge/latestdoi/587266310)
+
+## Dataset Description
+
+The complete dataset can be found [here](/dataset/).
+
+It is structured in an JSON file with the following fields:
+### JSON Fields
+| Fieldname | Brief |
+| --- | --- |
+|cwe| Common Weakness Enumeration ID |
+|introducing| Commit hash that introduces the vulnerability |
+|intro_stats| Number of lines added/deleted in the introducing commit |
+|intro_lines| Lines marked as vulnerable in the introducing commit |
+|fixing_stats| Number of lines added/deleted in the fixing commits |
+|fixing_lines| Lines marked as fixing the vulnerability in the fixing commit |
+|days_between| Days between the identified introducing and fixing commits |
+
+### Example
+```json
+{
+    "cve": "CVE-2019-11274",
+    "cwe": "CWE-79",
+    "repository": "https://github.com/cloudfoundry/uaa",
+    "fixing": [
+      "a34f55fc97a81966faf21e3ae404ec24f1f31cf7"
+    ],
+    "introducing": "bb8ff8f4e8969b46fdacffcd27781d223c8c7244",
+    "intro_stats": {
+      "bb8ff8f4e8969b46fdacffcd27781d223c8c7244": {
+        "add": 320,
+        "del": 7
+      }
+    },
+    "fixing_stats": {
+      "a34f55fc97a81966faf21e3ae404ec24f1f31cf7": {
+        "add": 68,
+        "del": 17
+      }
+    },
+    "days_between": 1836,
+    "fixing_lines": {
+      "server/src/main/java/org/cloudfoundry/identity/uaa/scim/endpoints/ScimGroupEndpoints.java": "168"
+    },
+    "introducing_lines": {
+      "scim/src/main/java/org/cloudfoundry/identity/uaa/scim/endpoints/ScimGroupEndpoints.java": "190"
+    }
+  },
+
+```
+
+## Review Pipeline Instructions
+
+### Prerequisites
+| Software | Used Version |
+| --- | --- |
+| Python3 |3.10.8 |
+| pip3 | 22.3.1 |
+| git | 2.29.0 |
+| Webbrowser of choice | Safari 16.1|
+
+### Setup
+In order to  install all required python packages please run the following command inside the `tool/src` directory:
+- `python3 -m pip install -R requirements.txt`
+
+### Usage
+The pipeline can be executed by the following command inside the `tool/src` directory:
+- `python3 manual_analysis_pipeline.py <path_to_input_dataset>`
+
+### Input Dataset
+The input dataset is expected to be a JSON file with the following fields:
+
+| Fieldname | Brief |
+| --- | --- |
+|cve_id| CVE id of the vulnerability|
+|repository| URL to the repository |
+|fixing_commits| List of fixing commit SHA-1 hashes |

citation.cff

@@ -0,0 +1,15 @@
+cff-version: 1.2.0
+message: "If you use this dataset or tool, please cite it as below."
+preferred-citation: dataset
+authors:
+- family-names: "Hinrichs"
+  given-names: "Torge"
+  orcid: "https://orcid.org/0000-0001-7489-3540"
+- family-names: "Scandariato"
+  given-names: "Riccardo"
+  orcid: "https://orcid.org/0000-0003-3591-7671"
+title: "Tool Assisted Manual Dataset on Vulnerability Introducing Commits"
+version: 0.1.0
+doi: 10.5281/zenodo.7565542
+date-released: 25.01.2023
+url: "https://github.com/tuhh-softsec/Tool-Assisted-Manual-Dataset-on-Vulnerability-Introducing-Commits"