This is a non-IMPACT record, meaning that access to the data is not controlled by IMPACT. For access, see the directions below.

This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access are controlled by entities and under terms that are external to the IMPACT legal framework.


Software Assurance Reference Dataset
External Dataset
External Data Source
National Institute of Standards and Technology
55 (lowest rank is 55)

Category & Restrictions

cyber defense


The Software Assurance Reference Dataset (SARD) is a growing collection of over 170 000 programs with precisely located bugs.

The programs are in C, C++, Java, PHP, and C# and cover more than 150 classes of weaknesses, such as SQL injection, cross-site scripting (XSS), buffer overflow, and use of a broken cryptographic algorithm. Most are automatically generated synthetic programs, each a few pages of code long, but there are also over 7000 full-sized applications. In addition, SARD includes production code and hundreds of hand-written cases. The code is of typical quality: neither pristine nor obfuscated. Many cases have corresponding "good" cases, in which the weaknesses are fixed, to test for false positives.

The SARD web interface lets users browse test cases and test suites, or search for test cases by programming language, weakness type, file name, size, words in the description, and several other criteria. Users can select and download any or all of the resulting cases.

Each test case has metadata that describes it, and most bugs or weaknesses are recorded in that metadata. Weaknesses are classified by Common Weakness Enumeration (CWE) ID and name. We plan to add their Bugs Framework (BF) class and attributes.
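As a rough illustration of how a downloaded selection might be used, the sketch below filters test-case records by language and CWE ID and then scores a tool's findings against the paired weak and "good" cases. The record layout (`SardCase`), the helper names `search` and `score`, and the sample data are all hypothetical; the actual SARD metadata format and web interface may differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SardCase:
    # Hypothetical record layout; the real SARD metadata schema may differ.
    case_id: int
    language: str
    cwe_id: int    # Common Weakness Enumeration ID, e.g. 89 for SQL injection
    is_good: bool  # True for a "good" case in which the weakness is fixed


def search(cases, language=None, cwe_id=None):
    """Return the cases that match every criterion that is not None."""
    return [
        c for c in cases
        if (language is None or c.language == language)
        and (cwe_id is None or c.cwe_id == cwe_id)
    ]


def score(cases, flagged_ids):
    """Tally a tool's results against the known status of each case.

    flagged_ids is the set of case IDs in which the tool reported a weakness.
    A report on a "good" case counts as a false positive.
    """
    tp = sum(1 for c in cases if not c.is_good and c.case_id in flagged_ids)
    fn = sum(1 for c in cases if not c.is_good and c.case_id not in flagged_ids)
    fp = sum(1 for c in cases if c.is_good and c.case_id in flagged_ids)
    return {"true_positives": tp, "false_negatives": fn, "false_positives": fp}


# Made-up sample records, for illustration only.
CASES = [
    SardCase(1, "Java", 89, False),  # SQL injection, weakness present
    SardCase(2, "Java", 89, True),   # matching "good" case, weakness fixed
    SardCase(3, "C", 121, False),    # stack-based buffer overflow
    SardCase(4, "PHP", 79, False),   # cross-site scripting
]

if __name__ == "__main__":
    java_sqli = search(CASES, language="Java", cwe_id=89)
    # Pretend a tool flagged both Java cases, including the fixed one.
    print(score(java_sqli, flagged_ids={1, 2}))
```

Keeping the "good" cases in the same selection as their weak counterparts is what makes the false-positive count possible: a tool that flags everything scores well on detection but is penalized on the fixed cases.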

Additional Details

metadata, virtual reality, web security exploits, buffer overflow, software, computer memory, statistical classification, interface, business intelligence, external data source, hacking, software assurance reference dataset, 1298, cross site scripting, data protection, cryptosystem, sql injection, reference data, common weakness enumeration, ciphertext, injection exploits, inferlink corporation, false positives and false negatives, technical communication, user interface, digital media, exploit