Test cases in SARD can be combined and form multiple test suites and all are present in this page. Please use the links below to quick access to each section:

Results: 42 Test Suites.

Test Suite ID

View

Download

Manifest Creation Date Title Description Contributor # of Cases

109 2017-11-03 Juliet 1.3 Java A collection of Java test cases updated from Juliet 1.2 Paul E. Black 28881

108 2017-11-03 Juliet 1.3 C/C++ A collection of C and C++ test cases updated from Juliet 1.2



Note: An error in the SARD database caused wrong files to be included in some test cases. The error has been fixed on 11/17/2018. Paul E. Black 64099

107 2017-09-19 VLC test suite (Deprecated) This test suite is a version of the open-source application VLC for Android in which vulnerabilities have been injected. It contains 14 differents CWEs written in the Java language and a total of 34 weaknesses. Some of them are security related and some of them are bad java programming practices. SAMATE Team Staff 16

106 2017-09-19 Klocwork test suite Klocwork, Inc. donated 41 C and C++ test cases from the regression test suite for their tool. Most are related to memory management, e.g., memory leak, bad free, and use after free. SAMATE Team Staff 41

105 2016-09-13 C# Vulnerability Test Suite Bertrand C. Stivalet and Aurelien Delaitre designed the architecture and oversaw development of the more modular and extensible test generator based on Test Suite 103 by Telecom Nancy students to create 32 003 test cases in C#. Bertrand C. Stivalet 32003

104 2016-09-13 ITC-Benchmarks Toyota InfoTechnology Center (ITC), U.S.A. static analysis benchmarks for undefined behavior and concurrency weaknesses. 100 test cases in C and C++ containing a total of 685 pairs of intended weaknesses. Each pair has a version with a weakness and a fixed version. The test cases are Copyright (c) 2012-2014 and distributed under the "BSD License." See Shin'ichi Shiraishi, Veena Mohan, and Hemalatha Marimuthu, "Test Suites for Benchmarks of Static Analysis Tools," IEEE Int'l Symp. on Software Reliability Engineering (ISSRE '15), DOI: 10.1109/ISSREW.2015.7392027, originally obtained from https://github.com/regehr/itc-benchmarks.



Please note that test cases contain coincidental weaknesses flagged by SAMATE team, each described accordingly and individually.



Also please note that the SAMATE team determined that in a few cases, the code that was marked as weakness originally was in fact correct code. We describe these cases accordingly and individually. Charles Oliveira 100

103 2015-10-28 PHP Vulnerability Test Suite Bertrand C. Stivalet and Aurelien Delaitre designed the architecture and oversaw development of a test generator by Telecom Nancy students to create 42 212 test cases in PHP, covering the most common security weakness categories, including XSS, SQL injection, URL redirection, etc. See Bertrand Stivalet and Elizabeth Fong, "Large Scale Generation of Complex and Faulty PHP Test Cases," 2016 IEEE International Conference on Software Testing, Verification and Validation (ICST), Chicago, IL. Bertrand C. Stivalet 42212

102 2015-10-28 IARPA STONESOUP Phase 3 Test Cases A collection of C and Java test cases based on 16 widely-used open-source software in which vulnerabilities have been seeded. It comes bundled in a virtual machine for ease of use.

This product contains or makes use of Intelligence Advanced Research Projects Activity (IARPA) data from the STONESOUP program. Any product, report, publication, presentation, or other document including or referencing the IARPA data herein should include this statement.

All documents related to the STONESOUP program can be found at the documents page.

NIST assumes no responsibility whatsoever for its use by other parties, and makes no guaranties, expressed or implied, about its quality, reliability, or any other characteristic. Charles Oliveira 7770

101 2015-03-16 C Test Suite for Source Code Analyzer v2 - Secure This test suite replaces test suite 46 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of targeted weaknesses from 13 "GOOD" test cases in test suite 46, removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published. Aurelien Delaitre 102

100 2015-03-16 C Test Suite for Source Code Analyzer v2 - Vulnerable This test suite replaces test suite 45 based on a collaboration with Alexander Hoole from University of Victoria, BC, Canada. The new test cases provided by these test suites contain the following improvements: removal of extraneous weaknesses, replacement of test cases to align with the CWEs specified in NIST SP 500-268 v1.1, creation of additional test cases to provide consistent BAD/GOOD pairings, application of minor improvements to code, renaming of files and the addition of FLAW/FIX comments to assist automation, and insertion of improved metadata to assist researchers using SARD. Please refer to the test case metadata fields to view additional information for each test case. Note: Some test cases have been deprecated and replaced with fixed versions since this test suite has been initially published. Aurelien Delaitre 102

99 2014-08-01 wordpress-2.0 Content management system based on PHP and MySQL. Contains CVEs. SAMATE Team Staff 22

98 2014-08-01 openfire-3.6.0 Real time collaboration server that uses XMPP (Jabber). Contains CVEs. SAMATE Team Staff 12

97 2014-08-01 jspwiki-2.5.124 WikiWiki engine built around JEE components (Java, servlets, JSP). Contains CVEs. SAMATE Team Staff 3

96 2014-08-01 jetty-6.1.16 Web server and javax.servlet container with support for SPDY, WebSocket, OSGi, JMX, JNDI, JAAS, along with other integrations. Contains CVEs. SAMATE Team Staff 6

95 2014-08-01 apache-tomcat-5.5.13 Open source software implementation of the Java Servlet and JavaServer Pages technologies. Contains CVEs. SAMATE Team Staff 37

94 2014-08-01 wireshark-1.8.0 Network traffic analyzer containing CVEs. SAMATE Team Staff 127

93 2014-08-01 wireshark-1.2.0 Network traffic analyzer containing CVEs. SAMATE Team Staff 44

92 2014-08-01 dovecot-1.2.0 IMAP and POP3 email server for Linux/UNIX-like systems. Contains CVEs. SAMATE Team Staff 9

91 2014-08-01 chrome-5.0.375.54 Google web browser containing CVEs. SAMATE Team Staff 10

90 2014-08-01 asterisk-10.2.0 VoIP communication system with chat, conferencing, instant messaging, fax and other features. Contains CVEs. SAMATE Team Staff 20

89 2014-06-09 A Taxonomy of Buffer Overflows Kendra Kratkiewicz developed a taxonomy of C buffer overflows and 291 test cases representing this taxonomy. Each test case has three flawed versions (with overflows just outside, moderately outside, and far outside the buffer) and a patched version (without buffer overflow). Examples of using these are in "A Taxonomy of Buffer Overflows for Evaluating Static and Dynamic Software Testing Tools" 2005. Eric Rosenberg 1164

88 2014-06-09 Testing Exploitable Buffer Overflows From Open Source Code Zitser, Lippmann, and Leek extracted 14 model programs from internet applications (BIND, Sendmail, WU-FTP) with known buffer overflows. These models have the portion of code with the overflows. Patched versions are also included. Examples of using these are in "Using Exploitable Buffer Overflows From Open Source Code" 2004. Eric Rosenberg 28

87 2013-05-15 Juliet Test Suite for Java (v1.2) (Deprecated) This is a collection of test cases in the Java language. It contains examples for 112 different CWEs. NOTE: This package contains only individual test cases. We recommend to download the full test suite at the top of the "Test Suite" page. All documents related to the Juliet Test Suite can be found at the documents page SAMATE Team Staff 25477

86 2013-05-15 Juliet Test Suite for C/C++ (v1.2) (Deprecated) This is a collection of test cases in the C/C++ language. It contains examples for 118 different CWEs. NOTE: This package contains only individual test cases. We recommend to download the full test suite at the top of the "Test Suite" page. All documents related to the Juliet Test Suite can be found at the documents page SAMATE Team Staff 61387

81 2013-02-08 Basic CWE Effectiveness, CWE-121: Stack-based Buffer Overflow, for C. These allow a prospective user to understand that a capability is effective in locating CWE-121: Stack-based Buffer Overflow in the most basic situations in C code. Michael Koo 5

69 2011-04-08 Juliet Test Suite for Java (v1.0 - Deprecated) This is a collection of test cases in the Java language. It contains examples for 106 different CWEs. NOTE: This package contains only individual test cases. We recommend to download the full test suite at the top of the "Test Suite" page. All documents related to the Juliet Test Suite can be found at the documents page SAMATE Team Staff 14184

68 2011-04-08 Juliet Test Suite for C/C++ (v1.0 - Deprecated) This is a collection of test cases in the C/C++ language. It contains examples for 116 different CWEs. NOTE: This package contains only individual test cases. We recommend to download the full test suite at the top of the "Test Suite" page. All documents related to the Juliet Test Suite can be found at the documents page SAMATE Team Staff 45309

65 2010-02-04 Java Test Suite for Source Code Analyzer - weakness suppresion This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RO-2 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 10

64 2010-02-04 Java Test Suite for Source Code Analyzer - false positive This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-6 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 27

63 2010-02-04 Java Test Suite for Source Code Analyzer - weakness This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-1 through SCA-RM-5 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 27

62 2008-10-02 Defence R&D Canada 25 C++ test cases (plus a main including all of them) created in 2006 by Frederic Michaud and Frederic Painchaud, Defence Research & Development Canada, http://www.drdc-rddc.gc.ca/ SAMATE Team Staff 26

59 2007-12-06 C++ Test Suite for Source Code Analyzer - weakness suppresion This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RO-2 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 14

58 2007-12-06 C++ Test Suite for Source Code Analyzer - false positive This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-6 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 39

57 2007-12-06 C++ Test Suite for Source Code Analyzer - weakness This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-1 through SCA-RM-5 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 41

47 2007-02-05 C Test Suite for Source Code Analyzer - weakness suppresion (deprecated) This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RO-2 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 21

46 2007-02-05 C Test Suite for Source Code Analyzer - false positive (deprecated) This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-6 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 73

45 2007-01-24 C Test Suite for Source Code Analyzer - weakness (deprecated) This test suite tests against Source Code Security Analyzer based on functional requirements SCA-RM-1 through SCA-RM-5 specified in "Source Code Security Analysis Tool Functional Specification" Michael Koo 77

31 2006-10-24 Web Applications in PHP The PHP Test cases Romain Gaucher 15

17 2006-08-09 CANDIDATE Source Code Analysis Tool Functional Specification Test Suite This test suite contains all test cases that can be used to test a general purpose, production source code analysis tool implementation against the SAMATE Source Code Analysis Tool Functional Specification. SAMATE Team Staff 34

9 2006-07-11 Test suite (2006/07/11 18:32:50) Redge Bartholomew 5