code-review-env-v3 / scripts /expand_dataset.py
Kinchi
v2: calibrated metacognition as RL + inference-time budget + transfer eval
51fd6a7
Raw
History Blame Contribute Delete
19.6 kB
"""
Expand the CVE dataset from 65 → 250+ episodes, each with real bugs.
==================================================================
This generates synthetic CVE episodes based on real vulnerability patterns
from the MITRE CWE database. Each episode has 5-25 files with a guaranteed
20-40% bug rate, ensuring the agent ALWAYS has something to find.
"""
import json
import random
import os
import hashlib
from collections import defaultdict
random.seed(42)
# ── Real vulnerability patterns from CWE database ──────────────────
# Each entry: (CVE-like ID, description, vuln_type, CVSS, language, component patterns)
SYNTHETIC_CVES = [
# === Buffer Overflows (CWE-120, CWE-119) ===
("CVE-2017-0144", "SMB server buffer overflow allows remote code execution via crafted packets", "buffer_overflow", 9.8, "C", ["smb", "server", "packet", "parse"]),
("CVE-2017-5638", "Apache Struts content-type header parsing allows remote code execution", "buffer_overflow", 10.0, "Java", ["struts", "content", "parser", "upload"]),
("CVE-2018-1000001", "glibc getcwd heap buffer underflow", "buffer_overflow", 7.8, "C", ["glibc", "getcwd", "path", "realpath"]),
("CVE-2019-11477", "Linux kernel TCP SACK panic from integer overflow in tcp_gso_segments", "buffer_overflow", 7.5, "C", ["tcp", "sack", "segment", "gso"]),
("CVE-2020-0601", "Windows CryptoAPI spoofing vulnerability in certificate validation", "buffer_overflow", 8.1, "C", ["crypto", "cert", "validate", "ecc"]),
("CVE-2021-44228", "Log4j JNDI injection allows remote code execution via crafted log messages", "buffer_overflow", 10.0, "Java", ["log4j", "jndi", "lookup", "message"]),
("CVE-2018-6574", "Go cmd/go allows remote command execution via cgo during build", "buffer_overflow", 7.8, "Go", ["build", "cgo", "compile", "link"]),
("CVE-2016-7124", "PHP unserialize heap buffer overflow in SPL ArrayObject", "buffer_overflow", 9.8, "PHP", ["unserialize", "spl", "array", "object"]),
("CVE-2019-5736", "runc container escape via overwriting host runc binary", "buffer_overflow", 8.6, "Go", ["runc", "container", "exec", "init"]),
("CVE-2017-12617", "Apache Tomcat remote code execution via PUT method upload", "buffer_overflow", 8.1, "Java", ["tomcat", "upload", "put", "servlet"]),
# === Use-After-Free (CWE-416) ===
("CVE-2016-0728", "Linux keyring use-after-free allows privilege escalation", "use_after_free", 7.8, "C", ["keyring", "key", "refcount", "join"]),
("CVE-2017-6074", "Linux kernel DCCP double-free allows privilege escalation", "use_after_free", 7.8, "C", ["dccp", "socket", "connect", "close"]),
("CVE-2019-2215", "Android binder use-after-free in epoll", "use_after_free", 7.8, "C", ["binder", "epoll", "wait", "thread"]),
("CVE-2020-14386", "Linux AF_PACKET use-after-free privilege escalation", "use_after_free", 7.8, "C", ["packet", "socket", "tpacket", "ring"]),
("CVE-2021-22555", "Netfilter use-after-free in xt_compat", "use_after_free", 7.8, "C", ["netfilter", "compat", "target", "match"]),
("CVE-2018-5390", "Linux TCP use-after-free in tcp_collapse_ofo_queue", "use_after_free", 7.5, "C", ["tcp", "collapse", "queue", "ofo"]),
("CVE-2019-15666", "Linux xfrm use-after-free in xfrm_policy_fini", "use_after_free", 4.4, "C", ["xfrm", "policy", "fini", "state"]),
# === SQL Injection (CWE-89) ===
("CVE-2017-5521", "Netgear router authentication bypass via SQL injection", "sql_injection", 8.1, "Python", ["auth", "login", "query", "password"]),
("CVE-2018-15133", "Laravel framework SQL injection in query builder", "sql_injection", 8.1, "PHP", ["query", "builder", "where", "eloquent"]),
("CVE-2019-11043", "PHP-FPM underflow leads to RCE via crafted URL paths", "sql_injection", 9.8, "PHP", ["fpm", "path", "fcgi", "request"]),
("CVE-2020-36326", "PHPMailer object injection vulnerability", "sql_injection", 9.8, "PHP", ["mail", "send", "smtp", "header"]),
("CVE-2018-3760", "Rails Sprockets path traversal allows arbitrary file read", "sql_injection", 7.5, "Ruby", ["sprockets", "asset", "path", "resolve"]),
("CVE-2017-14149", "Pelican static site generator SQL injection in feed generator", "sql_injection", 7.5, "Python", ["feed", "generate", "entry", "template"]),
("CVE-2019-3462", "APT package manager HTTP redirect injection", "sql_injection", 8.1, "C++", ["apt", "http", "redirect", "acquire"]),
# === XSS (CWE-79) ===
("CVE-2018-11776", "Apache Struts namespace XSS allows code execution", "xss", 8.1, "Java", ["struts", "namespace", "action", "result"]),
("CVE-2019-16759", "vBulletin pre-auth RCE via template injection", "xss", 9.8, "PHP", ["template", "render", "eval", "widget"]),
("CVE-2020-11022", "jQuery XSS in html() method with crafted input", "xss", 6.1, "JavaScript", ["jquery", "html", "parse", "dom"]),
("CVE-2017-16028", "randomatic npm package predictable output", "xss", 5.3, "JavaScript", ["random", "generate", "charset", "string"]),
("CVE-2018-20677", "Bootstrap XSS in tooltip data-template", "xss", 6.1, "JavaScript", ["bootstrap", "tooltip", "template", "popover"]),
("CVE-2019-11358", "jQuery prototype pollution in extend function", "xss", 6.1, "JavaScript", ["jquery", "extend", "merge", "deep"]),
("CVE-2020-7598", "minimist prototype pollution", "xss", 5.6, "JavaScript", ["minimist", "parse", "args", "proto"]),
("CVE-2021-23337", "lodash template injection", "xss", 7.2, "JavaScript", ["lodash", "template", "interpolate", "escape"]),
# === Privilege Escalation (CWE-269) ===
("CVE-2016-5195", "Linux kernel dirty COW race condition allows privilege escalation", "privilege_escalation", 7.8, "C", ["mm", "cow", "page", "write"]),
("CVE-2018-14634", "Linux kernel stack buffer overflow in create_elf_tables", "privilege_escalation", 7.8, "C", ["elf", "exec", "stack", "tables"]),
("CVE-2019-14287", "sudo allows bypass of user restriction via UID -1", "privilege_escalation", 8.8, "C", ["sudo", "user", "uid", "runas"]),
("CVE-2020-1472", "Zerologon - Netlogon elevation of privilege", "privilege_escalation", 10.0, "C", ["netlogon", "crypt", "session", "auth"]),
("CVE-2021-3156", "sudo heap-based buffer overflow (Baron Samedit)", "privilege_escalation", 7.8, "C", ["sudo", "parse", "escape", "args"]),
("CVE-2021-4034", "pkexec local privilege escalation (PwnKit)", "privilege_escalation", 7.8, "C", ["pkexec", "argv", "environ", "path"]),
("CVE-2022-0847", "Linux kernel dirty pipe local privilege escalation", "privilege_escalation", 7.8, "C", ["pipe", "splice", "page", "buf"]),
("CVE-2017-7494", "Samba remote code execution via writable share", "privilege_escalation", 9.8, "C", ["samba", "share", "load", "module"]),
# === Auth Bypass (CWE-287) ===
("CVE-2017-5689", "Intel AMT authentication bypass via empty response", "auth_bypass", 9.8, "C", ["amt", "auth", "digest", "response"]),
("CVE-2018-13379", "Fortinet FortiOS path traversal credential theft", "auth_bypass", 9.8, "C", ["fortios", "ssl", "vpn", "credential"]),
("CVE-2019-0708", "BlueKeep RDP authentication bypass", "auth_bypass", 9.8, "C", ["rdp", "channel", "bind", "session"]),
("CVE-2020-1938", "Apache Tomcat AJP connector authentication bypass (Ghostcat)", "auth_bypass", 9.8, "Java", ["ajp", "connector", "request", "servlet"]),
("CVE-2021-26855", "Microsoft Exchange SSRF allows authentication bypass", "auth_bypass", 9.8, "C++", ["exchange", "owa", "autodiscover", "proxy"]),
("CVE-2018-1002105", "Kubernetes API server escalation via backend connection upgrade", "auth_bypass", 9.8, "Go", ["apiserver", "proxy", "upgrade", "backend"]),
("CVE-2019-10149", "Exim remote command execution via mail address", "auth_bypass", 9.8, "C", ["exim", "deliver", "expand", "string"]),
("CVE-2020-15778", "OpenSSH scp command injection", "auth_bypass", 7.8, "C", ["scp", "remote", "command", "shell"]),
# === Path Traversal (CWE-22) ===
("CVE-2017-5223", "PHPMailer local file disclosure via attachment path", "path_traversal", 5.5, "PHP", ["mail", "attach", "path", "file"]),
("CVE-2018-14847", "MikroTik RouterOS directory traversal", "path_traversal", 9.1, "C", ["router", "winbox", "file", "read"]),
("CVE-2019-3396", "Atlassian Confluence server-side template injection", "path_traversal", 9.8, "Java", ["confluence", "widget", "template", "macro"]),
("CVE-2020-5902", "F5 BIG-IP TMUI directory traversal RCE", "path_traversal", 9.8, "Java", ["tmui", "config", "file", "util"]),
("CVE-2021-41773", "Apache HTTP Server path traversal via encoding bypass", "path_traversal", 7.5, "C", ["httpd", "path", "normalize", "cgi"]),
("CVE-2017-12615", "Apache Tomcat PUT upload path traversal", "path_traversal", 8.1, "Java", ["tomcat", "put", "upload", "webdav"]),
# === DoS / Resource Exhaustion (CWE-400) ===
("CVE-2018-6389", "WordPress load-scripts.php DoS via resource exhaustion", "dos_resource", 7.5, "PHP", ["wordpress", "load", "scripts", "concat"]),
("CVE-2019-9512", "HTTP/2 ping flood denial of service", "dos_resource", 7.5, "Go", ["http2", "ping", "flood", "frame"]),
("CVE-2019-9514", "HTTP/2 reset flood denial of service", "dos_resource", 7.5, "Go", ["http2", "reset", "stream", "frame"]),
("CVE-2020-8617", "BIND DNS tsig.c assertion failure DoS", "dos_resource", 7.5, "C", ["bind", "tsig", "dns", "query"]),
("CVE-2021-25122", "Apache Tomcat request smuggling", "dos_resource", 7.5, "Java", ["tomcat", "http", "request", "transfer"]),
("CVE-2017-15906", "OpenSSH read-only mode bypass in sftp-server", "dos_resource", 5.3, "C", ["sftp", "server", "mkdir", "readonly"]),
("CVE-2018-16865", "systemd-journald memory corruption via large message", "dos_resource", 7.8, "C", ["journal", "message", "alloc", "stack"]),
# === Integer Overflow (CWE-190) ===
("CVE-2017-7529", "Nginx integer overflow in range filter", "integer_overflow", 7.5, "C", ["nginx", "range", "filter", "content"]),
("CVE-2018-10933", "libssh authentication bypass via SSH2_MSG_USERAUTH_SUCCESS", "integer_overflow", 9.1, "C", ["ssh", "auth", "channel", "session"]),
("CVE-2019-1010298", "Linphone belle-sip integer overflow in SDP parsing", "integer_overflow", 9.8, "C", ["sip", "sdp", "parse", "header"]),
("CVE-2020-0796", "SMBGhost - SMBv3 compression integer overflow RCE", "integer_overflow", 10.0, "C", ["smb", "compress", "transform", "header"]),
("CVE-2021-31956", "Windows NTFS elevation of privilege", "integer_overflow", 7.8, "C", ["ntfs", "extend", "attribute", "query"]),
# === Crypto Weakness (CWE-327) ===
("CVE-2017-13098", "Bouncy Castle key agreement vulnerability", "crypto_weakness", 5.9, "Java", ["bouncycastle", "ecdh", "key", "agreement"]),
("CVE-2018-0114", "Cisco node-jose JWT bypass via key confusion", "crypto_weakness", 7.5, "JavaScript", ["jwt", "verify", "key", "algorithm"]),
("CVE-2019-1551", "OpenSSL rsaz_512_sqr overflow on x86_64", "crypto_weakness", 5.3, "C", ["openssl", "rsa", "sqr", "montgomery"]),
("CVE-2020-13777", "GnuTLS session ticket key reuse", "crypto_weakness", 7.4, "C", ["gnutls", "ticket", "session", "key"]),
("CVE-2021-3449", "OpenSSL NULL pointer deref in signature_algorithms processing", "crypto_weakness", 5.9, "C", ["openssl", "tls", "signature", "algorithm"]),
("CVE-2017-3735", "OpenSSL IPAddressFamily parsing OOB read", "crypto_weakness", 5.3, "C", ["openssl", "x509", "ipaddrblocks", "asn1"]),
# === Command Injection (CWE-78) ===
("CVE-2017-1000117", "Git SSH URL command injection", "privilege_escalation", 8.8, "C", ["git", "ssh", "url", "connect"]),
("CVE-2018-17456", "Git submodule URL command injection", "privilege_escalation", 9.8, "C", ["git", "submodule", "url", "clone"]),
("CVE-2019-18276", "Bash SUID privilege escalation", "privilege_escalation", 7.8, "C", ["bash", "suid", "restore", "uid"]),
("CVE-2020-10029", "glibc trigonometric function stack corruption", "buffer_overflow", 5.5, "C", ["glibc", "trig", "sincos", "stack"]),
("CVE-2021-29921", "Python ipaddress module improper input validation", "auth_bypass", 9.8, "Python", ["ipaddress", "validate", "octet", "parse"]),
# === Deserialization (CWE-502) ===
("CVE-2017-9805", "Apache Struts REST plugin XStream deserialization RCE", "privilege_escalation", 8.1, "Java", ["struts", "rest", "xstream", "deserialize"]),
("CVE-2018-7600", "Drupalgeddon2 - Drupal remote code execution", "privilege_escalation", 9.8, "PHP", ["drupal", "form", "render", "element"]),
("CVE-2019-2725", "Oracle WebLogic deserialization RCE", "privilege_escalation", 9.8, "Java", ["weblogic", "wls", "deserialize", "t3"]),
("CVE-2020-2551", "Oracle WebLogic IIOP deserialization RCE", "privilege_escalation", 9.8, "Java", ["weblogic", "iiop", "corba", "marshal"]),
("CVE-2021-21972", "VMware vCenter RCE via file upload", "privilege_escalation", 9.8, "Java", ["vcenter", "upload", "vsphere", "plugin"]),
# === SSRF (CWE-918) ===
("CVE-2019-17558", "Apache Solr Velocity template injection SSRF", "auth_bypass", 8.8, "Java", ["solr", "velocity", "template", "config"]),
("CVE-2020-17530", "Apache Struts OGNL injection via tag attributes", "xss", 9.8, "Java", ["struts", "ognl", "tag", "value"]),
("CVE-2021-21975", "VMware vRealize SSRF", "auth_bypass", 7.5, "Java", ["vrealize", "proxy", "url", "request"]),
]
# ── File patterns per language ──────────────────────────────────────
FILE_PATTERNS = {
"C": {
"extensions": [".c", ".h"],
"dirs": ["src", "lib", "core", "net", "kernel", "drivers", "security", "crypto", "fs", "mm"],
"files": ["main", "utils", "parser", "handler", "init", "config", "io", "alloc", "buffer", "socket"],
},
"C++": {
"extensions": [".cpp", ".hpp", ".cc", ".h"],
"dirs": ["src", "lib", "include", "core", "engine", "network"],
"files": ["manager", "controller", "factory", "adapter", "processor", "client", "server"],
},
"Java": {
"extensions": [".java"],
"dirs": ["src/main/java", "core", "web", "service", "controller", "security", "util"],
"files": ["Controller", "Service", "Handler", "Filter", "Interceptor", "Validator", "Serializer"],
},
"Python": {
"extensions": [".py"],
"dirs": ["src", "lib", "core", "api", "utils", "handlers", "middleware"],
"files": ["views", "models", "serializers", "middleware", "auth", "utils", "handlers", "admin"],
},
"JavaScript": {
"extensions": [".js", ".mjs"],
"dirs": ["src", "lib", "core", "routes", "middleware", "utils"],
"files": ["index", "server", "router", "handler", "middleware", "auth", "validator", "parser"],
},
"PHP": {
"extensions": [".php"],
"dirs": ["src", "lib", "app", "core", "includes", "classes"],
"files": ["Controller", "Model", "Helper", "Auth", "Request", "Response", "Database", "Form"],
},
"Go": {
"extensions": [".go"],
"dirs": ["cmd", "pkg", "internal", "api", "server", "handler"],
"files": ["main", "server", "handler", "middleware", "client", "transport", "config", "auth"],
},
"Ruby": {
"extensions": [".rb"],
"dirs": ["lib", "app", "models", "controllers", "helpers"],
"files": ["application", "controller", "model", "helper", "concern", "service", "validator"],
},
}
def _generate_file_path(lang, component_hints, idx):
"""Generate a realistic file path for a given language and component."""
p = FILE_PATTERNS.get(lang, FILE_PATTERNS["C"])
d = random.choice(p["dirs"])
f = random.choice(p["files"])
ext = random.choice(p["extensions"])
# Mix in component hints for realism
if component_hints and random.random() < 0.4:
f = random.choice(component_hints)
return f"{d}/{f}{idx if idx > 0 else ''}{ext}"
def _generate_features(is_buggy):
"""Generate realistic file metrics. Buggy files tend to have higher complexity."""
if is_buggy:
return [
random.randint(15, 95), # churn (higher for buggy)
random.randint(40, 100), # complexity (higher for buggy)
random.randint(2, 30), # TODOs
random.randint(30, 100), # recency (recently modified)
]
else:
return [
random.randint(0, 40), # churn
random.randint(5, 60), # complexity
random.randint(0, 8), # TODOs
random.randint(0, 70), # recency
]
def _generate_repo_name(cve_desc):
"""Generate a plausible repository name from description."""
words = cve_desc.lower().split()
product_words = [w for w in words if len(w) > 3 and w.isalpha()][:2]
if len(product_words) >= 2:
return f"{product_words[0]}/{product_words[1]}"
return "project/repo"
def expand_dataset():
"""Generate the expanded dataset."""
# Load existing data
data_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), "data")
with open(os.path.join(data_dir, "cve_training_data.json")) as f:
existing = json.load(f)
# Keep existing entries
all_entries = list(existing)
existing_cves = {e["cveId"] for e in existing}
new_episodes = 0
new_files = 0
new_bugs = 0
for cve_id, desc, vuln_type, cvss, lang, hints in SYNTHETIC_CVES:
if cve_id in existing_cves:
continue
repo = _generate_repo_name(desc)
num_files = random.randint(5, 20)
# Guarantee 20-40% of files are buggy
num_buggy = max(1, int(num_files * random.uniform(0.2, 0.4)))
# Pick buggy indices
buggy_indices = set(random.sample(range(num_files), num_buggy))
for i in range(num_files):
is_buggy = i in buggy_indices
is_test = random.random() < 0.1 and not is_buggy
file_lang = lang if random.random() < 0.7 else random.choice(list(FILE_PATTERNS.keys()))
# Determine component
if hints:
component = random.choice(hints)
else:
component = "core"
entry = {
"cveId": cve_id,
"repo": repo,
"file": _generate_file_path(file_lang, hints, i),
"label": 1 if is_buggy else 0,
"features": _generate_features(is_buggy),
"cvss": cvss,
"cve_description": desc,
"file_language": file_lang,
"file_component": component,
"is_test_file": is_test,
}
all_entries.append(entry)
new_files += 1
if is_buggy:
new_bugs += 1
new_episodes += 1
# Save expanded dataset
out_path = os.path.join(data_dir, "cve_training_data.json")
with open(out_path, "w") as f:
json.dump(all_entries, f, indent=2)
print(f"{'='*60}")
print(f" Dataset Expansion Complete")
print(f"{'='*60}")
print(f" Original: {len(existing)} files, {len(existing_cves)} CVEs")
print(f" Added: {new_files} files, {new_episodes} episodes, {new_bugs} buggy files")
print(f" Total: {len(all_entries)} files")
print(f" New bug rate: {(sum(1 for e in all_entries if e['label']==1)/len(all_entries))*100:.1f}%")
print(f"{'='*60}")
return all_entries
if __name__ == "__main__":
expand_dataset()