π€ AI Summary
This work addresses the lack of security verification datasets that jointly cover requirements, architecture, and code artifacts with fine-grained security annotations. To bridge this gap, the authors introduce EVerest, a novel dataset derived from an open-source electric vehicle charging station software stack, which integrates security requirements, architectural models, source code, and natural language documentation. Through manual extraction, fine-grained annotation, traceability link establishment, and security categorization, EVerest provides the first end-to-end security labeling across these three artifact layers. The dataset comprises 84 security requirements and 1,445 annotated security elements, along with complete supporting artifacts. It has already been applied to identify and remediate real-world CWE vulnerabilities and supports research in security requirement classification, architectural traceability, and code-level verification.
π Abstract
End-to-end security verification, from requirements through architecture to code, requires datasets that span all three artifact types with fine-grained security labels. No existing dataset provides this combination. We present the EVerest dataset, a multi-artifact resource based on EVerest, an industry-driven open-source software stack for electric vehicle charging stations. The dataset includes 84 manually elicited security requirements annotated with security objectives, 1,445 fine-grained security elements (components, entities, data, data flows, states, etc.), acceptance windows, coreferences, and architectural trace links, as well as the EVerest software architecture model, source code, and natural language documentation. It enables research on security requirements classification, named entity recognition, architectural trace linking, and design-time or code-level security verification. During dataset creation, a real security weakness (CWE-1295) was identified, disclosed to the project maintainers, and subsequently fixed. The dataset is publicly available. A short video is available at https://youtu.be/pnn1uqpomvQ.