Academic paper

Comprehensively Labeled Weakness and Vulnerability Datasets via Unambiguous Formal Bugs Framework Specifications
Document Type: Article
Source: IT Professional Magazine; January 2024, Vol. 26 Issue 1, p60-68, 9p
ISSN: 1520-9202
Abstract
The current state of the art in software security, which describes weakness types as Common Weakness Enumeration (CWE) entries and vulnerabilities as Common Vulnerabilities and Exposures (CVE) entries and labels CVEs with CWEs, is not keeping up with the requirements of modern cybersecurity research and applications for comprehensively labeled datasets. The NIST Bugs Framework (BF) is a formal classification system for software security bugs and related software faults that enables unambiguous specification of software security weaknesses and vulnerabilities, and it offers a prominent new approach to the systematic creation of weakness and vulnerability datasets labeled with the BF taxonomy. This work presents methodologies, based on the BF formal language and the developed BF tools, for comprehensively labeling common weaknesses (including CWEs) and publicly disclosed vulnerabilities (including CVEs). The resulting taxonomic datasets, transformation algorithms, databases, and queries can support a new range of research and implementation efforts in weakness and vulnerability specification generation, bug detection, vulnerability remediation or mitigation, and test-case generation.
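To make the "unambiguous specification" point concrete, the following is an added illustration written for this record; it is not code from the paper or from the NIST BF project. It assumes the BF convention that a weakness is a (cause, operation, consequence) triple and that a vulnerability is a chain of weaknesses in which each weakness's consequence is the next weakness's cause, with the last consequence being the security failure. The BF class abbreviations (DVR, MAD, MUS, DVL), the operation and cause names, and the vulnerability records are constructed for the example and are not taken from the page.

```python
"""Toy model of BF-style weakness chains and a labeled vulnerability dataset.

Added illustration, not the paper's or NIST BF's own code. Assumption: a
weakness is (cause, operation, consequence); a vulnerability is a chain in
which consequence[i] == cause[i+1]. Class names and records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Weakness:
    bf_class: str       # assumed BF class label, e.g. "DVR" (data verification)
    cause: str
    operation: str
    consequence: str


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str        # constructed identifier, not a real CVE
    chain: tuple        # tuple[Weakness, ...]


def validate_chain(vuln: Vulnerability) -> list:
    """Return a list of problems; an empty list means the chain is well formed.

    The linking rule is what makes a BF label unambiguous: the consequence of
    one weakness must be exactly the cause of the next, so a reader cannot
    insert or skip a step without the label becoming invalid.
    """
    problems = []
    if not vuln.chain:
        return [f"{vuln.vuln_id}: empty chain"]
    for i, w in enumerate(vuln.chain, start=1):
        if not (w.bf_class and w.cause and w.operation and w.consequence):
            problems.append(f"step {i}: incomplete (cause, operation, consequence)")
    for i in range(len(vuln.chain) - 1):
        a, b = vuln.chain[i], vuln.chain[i + 1]
        if a.consequence != b.cause:
            problems.append(
                f"step {i + 1}->{i + 2}: consequence {a.consequence!r} "
                f"does not match cause {b.cause!r}"
            )
    return problems


def bf_label(vuln: Vulnerability) -> str:
    """Compact dataset label: ID followed by the chain of BF classes."""
    return f"{vuln.vuln_id}: " + ">".join(w.bf_class for w in vuln.chain)


def failure_of(vuln: Vulnerability) -> str:
    """The security failure is the consequence of the last weakness."""
    return vuln.chain[-1].consequence


def query_by_operation(dataset: list, operation: str) -> list:
    """IDs of all records whose chain contains a weakness with this operation."""
    return [v.vuln_id for v in dataset
            if any(w.operation == operation for w in v.chain)]


# Constructed sample records (not real vulnerabilities).
SAMPLE_OK = Vulnerability("V-EXAMPLE-1", (
    Weakness("DVR", "Missing Check", "Verify", "Wrong Value"),
    Weakness("MAD", "Wrong Value", "Reposition", "Over Bounds Pointer"),
    Weakness("MUS", "Over Bounds Pointer", "Read", "Buffer Over-Read"),
))

# Second step's cause does not match the first step's consequence.
SAMPLE_BROKEN = Vulnerability("V-EXAMPLE-2", (
    Weakness("DVL", "Missing Check", "Validate", "Invalid Data"),
    Weakness("MAD", "Under Bounds Pointer", "Reposition", "Wild Pointer"),
))

DATASET = [SAMPLE_OK, SAMPLE_BROKEN]


if __name__ == "__main__":
    for v in DATASET:
        print(bf_label(v), "| failure:", failure_of(v),
              "| problems:", validate_chain(v) or "none")
    print("records with a Read operation:", query_by_operation(DATASET, "Read"))
```

The validator is the useful part: a labeling tool built on such a model can reject a record whose steps do not link, which is exactly the ambiguity that free-text CWE assignment allows.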