Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

SARD: Thousands of Reference Programs for Software Assurance



Paul E. Black


A corpus of computer programs with known bugs is useful in determining the ability of tools to find bugs. This article describes the content of NIST's Software Assurance Reference Dataset (SARD), which is a publicly available collection of thousands of programs with known weaknesses. SARD has programs in C, C++, Java, PHP, and C# covering over 150 classes of weaknesses. Most of the test cases are synthetic programs of a page or two of code, but there are over 7,000 full size applications, mostly derived from a dozen base applications. The collection also includes buggy code used in Static Analysis Tool Expositions (SATE). Although not every bug is indicated in every program, the vast majority of weaknesses are noted in files that can be automatically processed. Many test cases are grouped into suites, such as CAS Juliet, IARPA STONESOUP, and Kratkiewicz's buffer overflow. Test cases and suites came from many software developers, tool developers, and academic researchers. Users can search for test cases by language, weakness type, and several other criteria and can then browse, select, and download them. Analysts can cut months off the time needed to evaluate a tool or technique using test cases from the SARD.
Journal of Cyber Security and Information Systems


software assurance, static analysis, programming language test material, software quality, cybersecurity


Black, P. (2017), SARD: Thousands of Reference Programs for Software Assurance, Journal of Cyber Security and Information Systems, [online], (Accessed July 21, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created October 31, 2017, Updated May 4, 2021