_INP BFCVE Challenge
Irena Bojanova, Inventor, Creator, PI, Bugs Framework (BF)
Let’s start creating a labeled dataset of input/output check related software security vulnerability specifications, using BF’s input/output check bugs formalism (taxonomy and LL(1) formal grammar).
There are 70 736 input/output check related CVEs (as of August 2023). To start with, we query the CVE for entries with CWEs assigned by NVD, where those CWEs also map, by operation, to BF Input/Output Check classes. We then order them by their severity scores according to the Common Vulnerability Scoring System (CVSS) and select at most thirty CVEs per operation, thus reducing the count to the most severe CVEs per _INP BF operation.
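The selection just described, as an added example that is not the BF project's own query code: NVD entries that carry an NVD-assigned CWE are mapped through a CWE2BF table to BF Input/Output Check (class, operation) pairs, ranked by CVSS, and cut to at most thirty per operation. The CWE2BF entries are only those that appear in the table on this page; the NVD records are constructed sample data, not real NVD entries, and the `select_per_operation` and `render_rows` names are this example's own.

```python
"""Selecting the most severe CVEs per BF Input/Output Check operation.

Added example, not the BF project's own tooling. It mirrors the selection
described above: keep NVD entries that carry an NVD-assigned CWE, map each
CWE to BF Input/Output Check (class, operation) pairs, rank by CVSS base
score, and keep at most N CVEs per operation.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

BFKey = Tuple[str, str]  # (BF class, BF operation)

# CWE2BF mapping restricted to the CWEs listed on this page. A CWE may map to
# more than one (class, operation) pair; CWE-20 maps to both DVR Verify and
# DVL Validate, so its CVEs are listed under both operations in the table.
CWE2BF: Dict[str, List[BFKey]] = {
    "CWE-94": [("DVL", "Sanitize")],
    "CWE-89": [("DVL", "Sanitize")],
    "CWE-78": [("DVL", "Sanitize")],
    "CWE-77": [("DVL", "Sanitize")],
    "CWE-36": [("DVL", "Sanitize")],
    "CWE-29": [("DVL", "Sanitize")],
    "CWE-23": [("DVL", "Sanitize")],
    "CWE-20": [("DVR", "Verify"), ("DVL", "Validate")],
    "CWE-129": [("DVR", "Verify")],
    "CWE-1284": [("DVR", "Verify")],
}

# Constructed sample records (not real NVD data) holding the three fields the
# selection needs: CVE id, CVSS base score, NVD-assigned CWEs.
SAMPLE_NVD = [
    {"id": "CVE-1900-0001", "cvss": 10.0, "cwes": ["CWE-78"]},
    {"id": "CVE-1900-0002", "cvss": 9.8, "cwes": ["CWE-78", "CWE-77"]},  # two CWEs, one operation
    {"id": "CVE-1900-0003", "cvss": 10.0, "cwes": ["CWE-20"]},           # lands in two operations
    {"id": "CVE-1900-0004", "cvss": 7.5, "cwes": ["CWE-20"]},
    {"id": "CVE-1900-0005", "cvss": 9.8, "cwes": ["CWE-1284"]},
    {"id": "CVE-1900-0006", "cvss": 5.3, "cwes": ["CWE-79"]},            # not an _INP CWE here: dropped
    {"id": "CVE-1900-0007", "cvss": 9.1, "cwes": []},                    # no NVD CWE: cannot be mapped
]


def select_per_operation(records, cwe2bf=CWE2BF, limit=30):
    """Return {(class, operation): [(cve_id, cvss, [cwes]), ...]}, each list
    sorted by CVSS descending (ties broken by id) and cut to `limit` entries."""
    buckets: Dict[BFKey, Dict[str, Tuple[float, List[str]]]] = defaultdict(dict)
    for rec in records:
        for cwe in rec["cwes"]:
            for key in cwe2bf.get(cwe, ()):
                # One entry per CVE per operation, even when several of its
                # CWEs map to the same operation; remember every contributing CWE.
                entry = buckets[key].setdefault(rec["id"], (rec["cvss"], []))
                entry[1].append(cwe)
    selection = {}
    for key, by_id in buckets.items():
        ranked = sorted(by_id.items(), key=lambda kv: (-kv[1][0], kv[0]))
        selection[key] = [(cve, score, cwes) for cve, (score, cwes) in ranked[:limit]]
    return selection


def render_rows(selection):
    """Pipe-separated rows in the layout of the table on this page, one per CVE."""
    lines = ["CVE | CVSS | BF Class | BF Operation | NVD CWE"]
    for (cls, op), rows in sorted(selection.items()):
        for cve, score, cwes in rows:
            lines.append(f"{cve} | {score:g} | {cls} | {op} | {', '.join(cwes)}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rows(select_per_operation(SAMPLE_NVD, limit=2))))
```

Two details matter when reproducing the page's table: a CVE whose several NVD CWEs map to the same operation is counted once for that operation, and a CVE whose CWE maps to two operations (CWE-20 above) is legitimately listed twice, once per operation, as the DVR Verify and DVL Validate rows below show.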
First set of steps:
- Explore the CVEs listed below. Each one has input/output check related underlying weaknesses and was identified via the corresponding CWE2BF mappings and the CWE to CVE assignments by NVD.
- Identify at least one CVE for which you can find the Bug Report, the Code with Bug, and the Code with Fix (locate the specific GitHub repository with the diffs). See how these are listed for the examples in BFCVE on the left.
Second set of steps:
- Get to know the BF Input/Output Check Bugs Model.
- Get to know the taxonomies of the BF Input/Output Check Classes.
- Get to know the BF Tool.
- Collaborate on creating BF descriptions of your CVEs.
Important Note:
Use the “NVD CWE” and “BF Chain(s) Identifiable from NVD CWE” columns only as possibly useful guidance. In some cases, a listed CWE may have been wrongly assigned by NVD; please notify us if you encounter such a case. In some cases, the listed chains may be wrong, or may not be the only possible ones, as the CWE information from which they are derived may itself be wrong or limited.
Third set of steps:
- Open in a text editor the .bfcve file in which you saved the BF CVE description using the BF Tool.
- Copy the entire content of the .bfcve file. This is your BF CVE specification in XML format.
- Submit the copied .bfcve content and the links to the Bug Report, the Code with Bug, and the Code with Fix here:
| _INP CVEs | CVSS | BF Class | BF Operation | NVD CWE | BF Chain(s) Identifiable from NVD CWE |
|---|---|---|---|---|---|
| | 10 | DVL | Sanitize | CWE-94 | (Missing Code/Erroneous Code, DVL Sanitize, Source Code Injection) |
| CVE-2023-1283 | 10 | DVL | Sanitize | | |
| CVE-2023-2583 | 10 | DVL | Sanitize | | |
| | 10 | DVL | Sanitize | CWE-89 | (Missing Code/Erroneous Code, DVL Sanitize, Query Injection) |
| | 10 | DVL | Sanitize | CWE-78 | (Missing Code/Erroneous Code, DVL Sanitize, Command Injection) |
| CVE-2022-30525 | 10 | DVL | Sanitize | | |
| CVE-2022-30541 | 10 | DVL | Sanitize | | |
| CVE-2022-30603 | 10 | DVL | Sanitize | | |
| CVE-2022-31137 | 10 | DVL | Sanitize | | |
| CVE-2022-31479 | 10 | DVL | Sanitize | | |
| CVE-2022-31794 | 10 | DVL | Sanitize | | |
| CVE-2022-31795 | 10 | DVL | Sanitize | | |
| CVE-2022-32534 | 10 | DVL | Sanitize | | |
| CVE-2022-32773 | 10 | DVL | Sanitize | | |
| CVE-2022-33189 | 10 | DVL | Sanitize | | |
| CVE-2022-33192 | 10 | DVL | Sanitize | | |
| CVE-2022-33193 | 10 | DVL | Sanitize | | |
| CVE-2022-33194 | 10 | DVL | Sanitize | | |
| CVE-2022-33195 | 10 | DVL | Sanitize | | |
| CVE-2022-33204 | 10 | DVL | Sanitize | | |
| CVE-2022-33205 | 10 | DVL | Sanitize | | |
| CVE-2022-33206 | 10 | DVL | Sanitize | | |
| CVE-2022-33207 | 10 | DVL | Sanitize | | |
| CVE-2023-2564 | 10 | DVL | Sanitize | | |
| | 10 | DVL | Sanitize | CWE-77 | (Missing Code/Erroneous Code, DVL Sanitize, Command Injection) |
| CVE-2022-31446 | 10 | DVL | Sanitize | | |
| CVE-2022-32449 | 10 | DVL | Sanitize | | |
| | 10 | DVL | Sanitize | CWE-36 | (Erroneous Code, DVL Sanitize, File Injection) |
| | 10 | DVL | Sanitize | CWE-29 | (Under-Restrictive Policy, DVL Sanitize, File Injection) |
| | 10 | DVL | Sanitize | CWE-23 | (Under-Restrictive Policy, DVL Sanitize, File Injection) |
| | 10 | DVR | Verify | CWE-20 | |
| CVE-2020-6962 | 10 | DVR | Verify | | |
| CVE-2020-6963 | 10 | DVR | Verify | | |
| CVE-2020-8087 | 10 | DVR | Verify | | |
| CVE-2020-8445 | 10 | DVR | Verify | | |
| CVE-2021-1965 | 10 | DVR | Verify | | |
| CVE-2021-21985 | 10 | DVR | Verify | | |
| CVE-2021-25437 | 10 | DVR | Verify | | |
| CVE-2021-26606 | 10 | DVR | Verify | | |
| CVE-2021-26607 | 10 | DVR | Verify | | |
| CVE-2021-26622 | 10 | DVR | Verify | | |
| CVE-2021-26624 | 10 | DVR | Verify | | |
| CVE-2021-32974 | 10 | DVR | Verify | | |
| CVE-2021-33527 | 10 | DVR | Verify | | |
| CVE-2021-43033 | 10 | DVR | Verify | | |
| CVE-2021-44734 | 10 | DVR | Verify | | |
| CVE-2022-24086 | 10 | DVR | Verify | | |
| CVE-2022-24720 | 10 | DVR | Verify | | |
| CVE-2022-25163 | 10 | DVR | Verify | | |
| CVE-2022-27228 | 10 | DVR | Verify | | |
| CVE-2022-29499 | 10 | DVR | Verify | | |
| CVE-2022-29539 | 10 | DVR | Verify | | |
| CVE-2022-32534 | 10 | DVR | Verify | | |
| | 10 | DVL | Validate | CWE-20 | |
| CVE-2020-15181 | 10 | DVL | Validate | | |
| CVE-2020-24647 | 10 | DVL | Validate | | |
| CVE-2020-24649 | 10 | DVL | Validate | | |
| CVE-2020-24679 | 10 | DVL | Validate | | |
| CVE-2020-25765 | 10 | DVL | Validate | | |
| CVE-2020-25787 | 10 | DVL | Validate | | |
| CVE-2020-3847 | 10 | DVL | Validate | | |
| CVE-2020-6962 | 10 | DVL | Validate | | |
| CVE-2020-6963 | 10 | DVL | Validate | | |
| CVE-2020-8087 | 10 | DVL | Validate | | |
| CVE-2020-8445 | 10 | DVL | Validate | | |
| CVE-2021-1965 | 10 | DVL | Validate | | |
| CVE-2021-21985 | 10 | DVL | Validate | | |
| CVE-2021-25437 | 10 | DVL | Validate | | |
| CVE-2021-26606 | 10 | DVL | Validate | | |
| CVE-2021-26607 | 10 | DVL | Validate | | |
| CVE-2021-26622 | 10 | DVL | Validate | | |
| CVE-2021-26624 | 10 | DVL | Validate | | |
| CVE-2021-32974 | 10 | DVL | Validate | | |
| CVE-2021-33527 | 10 | DVL | Validate | | |
| CVE-2021-43033 | 10 | DVL | Validate | | |
| CVE-2021-44734 | 10 | DVL | Validate | | |
| CVE-2022-24086 | 10 | DVL | Validate | | |
| CVE-2022-24720 | 10 | DVL | Validate | | |
| CVE-2022-25163 | 10 | DVL | Validate | | |
| CVE-2022-27228 | 10 | DVL | Validate | | |
| CVE-2022-29499 | 10 | DVL | Validate | | |
| CVE-2022-29539 | 10 | DVL | Validate | | |
| CVE-2022-32534 | 10 | DVL | Validate | | |
| | 10 | DVR | Verify | CWE-129 | (Missing Code/Erroneous Code, DVR Verify, Wrong Value) |
| CVE-2021-1933 | 10 | DVR | Verify | | |
| CVE-2021-22333 | 10 | DVR | Verify | | |
| | 10 | DVR | Verify | CWE-1284 | (Missing Code/Erroneous Code, DVR Verify, Wrong Value/Inconsistent Value) |
| CVE-2021-21951 | 10 | DVR | Verify | | |
| CVE-2021-21960 | 10 | DVR | Verify | | |
| CVE-2022-20699 | 10 | DVR | Verify | | |