OVAL Repository Overview

Introduction

The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate "OVAL Definitions." OVAL Definitions are standardized, machine-readable tests written in the Open Vulnerability and Assessment Language (OVAL®) that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. OVAL Definitions, which are free to use and implement in information security products and services, are available for most major platforms.

Members of the community contribute definitions by posting them to the OVAL Repository Forum email discussion list, where the OVAL Team and other members of the community review and discuss them. See the OVAL Repository main page to review or download all OVAL Definitions posted to date.

The OVAL Repository is registered as "Officially CVE-Compatible" by the Common Vulnerabilities and Exposures (CVE®) project. For detailed information, see our Statement of CVE Compatibility.

Other Repositories of OVAL Content

Other Repositories in the community also host OVAL content, which can include OVAL System Characteristics files and OVAL Results files as well as definitions.


OVAL Definitions

OVAL Definitions, which are written in Extensible Markup Language (XML), detect the presence of software vulnerabilities, configuration issues, programs, and patches in terms of system characteristics and configuration information, without requiring software exploit code.

By specifying logical conditions on the values of system characteristics and configuration attributes, OVAL Definitions characterize exactly which systems are susceptible to or have a given vulnerability, whether the configuration settings of a system meet security policies, and whether particular patches are appropriate for a system. System characteristics include the operating system (OS) installed, settings in the OS, software applications installed, and settings in applications, while configuration attributes include registry key settings, file system attributes, and configuration files.

There are four main classes of OVAL Definitions:

OVAL Vulnerability Definitions: Tests that determine the presence of vulnerabilities on systems.
OVAL Compliance Definitions: Tests that determine whether the configuration settings of a system meet a security policy.
OVAL Inventory Definitions: Tests that determine whether a specific piece of software is installed on the system.
OVAL Patch Definitions: Tests that determine whether a particular patch is appropriate for a system.

A "Miscellaneous" class is also available for definitions that do not fall into any of the four main classes. OVAL Vulnerability Definitions are based primarily on Common Vulnerabilities and Exposures (CVE®), a dictionary of standardized identifiers and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community.

Each definition is distinguished by a unique OVAL Identifier (OVAL-ID). OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value", where Organization DNS Name is a reversed domain name such as org.mitre.oval; ID Type denotes the kind of component the ID is applied to and is one of def (Definition), obj (Object), ste (State), tst (Test), or var (Variable); and ID Value is an integer that is unique within the DNS name and ID Type pair that precedes it. For example, oval:org.mitre.oval:def:1115. (Note that the OVAL-ID format extends across all of the globally reusable components in the OVAL Language: definitions, objects, states, tests, and variables.)

OVAL definitions are free to review or download from the OVAL Repository on the OVAL Web site.


Information Included in an OVAL Definition

Each OVAL Definition includes metadata, a high-level summary, and the detailed test. Definition metadata provides the OVAL-ID, status of the definition (Draft, Interim, or Accepted), the CVE Identifier or other reference on which the definition (or definitions) is based, version of the OVAL Definition Schema that the definition works with, a brief description of the security issue covered in the definition, the main author, and a list of the significant contributors to the development of the definition.

The high-level summary includes the following: "Vulnerable software exists," which states the specific OS, the name of the file with the vulnerability in it, application version, and patch status; and "Vulnerable configuration," which indicates if the service is running or not, specific configuration settings, and workarounds. The detailed portion of definitions provides the logic for checking for the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) to indicate that vulnerable software exists, and the configuration attributes (registry key values, file system attributes, and configuration files) to indicate that a vulnerable configuration exists.
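The following Python program is an added example, not code from the OVAL project or the OVAL Repository. It covers two points made above: it parses and validates OVAL-IDs in the oval:Organization DNS Name:ID Type:ID Value format, and it pulls the definition metadata (OVAL-ID, class, version, title, references) out of an OVAL Definitions document and checks that the detailed test logic actually resolves, that is, that every criterion's test_ref points at a test present in the document. The element and attribute names (oval_definitions, definition with id/version/class, metadata/title/reference/description, criteria/criterion@test_ref, extend_definition@definition_ref) and the XML namespace are assumptions based on the OVAL 5.x Definitions schema, as are the exact character class for the DNS-name part and the no-leading-zero rule for ID Value. The sample document is constructed for the example, using the org.example namespace and a placeholder CVE reference, and is not repository content.

```python
import re
import xml.etree.ElementTree as ET
from typing import NamedTuple

# The five ID types the page lists, mapped to the component each names.
OVAL_ID_TYPES = {"def": "Definition", "obj": "Object", "ste": "State",
                 "tst": "Test", "var": "Variable"}

# oval:<Organization DNS Name>:<ID Type>:<ID Value>. The DNS-name character
# class and the "positive integer, no leading zero" rule are assumptions
# taken from the OVAL 5.x common schema patterns, not stated on the page.
_OVAL_ID_RE = re.compile(
    r"^oval:([A-Za-z0-9_.\-]+):(def|obj|ste|tst|var):([1-9][0-9]*)$")


class OvalId(NamedTuple):
    namespace: str   # e.g. "org.mitre.oval"
    id_type: str     # def | obj | ste | tst | var
    value: int       # unique within the (namespace, id_type) pair


def parse_oval_id(text: str) -> OvalId:
    """Parse and validate an OVAL-ID, raising ValueError on any deviation."""
    m = _OVAL_ID_RE.match(text)
    if m is None:
        raise ValueError(f"not a well-formed OVAL-ID: {text!r}")
    return OvalId(m.group(1), m.group(2), int(m.group(3)))


def is_oval_id(text: str) -> bool:
    """Boolean form of parse_oval_id for callers that only need a yes/no."""
    return _OVAL_ID_RE.match(text) is not None


# Assumed OVAL 5.x Definitions namespace.
DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
_NS = {"d": DEF_NS}


def audit_definitions(xml_text: str) -> tuple[list[dict], list[str]]:
    """Return (summaries, problems) for an OVAL Definitions document.

    summaries: one dict per <definition> with the metadata the page describes.
    problems:  malformed or mistyped definition IDs, and criterion test_ref /
               extend_definition definition_ref values that resolve to nothing.
    """
    root = ET.fromstring(xml_text)
    problems: list[str] = []
    definitions = root.findall("d:definitions/d:definition", _NS)
    # Collect every test id under <tests>, whatever family namespace the test uses.
    test_ids = {el.get("id") for el in root.findall("d:tests/*", _NS)}
    def_ids = {d.get("id") for d in definitions}

    summaries: list[dict] = []
    for defn in definitions:
        raw_id = defn.get("id", "")
        try:
            oid = parse_oval_id(raw_id)
            if oid.id_type != "def":
                problems.append(f"{raw_id}: definition carries a {oid.id_type} ID")
        except ValueError as exc:
            problems.append(str(exc))
        meta = defn.find("d:metadata", _NS)
        title = "" if meta is None else meta.findtext("d:title", default="", namespaces=_NS)
        refs = [] if meta is None else [
            (r.get("source"), r.get("ref_id")) for r in meta.findall("d:reference", _NS)]
        summaries.append({"id": raw_id, "class": defn.get("class"),
                          "version": defn.get("version"), "title": title,
                          "references": refs})
        # The detailed test: every leaf of the criteria tree must resolve.
        for crit in defn.iter(f"{{{DEF_NS}}}criterion"):
            ref = crit.get("test_ref", "")
            if ref not in test_ids:
                problems.append(f"{raw_id}: test_ref {ref!r} has no matching test")
        for ext in defn.iter(f"{{{DEF_NS}}}extend_definition"):
            ref = ext.get("definition_ref", "")
            if ref not in def_ids:
                problems.append(f"{raw_id}: definition_ref {ref!r} not in document")
    return summaries, problems


# Constructed sample document (not repository content): org.example IDs and a
# placeholder CVE reference. def:1 references a test that is not present and
# def:02 has a leading zero, so both should be flagged.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.example:def:1" version="2" class="vulnerability">
      <metadata>
        <title>Example vulnerable service version (constructed)</title>
        <reference source="CVE" ref_id="CVE-YYYY-NNNN"/>
        <description>Placeholder description.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.example:tst:1" comment="service installed"/>
        <criterion test_ref="oval:org.example:tst:2" comment="vulnerable version"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:def:02" version="1" class="inventory">
      <metadata><title>Malformed ID (leading zero)</title></metadata>
      <criteria><criterion test_ref="oval:org.example:tst:1" comment="installed"/></criteria>
    </definition>
  </definitions>
  <tests>
    <family_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
                 id="oval:org.example:tst:1" version="1" check="all" comment="constructed"/>
  </tests>
</oval_definitions>
"""

if __name__ == "__main__":
    found, issues = audit_definitions(SAMPLE)
    for s in found:
        print(s)
    for p in issues:
        print("PROBLEM:", p)
```

Run as a script it prints the two metadata summaries followed by the two problems. The dangling-reference check is the one worth keeping in a submission pipeline: a definition whose criteria cannot be resolved evaluates to nothing useful on every system, which is exactly the kind of defect reviewers on the Repository Forum look for before a definition moves out of Draft.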


Writing and Submitting OVAL Definitions

The OVAL Definition Schema is the language framework for writing OVAL Definitions. Any member of the OVAL Community may submit OVAL Definitions. See the Submission Guidelines for instructions on how to write and submit OVAL Definitions.


How the Community Participates

OVAL Definitions are written by members of the OVAL Community, which includes the OVAL Board, organizations with OVAL-Compatible information security products and services, and members of the OVAL Repository Forum email list.

The Repository Forum is a lightly moderated public discussion list for those interested in writing, submitting, and discussing new and previously posted definitions, as well as the vulnerabilities and configuration issues themselves that affect definition writing. See Stages of an OVAL Definition for a complete description of how definitions are created by the community and added to the Repository.

Join the Community

Free sign-up for the OVAL Repository Forum is available on the OVAL Web site.


Page Last Updated: May 28, 2014