About the OVAL Repository
OVAL Definitions
Community Participation
Information Included in an OVAL Definition
Writing and Submitting OVAL Definitions
The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Other repositories in the community also host OVAL content, which can include OVAL System Characteristics files and OVAL Results files as well as definitions. OVAL definitions are standardized, machine-readable tests written in the Open Vulnerability and Assessment Language (OVAL®) that check computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. OVAL definitions, which are free to use and implement in information security products and services, are written in Extensible Markup Language (XML) and are available for most major platforms. See the OVAL Repository main page to review or download all OVAL definitions posted to date.

OVAL Definitions

OVAL definitions detect the presence of software vulnerabilities, configuration issues, programs, and patches in terms of system characteristics and configuration information, without requiring software exploit code. By specifying logical conditions on the values of system characteristics and configuration attributes, OVAL definitions characterize exactly which systems are susceptible to or have a given vulnerability, whether the configuration settings of a system meet security policies, and whether particular patches are appropriate for a system. System characteristics include the operating system (OS) installed, settings in the OS, software applications installed, and settings in applications, while configuration attributes include registry key settings, file system attributes, and configuration files. There are four main classes of OVAL definitions:

- Vulnerability definitions test whether a specific software vulnerability is present on a system.
- Compliance definitions test whether a system's configuration settings meet a security policy.
- Inventory definitions test whether a specific piece of software is installed on a system.
- Patch definitions test whether a particular patch is appropriate for, or already applied to, a system.
A "Miscellaneous" class is also available for definitions that do not fall into any of the four main classes. OVAL vulnerability definitions are based primarily on Common Vulnerabilities and Exposures (CVE®), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community.

Each definition is distinguished by a unique OVAL Identifier (OVAL-ID). OVAL-IDs use the format "oval:Organization DNS Name:ID Type:ID Value", where Organization DNS Name is a reverse-DNS name such as 'org.mitre.oval'; ID Type denotes the kind of component the ID is applied to (one of def - Definition, obj - Object, ste - State, tst - Test, or var - Variable); and ID Value is an integer that is unique within the DNS name and ID Type pair that precedes it. For example: oval:org.mitre.oval:def:1115. (Note that the OVAL-ID format extends across all of the globally reusable components in the OVAL Language: definitions, objects, states, tests, and variables.) OVAL definitions are free to review or download from the OVAL Repository on the OVAL Web site.

Community Participation

OVAL definitions are written by MITRE's OVAL Team and by members of the OVAL Community, which includes the OVAL Board, organizations with OVAL-Compatible information security products and services, and members of the OVAL Community Forum email list. The Community Forum is a lightly moderated public discussion list for those interested in writing, submitting, and discussing new and previously posted definitions, as well as the vulnerabilities and configuration issues themselves that affect definition writing. See Stages of an OVAL Definition for a complete description of how definitions are created by the community and added to the Repository.

Join the Community

Free sign-up for the OVAL Community Forum is available on the OVAL Web site.
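The OVAL-ID format above is shared by definitions, tests, objects, states, and variables, and a definition only works if every test_ref, object_ref, and state_ref it contains resolves to a component of the matching ID type. The following Python script, added here as an illustration and not code from the OVAL project or the Repository, parses OVAL-IDs with a regular expression built from the format described on this page and then cross-checks the references in a small, constructed OVAL 5 definitions document (a simplified Windows registry test; the organization name org.example.oval, the registry key and value, and the placeholder CVE reference are all made up for the example). The character set allowed in the DNS-name part is an assumption; the page only says it is of the form 'org.mitre.oval'.

```python
import re
import xml.etree.ElementTree as ET

# OVAL-ID format from the page: oval:<Organization DNS Name>:<ID Type>:<ID Value>
# ID Type is one of def, obj, ste, tst, var; ID Value is an integer.
# Assumption: the DNS-name part is letters, digits, dots, hyphens and underscores.
OVAL_ID_RE = re.compile(
    r"^oval:(?P<org>[A-Za-z0-9_.-]+):(?P<type>def|obj|ste|tst|var):(?P<value>[1-9][0-9]*)$"
)

# Which ID type each reference attribute is expected to point at.
REF_ATTR_TYPES = {
    "definition_ref": "def",
    "test_ref": "tst",
    "object_ref": "obj",
    "state_ref": "ste",
    "var_ref": "var",
}

# OVAL 5 XML namespaces (core definitions schema and the Windows component schema).
NS = {
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "win-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5#windows",
}


def parse_oval_id(oval_id):
    """Split a well-formed OVAL-ID into (org, id_type, value); raise ValueError otherwise."""
    m = OVAL_ID_RE.match(oval_id)
    if not m:
        raise ValueError(f"not a well-formed OVAL-ID: {oval_id!r}")
    return m.group("org"), m.group("type"), int(m.group("value"))


def is_oval_id(oval_id):
    """True if the string is a well-formed OVAL-ID."""
    return OVAL_ID_RE.match(oval_id) is not None


def check_references(xml_text):
    """Collect every component ID in the document and verify that every
    *_ref attribute points at an existing component of the right ID type.
    Returns (defined_ids, problems) where defined_ids maps ID -> ID type."""
    root = ET.fromstring(xml_text)
    defined = {}
    problems = []
    for el in root.iter():
        oid = el.get("id")
        if oid is None:
            continue
        try:
            _, id_type, _ = parse_oval_id(oid)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        defined[oid] = id_type
    for el in root.iter():
        for attr, expected in REF_ATTR_TYPES.items():
            ref = el.get(attr)
            if ref is None:
                continue
            try:
                _, ref_type, _ = parse_oval_id(ref)
            except ValueError as exc:
                problems.append(str(exc))
                continue
            if ref_type != expected:
                problems.append(f"{attr}={ref} should reference a '{expected}' component")
            elif ref not in defined:
                problems.append(f"{attr}={ref} does not resolve to any component in the document")
    return defined, problems


def definition_summary(xml_text):
    """Pull the metadata a reader first looks at: ID, class, version, title,
    external references, and the tests the criteria depend on."""
    root = ET.fromstring(xml_text)
    crit_tag = "{%s}criterion" % NS["oval-def"]
    summary = []
    for d in root.findall("oval-def:definitions/oval-def:definition", NS):
        meta = d.find("oval-def:metadata", NS)
        summary.append({
            "id": d.get("id"),
            "class": d.get("class"),
            "version": d.get("version"),
            "title": meta.findtext("oval-def:title", namespaces=NS),
            "references": [(r.get("source"), r.get("ref_id"))
                           for r in meta.findall("oval-def:reference", NS)],
            "tests": [c.get("test_ref") for c in d.iter(crit_tag)],
        })
    return summary


# Constructed sample document. The second criterion deliberately references a
# test that is never defined, so check_references() has something to report.
SAMPLE_OVAL = r"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <definitions>
    <definition id="oval:org.example.oval:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Constructed example: insecure feature enabled in the registry</title>
        <reference source="CVE" ref_id="CVE-YYYY-NNNN"/>
        <description>Placeholder reference; not a real CVE entry.</description>
      </metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.example.oval:tst:1" comment="registry value is 1"/>
        <criterion test_ref="oval:org.example.oval:tst:2" comment="dangling reference"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <win-def:registry_test id="oval:org.example.oval:tst:1" version="1" check="all"
        comment="EnableFeature value equals 1">
      <win-def:object object_ref="oval:org.example.oval:obj:1"/>
      <win-def:state state_ref="oval:org.example.oval:ste:1"/>
    </win-def:registry_test>
  </tests>
  <objects>
    <win-def:registry_object id="oval:org.example.oval:obj:1" version="1">
      <win-def:hive>HKEY_LOCAL_MACHINE</win-def:hive>
      <win-def:key>SOFTWARE\Example\App</win-def:key>
      <win-def:name>EnableFeature</win-def:name>
    </win-def:registry_object>
  </objects>
  <states>
    <win-def:registry_state id="oval:org.example.oval:ste:1" version="1">
      <win-def:value datatype="int" operation="equals">1</win-def:value>
    </win-def:registry_state>
  </states>
</oval_definitions>
"""

if __name__ == "__main__":
    print(parse_oval_id("oval:org.mitre.oval:def:1115"))
    for entry in definition_summary(SAMPLE_OVAL):
        print(entry)
    defined, problems = check_references(SAMPLE_OVAL)
    print(sorted(defined.items()))
    for p in problems:
        print("PROBLEM:", p)
```

The reference check is the one worth running before submitting a definition: a criterion whose test_ref points at a missing or wrong-typed component is not an error the XML parser will catch, but an interpreter evaluating the definition will be unable to produce a result for it.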
Information Included in an OVAL Definition

Each OVAL definition includes metadata, a high-level summary, and the detailed test. Definition metadata provides the OVAL-ID, the status of the definition (Draft, Interim, or Accepted), the CVE name or other reference on which the definition (or definitions) is based, the version of the OVAL Definition Schema that the definition works with, a brief description of the security issue covered in the definition, the main author, and a list of the significant contributors to the development of the definition. The high-level summary includes the following: "Vulnerable software exists," which states the specific OS, the name of the file with the vulnerability in it, the application version, and the patch status; and "Vulnerable configuration," which indicates whether the service is running or not, specific configuration settings, and workarounds. The detailed portion of a definition provides the logic for checking the system characteristics (OS installed, settings in the OS, software applications installed, and settings in applications) that indicate that vulnerable software exists, and the configuration attributes (registry key values, file system attributes, and configuration files) that indicate that a vulnerable configuration exists.

Writing and Submitting OVAL Definitions

The OVAL Definition Schema is the language framework for writing OVAL definitions. Any member of the OVAL Community may submit OVAL definitions. See the Submission Guidelines for instructions on how to write and submit OVAL definitions.

Page Last Updated: March 06, 2008