Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Comprehensively Labeled Weakness and Vulnerability Datasets via Unambiguous Formal Bugs Framework (BF) Specifications

Published

Author(s)

Irena Bojanova

Abstract

The current state of the art in software security -- describing weaknesses as CWEs, vulnerabilities as CVEs, and labeling CVEs with CWEs -- is not keeping up with the modern cybersecurity research and application requirements for comprehensively labeled datasets. As a formal classification system of software security bugs, faults, and weaknesses enabling unambiguous specification of vulnerabilities, the NIST Bugs Framework (BF) offers a prominent new approach towards systematic creation of labeled with the BF taxonomy datasets. This work presents methodologies based on BF and tools for comprehensive labeling of common weakness types (including CWEs) and publicly disclosed vulnerabilities (including CVEs). The BFCWE tool facilitates generation of unambiguous formal BF weakness specifications as entries of a comprehensively labeled BFCWE dataset. The BFCVE tool generates a comprehensively pre-labeled vulnerability dataset further refined via code analysis. Via a rich GUI it also guides the creation of unambiguous formal BF specifications as entries of a comprehensively labeled BFCVE dataset. The developed taxonomic datasets, transformation algorithms, databases, and queries can benefit the implementation of a new range of software testing, bug detection, test-case generation, and weakness/vulnerability specification generation tools.
Citation
IEEE IT Professional
Volume
26
Issue
1

Keywords

Bug, Bug Classification, Bug Detection, Bug Taxonomy, Cybersecurity, Generation Tool, Labeled Dataset, Software Bug, Security Failure, Software Testing, Software Vulnerability, Software Weakness, Test-Case Generation, Vulnerability Dataset, Weakness Dataset.

Citation

Bojanova, I. (2024), Comprehensively Labeled Weakness and Vulnerability Datasets via Unambiguous Formal Bugs Framework (BF) Specifications, IEEE IT Professional, [online], https://doi.org/10.1109/MITP.2024.3358970, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=957238 (Accessed July 23, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created January 20, 2024, Updated March 26, 2024