Statement of CVE Compatibility
OVAL Repository Declared CVE-Compatible
The MITRE Corporation has declared that the Open Vulnerability and Assessment Language (OVAL) Repository is "CVE-compatible." Detailed descriptions of CVE, CVE compatibility, and how the OVAL Repository is CVE-compatible are included below.
What Is "CVE"?
Common Vulnerabilities and Exposures (CVE®) is a list or dictionary that provides common names for publicly known information security vulnerabilities and exposures. CVE common names make it easier to share data across separate network security databases and tools that are CVE-compatible. CVE also provides a baseline for evaluating the coverage of an organization's security tools, including the security advisories it receives. CVE content is determined by the CVE Editorial Board, which is composed of experts from the international information security community. The MITRE Corporation maintains CVE and manages the CVE Editorial Board.
The OVAL Repository uses the publicly known vulnerabilities identified on the CVE List as the basis for most of the OVAL Definitions. If discussions on the OVAL Community Forum result in information about new and previously unreported vulnerabilities, this information and any supporting references will be forwarded to the CVE Initiative for possible addition to the list.
What Does It Mean to Be "CVE-Compatible"?
"CVE-compatible" means that a tool, Web site, database, or other security product or service uses CVE names in a manner that allows it to be cross-referenced with other products that employ CVE names. CVE-compatible means:
- CVE SEARCHABLE - A user can search using a CVE name to find related information.
- CVE OUTPUT - Information is presented that includes the related CVE name(s).
- MAPPING - The repository owner has provided a mapping relative to a specific version of CVE, and has made a good faith effort to ensure accuracy of that mapping.
- DOCUMENTATION - The organization's standard documentation includes a description of CVE, CVE compatibility, and the details of how its customers can use the CVE-related functionality of its product or service.
See the CVE Web site for detailed information on how a Web site, tool, database, or other security product/service becomes compatible, and for a complete list of CVE-compatible products and services.
How OVAL Definitions Use CVE Names
OVAL vulnerability definitions are based on the publicly known vulnerabilities identified on the CVE List. CVE names (also called "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities. CVE names have "entry" or "candidate" status. Entry status indicates that the CVE name has been accepted to the CVE List while candidate status (also called "candidates," "candidate numbers," or "CANs") indicates that the name is under review for inclusion in the list.
Each CVE name includes the following:
- CVE identifier number (e.g., "CVE-1999-0067").
- Indication of "entry" or "candidate" status.
- Brief description of the security vulnerability or exposure.
- Any pertinent references (e.g., vulnerability reports and advisories, or an OVAL-ID).
CVE names are used as references in the "CVE-ID" field in all OVAL Vulnerability Definitions stored in the Definitions Repository.
How the OVAL Repository Is CVE-Compatible
CVE names are used as the basis for all OVAL vulnerability definitions currently collected in the OVAL Repository. The OVAL Repository is CVE-compatible because it "uses CVE names in a manner that allows it to be cross-referenced with other products/services that employ CVE names." For each CVE vulnerability there are one or more definitions that test for the presence of that vulnerability on an end system. Vulnerability definitions are searchable by CVE name, and definitions called up for review include CVE names.
The OVAL Repository meets all four CVE compatibility requirements:
- CVE Searchable - The OVAL Repository provides the user with an Advanced Search capability that allows the user to search for all CVE-based definitions or for a specific CVE name and retrieve the related OVAL definition or definitions.
- CVE Output - The OVAL Repository display for each OVAL definition includes the CVE name as well as the CVE description that maps to the definition.
- Mapping - Each new version of OVAL will identify the most recent CVE version that was used in updating the vulnerability definitions found on the OVAL Web site.
- Documentation - The way in which CVE is used in the OVAL Repository is documented on this page, on the Introduction page, and throughout the answers to the Frequently Asked Questions.
For More Information on CVE Compatibility
See the CVE Web site for detailed information on how a Web site, tool, database, or other security product or service becomes compatible, and for a complete list of CVE-compatible products and services.
Page Last Updated: May 28, 2014