NIST expands database designed to help programmers improve software security

The database, known as the Software Assurance Metrics and Tool Evaluation (SAMATE) Reference Dataset (SRD) version 4.0, is available free online.

SRD version 4.0 contains 175 broad categories of weakness types that encompass more than 60,000 specific cases of code errors—an addition of 100 more categories and 30 times the number of cases in SRD version 3.0.

Each specific case is about a page of computer code showing a problematic way of composing functions, loops, or logic operations written in languages such as Java, C and C++. The dataset is searchable by language, type of weakness, and code construct, and search results are available in a downloadable zip file.

"The SRD is for companies that build static analyzers," which run through code looking for problems, said SRD project leader Michael Koo. "It will help their products catch the most common errors in the software they are supposed to check. It brings rigor into software assurance, so that the public can be more confident that there are fewer dangerous weaknesses in the software they use."

NIST said the next step is to include errors in more languages, as well as in longer stretches of computer code. The 4.0 release includes mostly short examples, but Koo said there are plans to explore vulnerabilities in large open-source software packages of up to a million lines of code and expand the SRD to include these in the near future. 