Table of Contents
Fetching ...

ICVul: A Well-labeled C/C++ Vulnerability Dataset with Comprehensive Metadata and VCCs

Chaomeng Lu, Tianyu Li, Toon Dehaene, Bert Lagaisse

TL;DR

ICVul addresses the challenge of producing high-quality, comprehensive vulnerability data for ML-based detection by constructing a well-labeled C/C++ dataset enriched with extensive metadata, including Vulnerability-Contributing Commits (VCCs) traced via the SZZ algorithm and enhanced by the Eliminate Suspicious Commit (ESC) noise-filtering workflow. The dataset is assembled through an end-to-end pipeline that filters CVEs from the NVD, traces VCCs, and extracts repository, file, and function-level information, while excluding noisy data and relying on a relational-like schema for efficient analysis. Key contributions include a well-balanced label set with VCC context, noise elimination, and a reproducible construction framework publicly available on GitHub, enabling updates and broader research applications in vulnerability detection, risk assessment, and code quality analysis. The work advances practical SVD research by facilitating multi-dimensional modeling and potential integration with Just-in-Time (JIT) methods trained on VCC data, thus improving label reliability and model robustness across commit-, file-, and function-level signals.

Abstract

Machine learning-based software vulnerability detection requires high-quality datasets, which is essential for training effective models. To address challenges related to data label quality, diversity, and comprehensiveness, we constructed ICVul, a dataset emphasizing data quality and enriched with comprehensive metadata, including Vulnerability-Contributing Commits (VCCs). We began by filtering Common Vulnerabilities and Exposures from the NVD, retaining only those linked to GitHub fix commits. Then we extracted functions and files along with relevant metadata from these commits and used the SZZ algorithm to trace VCCs. To further enhance label reliability, we developed the ESC (Eliminate Suspicious Commit) technique, ensuring credible data labels. The dataset is stored in a relational-like database for improved usability and data integrity. Both ICVul and its construction framework are publicly accessible on GitHub, supporting research in related field.

ICVul: A Well-labeled C/C++ Vulnerability Dataset with Comprehensive Metadata and VCCs

TL;DR

ICVul addresses the challenge of producing high-quality, comprehensive vulnerability data for ML-based detection by constructing a well-labeled C/C++ dataset enriched with extensive metadata, including Vulnerability-Contributing Commits (VCCs) traced via the SZZ algorithm and enhanced by the Eliminate Suspicious Commit (ESC) noise-filtering workflow. The dataset is assembled through an end-to-end pipeline that filters CVEs from the NVD, traces VCCs, and extracts repository, file, and function-level information, while excluding noisy data and relying on a relational-like schema for efficient analysis. Key contributions include a well-balanced label set with VCC context, noise elimination, and a reproducible construction framework publicly available on GitHub, enabling updates and broader research applications in vulnerability detection, risk assessment, and code quality analysis. The work advances practical SVD research by facilitating multi-dimensional modeling and potential integration with Just-in-Time (JIT) methods trained on VCC data, thus improving label reliability and model robustness across commit-, file-, and function-level signals.

Abstract

Machine learning-based software vulnerability detection requires high-quality datasets, which is essential for training effective models. To address challenges related to data label quality, diversity, and comprehensiveness, we constructed ICVul, a dataset emphasizing data quality and enriched with comprehensive metadata, including Vulnerability-Contributing Commits (VCCs). We began by filtering Common Vulnerabilities and Exposures from the NVD, retaining only those linked to GitHub fix commits. Then we extracted functions and files along with relevant metadata from these commits and used the SZZ algorithm to trace VCCs. To further enhance label reliability, we developed the ESC (Eliminate Suspicious Commit) technique, ensuring credible data labels. The dataset is stored in a relational-like database for improved usability and data integrity. Both ICVul and its construction framework are publicly accessible on GitHub, supporting research in related field.
Paper Structure (13 sections, 3 figures, 1 table)

This paper contains 13 sections, 3 figures, 1 table.

Figures (3)

  • Figure 1: Overview of the ICVul construction framework.
  • Figure 2: Structure of our ICVul Dataset.
  • Figure 3: Distribution of top 10 repositories across the top 5 CWE types, sorted by vulnerable function count.