Merged
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -10,6 +10,7 @@
⚠️ Code and data for the [ICLR 2025 Paper](https://arxiv.org/pdf/2405.17238) can be found in the v1 branch, license and citation below.

## 📰 News
* **[Nov. 29, 2025]**: Added a dataset with manually extracted source and sinks for the vulnerabilities in CodeQL format for 50 CVEs.
* **[Nov. 24, 2025]**: Updated queries to version 1.8.1 to work with CodeQL 2.23.2.
* **[Nov. 24, 2025]**: Updated the Docker integration in the main IRIS pipeline so that the container images include the project dependencies. The updated images can be found in [IRIS Docker Hub](https://hub.docker.com/r/irissast/cwe-bench-java-containers-v2). The instructions to use the Docker integration can be found in the [**Using Docker containers with IRIS**](#using-docker-containers-with-iris) section below.
* **[Sep. 24, 2025]**: Added Docker integration for the main IRIS pipeline, released images for 189 CWE-Bench-Java CVEs on the [IRIS Docker Hub](https://hub.docker.com/r/irissast/cwe-bench-java-containers).
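Review bot: The new Nov. 29 entry at the top of the News list does not say where the dataset lives, unlike the Nov. 24 and Sep. 24 entries below it, which link to Docker Hub or to a README section. Link it to the "Manually Curated Source/Sink Annotations" section added in this same change, and consider "sources and sinks" in place of "source and sinks".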
Expand Down Expand Up @@ -44,6 +45,10 @@ The table below summarizes the number of CVEs in our dataset grouped by CWE cate
| CWE-400 | 5 |
| Other CWEs (36 total) | 51 |

## Manually Curated Source/Sink Annotations

For 50 CVEs we manually extracted source and sinks for the vulnerabilities and marked them in the CodeQL format. We also provide results for LLMs ability to detect those source/sink pairs. We collected the associated CodeQL-style descriptors and metadata, including file paths, signatures, and line ranges, and stored them in a CSV file.

## 🚀 Set Up
### Using Docker (Recommended)
```bash
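Review bot: The added "Manually Curated Source/Sink Annotations" paragraph says the annotations were "stored in a CSV file" but gives no path or file name for it, and it mentions LLM detection results without saying where they are or which models were evaluated. Please add the CSV path and its column names, and state which project version or commit the line ranges refer to, since a line range only identifies a source or sink against a fixed revision. Wording: "source and sinks" should be "sources and sinks", and "LLMs ability" needs an apostrophe ("LLMs' ability").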