Vulnerability Detection aims to mitigate and detect software vulnerabilities in real-world software products.
The dataset we used is provided by Li et al. (SySeVR), which is collected from SARD and NVD and contains a total of 15,592 C/C++ programs.
The processed datasets, including ASTs, PDGs, semantic graphs and labels, can be downloaded from OneDrive. Please unpack the downloaded file into the resources directory.
resources/dataset/OJ-Data-*/programs.pkl is stored in pickle format. Each row in this file represents one function and its label. One row is illustrated below.
- Testid: the id of CVE or SARD programs
- tree-graph: the generated semantic graph of Testid
- label: the class-label of the semantic graph.
Data statistics of the dataset are shown in the table below:

| Source | #Programs | #semantic graphs |
|---|---|---|
| SARD | 14,000 | 387,695 |
| NVD | 1,592 | 14,640 |
You can load the data with the following code:

```python
import glob
import os
import pandas as pd

# The path contains a wildcard, so expand it with glob rather than passing it
# straight to os.path.exists(), which does not understand '*'.
data_path = '../resources/*_graph_data/All_data_input.pkl'
matches = glob.glob(data_path)
if matches:
    data = pd.read_pickle(matches[0])
```
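The snippet below is an added example, not part of this project's code, showing how to work with rows in the schema described above (Testid, tree-graph, label): it round-trips constructed rows through a pickle file, reproduces the two counts from the statistics table (distinct programs versus semantic graphs, since one Testid can contribute several graphs), and splits the data by program so that graphs from the same Testid never end up on both sides of a train/test split. It uses only the standard library instead of pandas so it runs without the listed dependencies; the ids and the tiny "tree-graph" layout are placeholders, not the real semantic graphs.

```python
import os
import pickle
import random
import tempfile
from collections import Counter, defaultdict

# Constructed sample rows in the schema described above (Testid, tree-graph, label).
# The "tree-graph" field here is a toy stand-in (node kinds plus directed edges);
# the real programs.pkl holds the generated semantic graphs. The ids are placeholders.
SAMPLE_ROWS = [
    {"Testid": "CVE-placeholder-1", "tree-graph": {"nodes": ["decl", "call", "ret"], "edges": [(0, 1), (1, 2)]}, "label": 1},
    {"Testid": "CVE-placeholder-1", "tree-graph": {"nodes": ["decl", "ret"], "edges": [(0, 1)]}, "label": 0},
    {"Testid": "SARD-placeholder-1", "tree-graph": {"nodes": ["decl", "call", "ret"], "edges": [(0, 1), (1, 2)]}, "label": 1},
    {"Testid": "SARD-placeholder-2", "tree-graph": {"nodes": ["decl", "ret"], "edges": [(0, 1)]}, "label": 0},
    {"Testid": "SARD-placeholder-3", "tree-graph": {"nodes": ["decl", "ret"], "edges": [(0, 1)]}, "label": 0},
]


def save_rows(path, rows):
    with open(path, "wb") as fh:
        pickle.dump(rows, fh)


def load_rows(path):
    # pickle.load() executes code embedded in the file: only unpickle files
    # obtained from a source you trust (here, the file we just wrote ourselves).
    with open(path, "rb") as fh:
        return pickle.load(fh)


def dataset_stats(rows):
    """Counts in the spirit of the statistics table: distinct programs vs. semantic graphs."""
    programs = {row["Testid"] for row in rows}
    labels = Counter(row["label"] for row in rows)
    nodes = sum(len(row["tree-graph"]["nodes"]) for row in rows)
    edges = sum(len(row["tree-graph"]["edges"]) for row in rows)
    return {
        "programs": len(programs),
        "graphs": len(rows),
        "label_counts": dict(labels),
        "avg_nodes": nodes / len(rows) if rows else 0.0,
        "avg_edges": edges / len(rows) if rows else 0.0,
    }


def split_by_program(rows, test_fraction=0.2, seed=0):
    """Hold out whole programs so graphs of one Testid never straddle train and test."""
    by_id = defaultdict(list)
    for row in rows:
        by_id[row["Testid"]].append(row)
    ids = sorted(by_id)
    random.Random(seed).shuffle(ids)  # deterministic for a given seed
    n_test = max(1, round(len(ids) * test_fraction))
    test_ids = set(ids[:n_test])
    train = [r for tid in ids if tid not in test_ids for r in by_id[tid]]
    test = [r for tid in ids if tid in test_ids for r in by_id[tid]]
    return train, test


def round_trip_stats(rows=SAMPLE_ROWS):
    """Write the rows to a temporary pickle, read them back and summarise them."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "programs.pkl")
        save_rows(path, rows)
        return dataset_stats(load_rows(path))


if __name__ == "__main__":
    print(round_trip_stats())
    train, test = split_by_program(SAMPLE_ROWS, test_fraction=0.25, seed=1)
    print(len(train), "train graphs,", len(test), "test graphs")
```

Splitting by Testid rather than by row matters here because several semantic graphs are generated from the same program; a row-level split would let near-identical graphs of one program appear in both training and test data and inflate the measured scores.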
We also provide a pipeline that generates inputs for our model on this task. It requires the following packages:
- dgl==0.8.0.post1
- dgl_cu110==0.7.2
- gensim==3.8.3
- networkx==2.1
- nltk==3.3
- numpy==1.19.4
- pandas==1.1.4
- torch
Use joern to parse the source code: the input is the source code files, and the output is a file named .joernIndex.
We provide a script to train and evaluate our model for this task; it reports the FNR, FPR, accuracy, precision, recall and F-measure:

```
python Entry/train_graph_lstm.py
```

Example output:

```
[Epoch: 100/100] Train Loss: 0.0075, Val Loss: 0.0365, Train result: (FPR:0.1798859799634693, FNR:0.4122965641953016, accuracy: 99.75579975579976, prec: 99.53010915925685, recall:99.5877034358047, f_measure: 99.55889796803818), Test result: (FPR: 1.6569525395503746, FNR: 3.8983415894895472, accuracy: 97.71812886566985, prec: 95.73052992919975, recall: 96.10165841051045, f_measure: 95.91573516766982)
```
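As an added example (not the project's own evaluation code), the following computes the six metrics printed by the training script from a list of true labels and predictions, expressed in percent as in the log above, with label 1 meaning "vulnerable". The sample labels are constructed, not model output. FPR (benign functions flagged as vulnerable) and FNR (vulnerable functions the model misses) are the two numbers to watch when the classes are imbalanced, since accuracy alone can look high while many vulnerable functions are still missed; the helper also avoids division by zero when a split contains no samples of one class.

```python
from dataclasses import dataclass
from typing import Sequence, Tuple


@dataclass
class Metrics:
    """Evaluation metrics, all expressed in percent like the training log above."""
    fpr: float
    fnr: float
    accuracy: float
    precision: float
    recall: float
    f_measure: float


def confusion_counts(y_true: Sequence[int], y_pred: Sequence[int]) -> Tuple[int, int, int, int]:
    """Return (tp, fp, tn, fn); label 1 means 'vulnerable', 0 means 'benign'."""
    if len(y_true) != len(y_pred):
        raise ValueError("y_true and y_pred must have the same length")
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if truth not in (0, 1) or pred not in (0, 1):
            raise ValueError("labels must be 0 or 1")
        if pred == 1:
            if truth == 1:
                tp += 1
            else:
                fp += 1
        else:
            if truth == 1:
                fn += 1
            else:
                tn += 1
    return tp, fp, tn, fn


def _percent(numerator: int, denominator: int) -> float:
    # Guard against empty classes (e.g. a test split with no vulnerable samples).
    return 100.0 * numerator / denominator if denominator else 0.0


def compute_metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Metrics:
    tp, fp, tn, fn = confusion_counts(y_true, y_pred)
    fpr = _percent(fp, fp + tn)      # benign functions reported as vulnerable
    fnr = _percent(fn, fn + tp)      # vulnerable functions the model missed
    accuracy = _percent(tp + tn, tp + fp + tn + fn)
    precision = _percent(tp, tp + fp)
    recall = _percent(tp, tp + fn)
    f_measure = (2 * precision * recall / (precision + recall)) if (precision + recall) else 0.0
    return Metrics(fpr, fnr, accuracy, precision, recall, f_measure)


# Constructed sample predictions (not model output): 4 vulnerable and 6 benign functions,
# with one vulnerable function missed and one benign function falsely flagged.
SAMPLE_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
SAMPLE_PRED = [1, 1, 1, 0, 0, 0, 0, 0, 0, 1]

if __name__ == "__main__":
    print(compute_metrics(SAMPLE_TRUE, SAMPLE_PRED))
```

On the constructed sample this yields FPR 16.67, FNR 25.0, accuracy 80.0, precision 75.0, recall 75.0 and F-measure 75.0; note that the relatively benign-looking 80% accuracy hides that a quarter of the vulnerable functions were missed.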