Software assurance tools examine code for problems. To test such tools, we need programs with known bugs to serve as ground truth. The Software Assurance Reference Dataset (SARD) is a publicly accessible collection of over 100,000 test cases in multiple programming languages, covering dozens of classes of weaknesses, such as those in the Common Weakness Enumeration (CWE). The test cases range from small, synthetic programs to production code, such as Google Chrome. In addition to collecting test cases, we are working on a more precise and nuanced description language for weaknesses. We show examples such as Heartbleed and Ghost.