Version 5.9 (Archived)

This page provides information on the proposed changes to the OVAL Language. All information about the new version is included in this centralized location. The major highlights of the release so far are listed below:

  • This release will address a defect in the version 5.7 and version 5.8 schema. No other changes are planned for this release.

All of the above items remain open for discussion, and any comments or feedback are greatly appreciated. For a complete listing of the release contents see the New in Version 5.9 section. More information about the OVAL Language review process can be found here.

Test Listing

A complete listing of the tests available in this release can be found here.

Downloads

Includes downloads for the Version 5.9 Definition Schema, System Characteristics Schema, Results Schema, and Element Dictionaries.

KEY
Complete Schema - has all documentation embedded and the Schematron mark-up.
Minimal Schema - includes the raw xml schema only.
Schematron - a schema that can provide additional validation of OVAL V5 documents.
Documentation html - element dictionaries, which users can elect to view in a browser or save.
All files zip - all files zipped together to allow for one simple download.
xsd/sch - a user can either right click to download the file or left click to open the file in their default viewer.
Deprecation Listing - a list of all deprecated language constructs.

OVAL Definition Schema Downloads

File Name          Complete Schema  Minimal Schema  Documentation  Schematron  Deprecation Listing
All Files          zip              zip             zip            zip | sch   -
Core               xsd              xsd             html           -           -
Common             xsd              xsd             html           -           html
Independent        xsd              xsd             html           -           html
Apache             xsd              xsd             html           -           html
Apple Macintosh    xsd              xsd             html           -           -
Cisco CatOS        xsd              xsd             html           -           html
Cisco IOS          xsd              xsd             html           -           html
Cisco PixOS        xsd              xsd             html           -           -
FreeBSD            xsd              xsd             html           -           -
HP-UX              xsd              xsd             html           -           html
IBM AIX            xsd              xsd             html           -           -
Linux              xsd              xsd             html           -           -
Microsoft Windows  xsd              xsd             html           -           html
SharePoint         xsd              xsd             html           -           -
Sun Solaris        xsd              xsd             html           -           html
UNIX               xsd              xsd             html           -           html
VMware ESX         xsd              xsd             html           -           html
 

OVAL System Characteristics Schema Downloads

File Name          Complete Schema  Minimal Schema  Documentation  Schematron  Deprecation Listing
All Files          zip              zip             zip            zip | sch   -
Core               xsd              xsd             html           -           -
Common             xsd              xsd             html           -           html
Independent        xsd              xsd             html           -           html
Apache             xsd              xsd             html           -           html
Apple Macintosh    xsd              xsd             html           -           -
Cisco CatOS        xsd              xsd             html           -           html
Cisco IOS          xsd              xsd             html           -           html
Cisco PixOS        xsd              xsd             html           -           -
FreeBSD            xsd              xsd             html           -           -
HP-UX              xsd              xsd             html           -           -
IBM AIX            xsd              xsd             html           -           -
Linux              xsd              xsd             html           -           -
Microsoft Windows  xsd              xsd             html           -           html
SharePoint         xsd              xsd             html           -           -
Sun Solaris        xsd              xsd             html           -           -
UNIX               xsd              xsd             html           -           -
VMware ESX         xsd              xsd             html           -           html
 

OVAL Results Schema Downloads

File Name          Complete Schema  Minimal Schema  Documentation  Schematron  Deprecation Listing
All Files          zip              zip             zip            zip | sch   -
Core               xsd              xsd             html           -           -
Common             xsd              xsd             html           -           html
 

OVAL Variables Schema Downloads

File Name          Complete Schema  Minimal Schema  Documentation  Schematron  Deprecation Listing
All Files          zip              zip             zip            zip | sch   -
Core               xsd              xsd             html           -           -
Common             xsd              xsd             html           -           html
 

OVAL Directives Schema Downloads

File Name          Complete Schema  Minimal Schema  Documentation  Schematron  Deprecation Listing
All Files          zip              zip             zip            zip | sch   -
Core               xsd              xsd             html           -           -
Common             xsd              xsd             html           -           html
Results            xsd              xsd             html           -           -
 

Example XML Stylesheets

results_to_html.xsl - The results_to_html stylesheet converts an OVAL Results document into a more readable html format.
minimal_schema.xsl - The minimal_schema stylesheet removes all annotation elements from the OVAL Schema leaving only the minimal schema.
element_dictionary.xsl - The element_dictionary stylesheet creates documentation files from the OVAL Schema.
reference_mapping.xsl - The reference_mapping stylesheet creates a map between each OVAL Definition in a document and a specified reference source.

New in Version 5.9

Version 5.9 of the Official OVAL Schema is a direct result of feedback from the OVAL Community. This will be a minor version change and may require some new development by tools that support earlier versions of the Language. The changes pending to the different schemas are outlined below. "Open" status means the item is under consideration or being worked upon and "Closed" status means that the item has been incorporated and work on it is completed. Full details are listed under each item.

Tracker items in this version include:

ID Title Status Date Opened Resolution
28515 Clarify documentation of oval-def:object element Closed 2010-11-24 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2010-11-24 00:00:54
Details:
Documentation of the oval-def:object element should be updated to state that sufficient object entities must be defined for any object such that it is possible to uniquely identify an item.
Follow-ups:
n/a
28929 invalid restriction of complex type with complex content Closed 2011-01-13 Fixed
Priority: High | Category: n/a | Date Closed: 2011-01-13 12:34:54
Details:
In version 5.7 the record datatype was introduced. In creating this new datatype the schema definition of the base entity types was refactored to allow for complex content within an entity. The goal was to allow for either a defined set of child elements or simple content within an entity. In version 5.7 this was achieved by creating one base entity type and then extending or restricting it as needed to create all other entity types. This approach introduced an invalid restriction of a complex type with complex content by a complex type with simple content.

The solution to this issue in the version 5.9 draft 1 is to create two distinct base entity types. One will be extended by all entities with simple content and the other will be extended by all entity types with complex content. This approach addresses the schema defect, helps better organize the definitions of the attributes on an entity, and should lend itself well to further development of the language.

For more information please refer to the developer list archive on this topic:
http://making-security-measurable.1364806.n2.nabble.com/Output-validation-errors-illegal-derivation-of-anyType-tp5608821p5608821.html
Follow-ups:
n/a
29004 prevent use of empty filename entities when not using xsi:nil='true' or var_ref Closed 2011-01-24 Fixed
Priority: Medium High | Category: Definition Schemas | Date Closed: 2011-01-24 01:00:46
Details:
The filename entity must not be empty unless either the xsi:nil attribute is set to true or a var_ref is used on the entity. This issue applies to all instances of the filename entity found in definition schemas as of version 5.8.

A Schematron rule will be added to enforce this restriction.

NOTE: If a complete file path is available, the filepath entity should be used.

Follow-ups:
n/a
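
The restriction in item 29004, written as a stand-alone check. This is an added example, not the Schematron rule shipped with OVAL 5.9; the sample document, its ids and the function name are constructed for illustration, and treating whitespace-only content as empty is an assumption.

```python
import xml.etree.ElementTree as ET

XSI_NIL = "{http://www.w3.org/2001/XMLSchema-instance}nil"

# Constructed sample: four file objects covering each case of the rule.
SAMPLE = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:unix-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <objects>
    <unix-def:file_object id="oval:example:obj:1" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename>passwd</unix-def:filename>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:2" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename xsi:nil="true"/>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:3" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename var_ref="oval:example:var:1"/>
    </unix-def:file_object>
    <unix-def:file_object id="oval:example:obj:4" version="1">
      <unix-def:path>/etc</unix-def:path>
      <unix-def:filename/>
    </unix-def:file_object>
  </objects>
</oval_definitions>
"""


def empty_filename_violations(xml_text):
    """Return ids of objects/states holding an empty filename entity that
    has neither xsi:nil="true" nor a var_ref attribute."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    violations = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "filename":  # match in any namespace
            continue
        is_empty = not (el.text or "").strip()  # assumption: whitespace-only is empty
        is_nil = el.get(XSI_NIL, "").strip() in ("true", "1")  # xs:boolean true
        if is_empty and not is_nil and not el.get("var_ref"):
            violations.append(parent_of[el].get("id"))
    return violations


if __name__ == "__main__":
    print(empty_filename_violations(SAMPLE))
```
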
29016 invalid use of xpath2.0 function in oval-results schema Closed 2011-01-25 Fixed
Priority: High | Category: Result Schemas | Date Closed: 2011-01-25 13:45:40
Details:
As of version 5.8, the Schematron rules used to enforce the oval-results directives use the exists() function. The exists() function is an XPath 2.0 function. OVAL uses XPath 1.0. The function can simply be removed since it is used to do a boolean test on a node set. The node set can be treated as a boolean without this function.
Follow-ups:
n/a
27859 clarify the ambiguity in the EntityBaseType documentation Closed 2010-10-04 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-01-12 13:04:55
Details:
Please see the following oval-developer-list post for more information.

http://making-security-measurable.1364806.n2.nabble.com/OVAL-5-x-documentation-inconsistency-tp5460954p5598777.html
Follow-ups:
n/a
27994 align the win-sc:activedirectory_item, win-sc:activedirectory57_item, ind-sc:ldap_item, and win-sc:ldap57_item with the documentation in their respective objects Closed 2010-10-13 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-01-12 14:19:54
Details:
The win-sc:activedirectory_item, win-sc:activedirectory57_item, ind-sc:ldap_item, and ind-sc:ldap57_item contain old documentation that should have been updated in Version 5.6 along with their respective objects as described in the following oval-developer-list post.

http://n2.nabble.com/Proposal-to-Modify-the-win-def%3Aactivedirectory_test-and-the-ind-def%3Aldap_test-tp3351022ef20093.html
Follow-ups:
n/a
28567 macos-def:inetlisteningservers_object does not uniquely identify an item Closed 2010-11-30 Duplicate
Priority: Medium | Category: n/a | Date Closed: 2010-12-05 17:10:42
Details:
The macos-def:inetlisteningservers_object does not uniquely identify an item because multiple instances of a listening application can run on different addresses, ports, and protocols resulting in multiple items with the same program name.  As a result, to uniquely identify an item, a new test will need to be created.

Also, this was previously an issue with the linux-def:inetlisteningservers_object and the original post can be seen at the following link.

http://making-security-measurable.1364806.n2.nabble.com/inetd-and-inetlisteningservers-test-td22762.html
Follow-ups:
n/a
28627 update macos-def:accountinfo_test documentation Closed 2010-12-05 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-01-12 14:41:28
Details:
The current macos-def:accountinfo_test documentation mentions that niutil(1) can be used to retrieve the information for the test. However, as of Mac OS 10.5, niutil(1) is no longer available and dscl(1) should be used instead. We should update the documentation appropriately.

Directory Service Release Notes (Mac OSX Server 10.5)
http://developer.apple.com/library/mac/#releasenotes/MacOSXServer/RN-DirectoryServices/

niutil(1) Man Page
http://developer.apple.com/library/mac/#DOCUMENTATION/Darwin/Reference/ManPages/10.4-intel/man1/niutil.1.html

dscl(1) Man Page
http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man1/dscl.1.html

The following can be used to retrieve the required information using dscl(1).

List all users
	dscl . -list /Users
	
Read attribute about a user
	dscl . -read /Users/<username> passwd uid gid realname home shell 
Follow-ups:
n/a
28628 fix the documentation in the sol-def:patch_object and the sol-def:patch54_object Closed 2010-12-05 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-01-12 16:01:05
Details:
The documentation for the base and version entities in the sol-def:patch54_object is exactly the same. The same documentation is also used for the base entity in the sol-def:patch_object.

"Patches are identified by unique alphanumeric strings, with the patch base code first, a hyphen, and a number that represents the patch revision number."

This documentation does not explicitly tell the reader what values should be used for the entities. This should be clarified similar to the base and version entity documentation in the patch_state which says the following.

base entity
"The base entity represents a patch base code found before the hyphen."

version entity
"The version entity represents a patch version number found after the hyphen"

Also, the base and version entities in the patch_item should be documented, as they are currently undocumented.
Follow-ups:
n/a
28702 update the documentation for the sol-def:patch54_object/sol-def:supersedence behavior Closed 2010-12-13 Fixed
Priority: Medium | Category: Definition Schemas | Date Closed: 2011-01-12 16:01:24
Details:
The documentation associated with the sol-def:patch54_object/sol-def:supersedence behavior should be updated to include a definition of what it means for one patch to supersede another.

According to Solaris documentation, a patch can be superseded in two ways:

1) Implicitly - This type of supersedence occurs when a new revision of a patch is released (i.e. patch 12345-02 supersedes patch 12345-01).

2) Explicitly - This type of supersedence occurs when one patch contains the complete functionality of another patch.

Please see Section 'Patch Accumulation and Obsolescence (SUNW_OBSOLETES)' of http://www.sun.com/blueprints/0205/819-1002.pdf for more information.
Follow-ups:
n/a
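
The base/version split from item 28628 and the two kinds of supersedence from item 28702, worked through on sample data. This is an added example, not code from the OVAL project or from Solaris; the patch ids other than 12345-01 and 12345-02, the OBSOLETES mapping and all function names are constructed, and it assumes numeric base codes and that implicit and explicit supersedence chain together.

```python
import re

PATCH_ID = re.compile(r"^(\d+)-(\d+)$")  # base code, hyphen, revision number

# Constructed sample data. OBSOLETES maps a patch to the patches it declares
# as obsoleted (the role SUNW_OBSOLETES plays in a real patch).
INSTALLED = ["12345-03", "23456-04", "99999-01"]
OBSOLETES = {"23456-03": ["12345-02"]}


def parse_patch(patch_id):
    """Split '12345-02' into (base, version) = (12345, 2)."""
    m = PATCH_ID.match(patch_id)
    if m is None:
        raise ValueError(f"not a patch id: {patch_id!r}")
    return int(m.group(1)), int(m.group(2))


def supersedes(candidate, target, obsoletes):
    """True if candidate supersedes target implicitly or explicitly."""
    c_base, c_rev = parse_patch(candidate)
    t_base, t_rev = parse_patch(target)
    if c_base == t_base:  # implicit: newer revision of the same patch
        return c_rev > t_rev
    # Explicit: candidate, or an earlier revision of it, lists the target or a
    # later revision of the target. Chaining the two rules is an assumption.
    for declaring, listed in obsoletes.items():
        d_base, d_rev = parse_patch(declaring)
        if d_base != c_base or d_rev > c_rev:
            continue
        for entry in listed:
            o_base, o_rev = parse_patch(entry)
            if o_base == t_base and o_rev >= t_rev:
                return True
    return False


def collect_patches(base, version, installed, obsoletes, supersedence=False):
    """Installed patches matching base-version; with supersedence=True,
    patches that supersede it are collected as well."""
    target = f"{base}-{version:02d}"
    return [p for p in installed
            if parse_patch(p) == (base, version)
            or (supersedence and supersedes(p, target, obsoletes))]
```
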
28793 fix the documentation in the ind-sc:ldap_item/value entity and the ind-sc:ldap57_item/value entity Closed 2010-12-29 Fixed
Priority: Medium | Category: System Characteristics Schemas | Date Closed: 2011-01-12 12:20:30
Details:
The documentation in the ind-sc:ldap_item/value entity should be switched with the documentation in the ind-sc:ldap57_item/value entity as the ind-sc:ldap_item/value entity documentation currently contains documentation associated with the record datatype which is incorrect.
Follow-ups:
n/a
29015 macos-def:pwpolicy_object Breaks Backwards Compatibility in 5.7 and 5.8 Closed 2011-01-25 Fixed
Priority: Medium | Category: n/a | Date Closed: 2011-01-25 12:08:40
Details:
Please see the following oval-developer-list post for more information.

http://making-security-measurable.1364806.n2.nabble.com/macos-def-pwpolicy-object-Breaks-Backwards-Compatibility-in-5-7-and-5-8-tp5915193p5915193.html
Follow-ups:
n/a

Timeline for Version 5.9

PLANNING           DRAFT            RELEASE CANDIDATE  OFFICIAL
15 September 2010  12 January 2011  2 February 2011    22 February 2011

Status Reports on Version 5.9

Status updates are included below. You may also review the OVAL Developer’s Forum Archives for discussions about Version 5.9.

[2011-02-22]

Version 5.9 has been officially released. Many thanks to all in the community who helped with this minor release.

[2011-02-02]

Version 5.9 Release Candidate 1 is now available for community review and comment. As a reminder, a release candidate signifies that the proposed OVAL Language revision has reached a level of consensus within the OVAL Community, and the OVAL Moderator has verified that the language is valid. In the release candidate stage, the language remains frozen for a period of time determined by the OVAL Board. It is during this stage that vendors and tool developers should update their tools with the knowledge that the schema will remain stable. Subsequent release candidates may be released if a serious problem is discovered in the proposed language. This release candidate represents a complete implementation of all planned changes for Version 5.9. Thank you to the SPAWAR team and everyone else for your time and effort in testing the early drafts of this release.

[2011-01-25]

Version 5.9 Draft 3 is now available for community review and comment. This third draft removes an improper use of the xpath 2.0 exists() function, corrects the mac-os:pwpolicy_object, adds a Schematron rule to ensure proper use of the filename entity, and finalizes the changes to the entity type structures for the record datatype.

[2011-01-13]

Version 5.9 Draft 2 is now available for community review and comment. This second draft corrects the version number that was used in draft 1.

[2011-01-12]

Version 5.9 Draft 1 is now available for community review and comment. This first draft includes a significant refactoring of the XML Schema definition of the record datatype in the oval-system-characteristics-schema and the oval-definitions-schema. This will address an invalid XML Schema construct that was reported by the community. At this time this release will not address any other issues.

[2010-09-15]

Version 5.9 is currently in the planning stage. If you have any suggestions for changes that should be included, please send them to the OVAL Community.


Page Last Updated: December 12, 2011