In our work, we have designed and implemented a novel workflow with several heuristic methods to combine state-of-the-art methods related to CVE fix commits gathering. As a consequence of our improvements, we have been able to gather the largest programming language-independent real-world dataset of CVE vulnerabilities with the associated fix commits. Our dataset containing 29,203 unique CVEs coming from 7,238 unique GitHub projects is, to the best of our knowledge, by far the biggest CVE vulnerability dataset with fix commits available today. These CVEs are associated with 35,276 unique commits as sql and 39,931 patch commit files that fixed those vulnerabilities(some patch files can't be saved as sql due to several techincal reasons) Our larger dataset thus substantially improves over the current real-world vulnerability datasets and enables further progress in research on vulnerability detection and software security. We used NVD(nvd.nist.gov) and Github Secuirty advisory Database as the main sources of our pipeline.

We release to the community a 16GB PostgreSQL database that contains information on CVEs up to 2024-09-26, CWEs of each CVE, files and methods changed by each commit, and repository metadata. Additionally, patch files related to the fix commits are available as a separate package. Furthermore, we make our dataset collection tool also available to the community.

cvedataset-patches.zip file contains fix patches, and postgrescvedumper.sql.zip contains a postgtesql dump of fixes, together with several other fields such as CVEs, CWEs, repository meta-data, commit data, file changes, method changed, etc.

MoreFixes data-storage strategy is based on CVEFixes to store CVE commits fixes from open-source repositories, and uses a modified version of Porspector(part of ProjectKB from SAP) as a module to detect commit fixes of a CVE. Our full methodology is presented in the paper, with the title of "MoreFixes: A Large-Scale Dataset of CVE Fix Commits Mined through Enhanced Repository Discovery", which will be published in the Promise conference (2024).

For more information about usage and sample queries, visit the Github repository: https://github.com/JafarAkhondali/Morefixes

If you are using this dataset, please be aware that the repositories that we mined contain different licenses and you are responsible to handle any licesnsing issues. This is also the similar case with CVEFixes.

This product uses the NVD API but is not endorsed or certified by the NVD.

This research was partially supported by the Dutch Research Council (NWO) under the project NWA.1215.18.008 Cyber Security by Integrated Design (C-SIDe).

To restore the dataset, you can use the docker-compose file available at the gitub repository. Dataset default credentials after restoring dump:

POSTGRES_USER=postgrescvedumper POSTGRES_DB=postgrescvedumper POSTGRES_PASSWORD=a42a18537d74c3b7e584c769152c3d

Please use this for citation:

 title={MoreFixes: A large-scale dataset of CVE fix commits mined through enhanced repository discovery},
 author={Akhoundali, Jafar and Nouri, Sajad Rahim and Rietveld, Kristian and Gadyatskaya, Olga},
 booktitle={Proceedings of the 20th International Conference on Predictive Models and Data Analytics in Software Engineering},
 pages={42--51},
 year={2024}
}

CVEfixes is a comprehensive vulnerability dataset that is automatically collected and curated from Common Vulnerabilities and Exposures (CVE) records in the public U.S. National Vulnerability Database (NVD). The goal is to support data-driven security research based on source code and source code metrics related to fixes for CVEs in the NVD by providing detailed information at different interlinked levels of abstraction, such as the commit-, file-, and method level, as well as the repository- and CVE level.

This release, v1.0.8, covers all published CVEs up to 23 July 2024. All open-source projects that were reported in CVE records in the NVD in this time frame and had publicly available git repositories were fetched and considered for the construction of this vulnerability dataset. The dataset is organized as a relational database and covers 12107 vulnerability fixing commits in 4249 open source projects for a total of 11873 CVEs in 272 different Common Weakness Enumeration (CWE) types. The dataset includes the source code before and after changing 51342 files and 138974 functions. The collection took 48 hours with 4 workers (AMD EPYC Genoa-X 9684X).

This repository includes the SQL dump of the dataset, as well as the JSON for the CVEs and XML of the CWEs at the time of collection. The complete process has been documented in the paper "CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software", which is published in the Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21). You will find a copy of the paper in the Doc folder.

Citation and Zenodo links

Please cite this work by referring to the published paper:

Guru Bhandari, Amara Naseer, and Leon Moonen. 2021. CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software. In Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21). ACM, 10 pages. https://doi.org/10.1145/3475960.3475985

@inproceedings{bhandari2021:cvefixes, title = {{CVEfixes: Automated Collection of Vulnerabilities and Their Fixes from Open-Source Software}}, booktitle = {{Proceedings of the 17th International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE '21)}}, author = {Bhandari, Guru and Naseer, Amara and Moonen, Leon}, year = {2021}, pages = {10}, publisher = {{ACM}}, doi = {10.1145/3475960.3475985}, copyright = {Open Access}, isbn = {978-1-4503-8680-7}, language = {en} }

The dataset has been released on Zenodo with DOI:10.5281/zenodo.4476563. The GitHub repository containing the code to automatically collect the dataset can be found at https://github.com/secureIT-project/CVEfixes, released with DOI:10.5281/zenodo.5111494.

With over 17,000 identified vulnerable functions and 320,000 non-vulnerable functions extracted from 9,000 vulnerability fix commits, MegaVul provides multi-dimensional data to help you train state-of-the-art sequence-based vulnerability detectors.

DISCLAIMER

I am not the author of this dataset. I simply uploaded the dataset on Kaggle to simplify its use (instead of the OneDrive originally provided by the authors). To contact the authors, we refer to their GitHub (https://github.com/Icyrockton/MegaVul) that also provides the code necessary to crawl the data.

Getting Started

We offer three versions of the pre-crawled MegaVul, as well as providing Joern graphs extracted from all functions.

The differences between the three versions are as follows:

• cve_with_graph_abstract_commit.json: Raw dataset with complete hierarchical structure. It includes information such as CVE, Commit, :wqFile, Functions, etc.
• megavul.json is a version of cve_with_graph_abstract_commit.json after flattened, for easier use. Keep all fields but losing the hierarchical structure.
• megavul_simple.json is a simple version of megavul.json, designed to provide a more concise representation of the dataset. It retains essential fields such as Functions and CVE IDs while omitting detail information like function parameter lists and commit message.

⏩ Simple use case

More code examples can be found there: https://github.com/Icyrockton/MegaVul/tree/main/examples

The following code reads megavul_simple.json

import json
from pathlib import Path
graph_dir = Path('../megavul/storage/result/c_cpp/graph')

with Path("../megavul/storage/result/c_cpp/megavul_simple.json").open(mode='r') as f:
  megavul = json.load(f)
  item = megavul[9]
  cve_id = item['cve_id'] # CVE-2022-24786
  cvss_vector = item['cvss_vector']  # AV:N/AC:L/Au:N/C:P/I:P/A:P
  is_vul = item['is_vul'] # True
  if is_vul:
    func_before = item['func_before'] # vulnerable function

  func_after = item['func']  # after vul function fixed(i.e., clean function)
  abstract_func_after = item['abstract_func']

  diff_line_info = item['diff_line_info'] # {'deleted_lines': ['pjmedia_rtcp_comm .... ] , 'added_lines': [ .... ] }
  git_url = item['git_url']  # https://github.com/pjsip/pjproject/commit/11559e49e65bdf00922ad5ae28913ec6a198d508

  if item['func_graph_path_before'] is not None: # graphs of some functions cannot be exported successfully
    graph_file_path = graph_dir / item['func_graph_path_before']
    graph_file = json.load(graph_file_path.open(mode='r'))
    nodes, edges = graph_file['nodes'] , graph_file['edges']
    print(nodes)  # [{'version': '0.1', 'language': 'NEWC', '_label': 'META_DATA', 'overlays': ....
    print(edges)  # [{'innode': 196, 'outnode': 2, 'etype': 'AST', 'variable': None}, ...]

The dataset of "Finding A Needle in a Haystack: Automated Mining of Silent Vulnerability Fixes", which was accepted in the 36th IEEE/ACM Automated Software Engineering (ASE) Conference.

Followings are the descriptions of columns:

1. commit_id: The commit ID/hash.
2. repo: The Github Author and repository (e.g., "apache/hive").
3. filename: The name of the file changed in the commit.
4. partition: Which dataset the commit information belongs to (i.e., "train", "val", or "test").
5. PL: Programming Language (PL) (i.e., "java" or "py").
6. label: Label of the commit, 0 for non-vulnerability fixing commit and 1 for vulnerability fixing commit.
7. diff: The entire code change information of the file in this commit.
8. committer_date: The date of the commit (e.g., 2015-03-02 13:48:25+13:00)
9. msg: The commit message (NA if empty).
10. MOD_DIFF: The code change of the file in this commit after preprocessing: filtering out lines that are not added lines or removed lines, and removing refactoring information and comments.
11. BPE_MOD_DIFF: BPE processing applied to MOD_DIFF information (using codeprep Python package).
12. ADD_DIFF: The added lines from the MOD_DIFF information (indicated as a line starting with '+' character).
13. REM_DIFF: The removed lines from the MOD_DIFF information (indicated as a line starting with '-' character).
14. LOC_ADD: Total lines of code added in this file change.
15. LOC_REM: Total lines of code removed in this file change.
16. LOC_MOD: Total lines of code modified in this file change (LOC_ADD + LOC_REM).
17. commit_repo: The commit ID and repository concatenated.
18. cve_list: A list of CVEs which the commit fixes (e.g., CVE-2015-5348, CVE-2016-8902).

A clean union of BigVul and CVE-Fixes.

This repository has the FixMe dataset and the source code for extracting the new dataset. is a lightweight approach for collecting code patches based on analyzing the commits of various version control systems. The practical framework is designed to generate patches across a wide array of programming languages. This open-source tool streamlines the process of gathering vulnerability records from the Common Vulnerabilities and Exposures (CVE) database through an incremental approach. By embracing an incremental methodology, we expedite the acquisition of data, ensuring the inclusion of newly identified vulnerabilities and their corresponding patch pairs. Our methodology involves extracting security issues, obtaining vulnerability-fixing commits, and retrieving relevant source code from various projects. The extracted dataset by the FixMe tool supports for the automated patch prediction, automated program repair, commit classification, vulnerability prediction and more.

A complete list of live websites affected by CVE-2025-21973, compiled through global website indexing conducted by WebTechSurvey.

We present HaPy-Bug, a curated dataset of 793 Python source code commits associated with bug fixes, with each line of code annotated by three domain experts. The annotations offer insights into the purpose of modified files, changes at the line level, and reviewers’ confidence levels. We analyze HaPy-Bug to examine the distribution of file purposes, types of modifications, and tangled changes. Additionally, we explore its potential applications in bug tracking, the analysis of bug-fixing practices, and the development of repository analysis tools. HaPy-Bug serves as a valuable resource for advancing research in software maintenance and security.

This dataset, CIRCL/vulnerability-cwe-patch, provides structured real-world vulnerabilities enriched with CWE identifiers and actual patches from platforms like GitHub and GitLab. It was built to support the development of tools for vulnerability classification, triage, and automated repair. Each entry includes metadata such as CVE/GHSA ID, a description, CWE categorization, and links to verified patch commits with associated diff content and commit messages. The dataset is automatically… See the full description on the dataset page: https://huggingface.co/datasets/CIRCL/vulnerability-cwe-patch.

A complete list of live websites affected by CVE-2025-21948, compiled through global website indexing conducted by WebTechSurvey.

A complete list of live websites affected by CVE-2025-30797, compiled through global website indexing conducted by WebTechSurvey.

A complete list of live websites affected by CVE-2025-21984, compiled through global website indexing conducted by WebTechSurvey.

λℓ1 is fixed to the optimal value (2λℓ1/M = 1, coincidentally common to all cases). The number in brackets denotes the error bar to the last digits. The optimal values are bolded. The tuning constants δ and θ are set to be δ = 10−4 and θ = 10−12, respectively.

A complete list of live websites affected by CVE-2021-29053, compiled through global website indexing conducted by WebTechSurvey.

Wireshark Vulnerability Prediction Dataset

This dataset is constructed by a team of researchers in Istanbul Techical University Faculty of Computer and Informatics, and used in the paper entitled as "Predicting Vulnerability Inducing Function Versions Using Node Embeddings and Graph Neural Networks". Please see the GitHub repository https://github.com/erensahin/gnn-vulnerability-prediction for more details on usage.

This dataset consists of two main parts: * AST dumps which can be used as inputs for any Machine Learning model. (ast_input) * Wireshark file changes and bugs (file_changes_and_bugs)

ast_input

asp_input folder contains three files:

• ast_input.zip: This file is a compressed version of AST dumps in Python pickle format. You should use python pickle library to unpickle and use the data.
• node_embeddings_by_kind.pkl: Embedding vectors corresponding to AST node kinds in python pickle format.
• token_id_vocabulary.pkl: Map of token ids and their corresponding tokens in python pickle format.

file_changes_and_bugs

file_changes_and_bugs folder consists of five files:

• wireshark_file_changes.csv: list of file changes made in wireshark repository. file changes are basicly commit-file pairs.
• wireshark_cve_bug_matching.csv: this entity maps CVE entries to bug ids in wireshark bug repository. This is scraped from https://www.wireshark.org/security/
• additional_bugs.csv: additional security related bugs that our team manually identified by investigating security advisories and bug reports.
• wireshark_bug_commit_matching.csv: this entity maps security bugs (vulnerabilities) to commits in wireshark source code repositry.
• wireshark_bug_inducing_file_changes.csv: this entity maps vulnerabilities in wireshark source files in terms of in which commit a vulnerability is induced and fixed.

A complete list of live websites affected by CVE-2020-15839, compiled through global website indexing conducted by WebTechSurvey.

A complete list of live websites affected by CVE-2022-45320, compiled through global website indexing conducted by WebTechSurvey.