Bug-Injector
Bug-Injector generates test cases to stress-test DevSecOps pipelines. It works by injecting known bug templates into real-world code and seamlessly weaving each bug into the surrounding code. Bug-Injector can generate, on demand, test cases for a particular type of bug in a particular host program. Every test case comes with an input that allows the injected bug to manifest.
In contrast with cyber defense benchmarks created through other means, Bug-Injector test cases are realistic, come with ground truth and a triggering input for each bug, and can be generated on demand in large quantities. They are also not biased towards or against any specific bug-finding technique.
Bug-Injector has been transitioned to the NIST Software Assurance Metrics and Tool Evaluation (SAMATE) group, which used it in practice as part of their SATE VI (Static Analysis Tool Exposition) event. For more information, see our paper published in the Source Code Analysis and Manipulation workshop.