In [9]:
import pandas as pd

### 🤓  CVE-Details Data Exploration

This notebook explores the entire CVE-Details dataset. It gives an overview of the data from our perspective/goals; you can change this notebook for our own purpose easily. Let's load the dataset!

In [65]:
df = pd.read_csv('../../data/cve-details/raw-cve-details-data.csv')
df.head()

Unnamed: 0,cve_id,cve_href,cwe_id,vuln_type,publish_date,update_date,score,acces_level,access,complexity,authentication,confidentiality,integrity,availability,summary,refs
0,CVE-2001-0679,https://www.cvedetails.com/cve/CVE-2001-0679/,,Exec Code Overflow,1999-11-08,2017-12-19,10.0,,Remote,Low,Not required,Complete,Complete,Complete,A buffer overflow in InterScan VirusWall 3.23 ...,{'https://exchange.xforce.ibmcloud.com/vulnera...
1,CVE-2000-1206,https://www.cvedetails.com/cve/CVE-2000-1206/,,,1999-08-20,2021-06-06,5.0,,Remote,Low,Not required,Partial,,,"Vulnerability in Apache httpd before 1.3.11, w...",{'http://www.apacheweek.com/issues/00-01-07#st...
2,CVE-2000-0531,https://www.cvedetails.com/cve/CVE-2000-0531/,,DoS,1999-11-23,2017-12-19,2.1,,Local,Low,Not required,,,Partial,Linux gpm program allows local users to cause ...,{'https://exchange.xforce.ibmcloud.com/vulnera...
3,CVE-2000-0489,https://www.cvedetails.com/cve/CVE-2000-0489/,,DoS,1999-09-05,2017-10-10,2.1,,Local,Low,Not required,,,Partial,"FreeBSD, NetBSD, and OpenBSD allow an attacker...",{'http://www.securityfocus.com/templates/archi...
4,CVE-2000-0481,https://www.cvedetails.com/cve/CVE-2000-0481/,,DoS Overflow,1999-06-01,2017-10-10,5.0,,Remote,Low,Not required,,,Partial,Buffer overflow in KDE Kmail allows a remote a...,"{'http://www.securityfocus.com/bid/1380', 'htt..."


🧐 Alright, the table looks great! Some empty cells (expectable)... Let's look at the different columns:

In [66]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 160156 entries, 0 to 160155
Data columns (total 16 columns):
 #   Column           Non-Null Count   Dtype  
---  ------           --------------   -----  
 0   cve_id           160156 non-null  object 
 1   cve_href         160156 non-null  object 
 2   cwe_id           117196 non-null  object 
 3   vuln_type        115841 non-null  object 
 4   publish_date     160156 non-null  object 
 5   update_date      160156 non-null  object 
 6   score            160156 non-null  float64
 7   acces_level      160156 non-null  object 
 8   access           160156 non-null  object 
 9   complexity       160156 non-null  object 
 10  authentication   160156 non-null  object 
 11  confidentiality  160156 non-null  object 
 12  integrity        160156 non-null  object 
 13  availability     160156 non-null  object 
 14  summary          160156 non-null  object 
 15  refs             160156 non-null  object 
dtypes: float64(1), object(15)
memory usage

We don't need the metrics related with systems availability, confidentiality and integrity; access complexity; authentication; and, accessability. Therefore, we will not consider these columns in the further analysis:

In [67]:
df = df.drop(columns=['acces_level', 'access', 'complexity', 'authentication', 'confidentiality', 'integrity', 'availability'])

In [68]:
df.info()

<class 'pandas.core.frame.DataFrame'>
RangeIndex: 160156 entries, 0 to 160155
Data columns (total 9 columns):
 #   Column        Non-Null Count   Dtype  
---  ------        --------------   -----  
 0   cve_id        160156 non-null  object 
 1   cve_href      160156 non-null  object 
 2   cwe_id        117196 non-null  object 
 3   vuln_type     115841 non-null  object 
 4   publish_date  160156 non-null  object 
 5   update_date   160156 non-null  object 
 6   score         160156 non-null  float64
 7   summary       160156 non-null  object 
 8   refs          160156 non-null  object 
dtypes: float64(1), object(8)
memory usage: 11.0+ MB


In [69]:
df.head()

Unnamed: 0,cve_id,cve_href,cwe_id,vuln_type,publish_date,update_date,score,summary,refs
0,CVE-2001-0679,https://www.cvedetails.com/cve/CVE-2001-0679/,,Exec Code Overflow,1999-11-08,2017-12-19,10.0,A buffer overflow in InterScan VirusWall 3.23 ...,{'https://exchange.xforce.ibmcloud.com/vulnera...
1,CVE-2000-1206,https://www.cvedetails.com/cve/CVE-2000-1206/,,,1999-08-20,2021-06-06,5.0,"Vulnerability in Apache httpd before 1.3.11, w...",{'http://www.apacheweek.com/issues/00-01-07#st...
2,CVE-2000-0531,https://www.cvedetails.com/cve/CVE-2000-0531/,,DoS,1999-11-23,2017-12-19,2.1,Linux gpm program allows local users to cause ...,{'https://exchange.xforce.ibmcloud.com/vulnera...
3,CVE-2000-0489,https://www.cvedetails.com/cve/CVE-2000-0489/,,DoS,1999-09-05,2017-10-10,2.1,"FreeBSD, NetBSD, and OpenBSD allow an attacker...",{'http://www.securityfocus.com/templates/archi...
4,CVE-2000-0481,https://www.cvedetails.com/cve/CVE-2000-0481/,,DoS Overflow,1999-06-01,2017-10-10,5.0,Buffer overflow in KDE Kmail allows a remote a...,"{'http://www.securityfocus.com/bid/1380', 'htt..."


OK, looks better; less columns and noise. First, let's check how many entries do not have a CWE assigned (i.e., how many vulnerabilities are included in a weakness group)?

In [70]:
count_cwes = df[df['cwe_id'].notnull()].shape[0]
count_cwes

117196

In [71]:
f"{(count_cwes / len(df)) * 100:.1f}%"

'73.2%'

🎉 117196 out of 160156 are classified with a CWE (73.2%); now, let's verify how many entries/CVEs do not have references:

In [72]:
count_refs = df[~df['refs'].notnull()].shape[0]

In [73]:
f"{(count_refs / len(df)) * 100:.1f}%"

'0.0%'

👽 0% of the dataset is missing references; this means 100% of the CVEs include at least one reference. YEAY! OK, now, let's look at those references in more detail. CVEs references can have links to source code hosting websites (such as GitHub, Bitbucket, Gitlab, etc), bug trackers, reports, news, etc. Let's start by searching for commits:

In [104]:
import re

commit_refs = []
for idx, row in df.iterrows():
    refs = eval(row['refs'])
    for ref in refs:
        found = re.search(r'(/commit/|/commits/)', ref)
        if found:
            commit_refs.append(ref)
f"{len(commit_refs)} references to commits were found."

'10117 references to commits were found.'

Ok, now, let's look into where these commits are lodged. We know at least three places: `github`, `bitbucket`, `gitlab` and `git`.

In [105]:
def add_commit(df, ref, host):
    return df.append({'ref': ref, 'host': host}, ignore_index=True)

df_commits = pd.DataFrame()
for commit in commit_refs:
    if 'gitlab' in commit:
        df_commits = add_commit(df_commits, commit, 'gitlab')
    elif 'bitbucket' in commit:
        df_commits = add_commit(df_commits, commit, 'bitbucket')
    elif 'github' in commit:
        df_commits = add_commit(df_commits, commit, 'github')
    elif 'git' in commit:
        df_commits = add_commit(df_commits, commit, 'git')
    else:
        df_commits = add_commit(df_commits, commit, 'other')
df_commits        

Unnamed: 0,ref,host
0,https://github.com/KDE/kde1-kdebase/commit/049...,github
1,http://lists.mysql.com/commits/7918,other
2,http://lists.mysql.com/commits/5927,other
3,https://cgit.freedesktop.org/gstreamer/gst-plu...,git
4,https://git.gnome.org/browse/gimp/commit/?id=3...,git
...,...,...
10112,https://github.com/tribe29/checkmk/commit/c00f...,github
10113,https://github.com/LLK/scratch-svg-renderer/co...,github
10114,https://github.com/gpac/gpac/commit/8e585e623b...,github
10115,https://github.com/NLnetLabs/ldns/commit/15d96...,github


In [107]:
df_commits['host'].value_counts()

github       7672
git          1795
other         458
gitlab        161
bitbucket      31
Name: host, dtype: int64

In [116]:
# find references to source code hosting websites
for idx, row in df.iterrows():
    refs, code_refs = eval(row['refs']), []
    for ref in refs:
        found = re.search(r'(github|bitbucket|gitlab|git).*(/commit/|/commits/)', ref)
        if found:
            code_refs.append(ref)
    if len(code_refs) > 0:
        df.at[idx, 'code_refs'] = set(code_refs)

In [117]:
f"🎉 {df[df['code_refs'].notnull()].shape[0]} entries have references to souce code hosting websites such as github, bitbucket and gitlab."

'🎉 7825 entries have references to souce code hosting websites such as github, bitbucket and gitlab.'

OK, cool; several entries found. Let's now drop the rows with nan cells for code_refs:

In [118]:
df = df.dropna(subset=['code_refs'])
df.shape

(7825, 10)