SecureQualitas: A Security Corpus of Real Java']Java Applications

The preventive approach of software security is the basis of what is referred to as secure by design. The principle is to avoid vulnerabilities as soon as the system is designed. Several research work are aimed to this objective. Most of them rely on empirical studies which need a realistic corpus. This corpus holds applications with different vulnerabilities and others without any known vulnerability. To the best of our knowledge, such a security corpus does not exist. In this paper, we present a novel approach based on an automatic annotation process to build a security corpus for real Java applications. Our approach takes advantage of several existing code scanners in order to annotate the corpus. We applied our process of vulnerability annotation on a well-known corpus, namely Qualitas Corpus, from the software engineering research community. We provide the resulting security corpus, namely SecureQualitas, to the research community. The experiments we conducted demonstrate that our approach gives better results than the scanners taken alone.