Submit Content
Process
Submissions of OVAL vulnerability, compliance, inventory, and patch definitions may be emailed to
MITRE in the proper format by members of the security community who have registered for the OVAL Repository Forum.
All submissions will be reviewed by the OVAL Repository team prior to being posted on the OVAL Repository Web site
for further community review.
To submit an OVAL definition:
- Review the official OVAL Definition Schema.
- Follow the instructions for writing the definition per the Submission Guidelines below.
- OVAL Repository Forum members should email the draft to oval-discussion-list@lists.mitre.org.
Those wishing to submit sensitive information may send it directly to oval@mitre.org.
General Guidelines
The guidelines below apply to all submissions to the OVAL Repository.
- Before submitting any content to the OVAL Repository, review the Authoring Style Guide.
- PLEASE DO NOT MODIFY THE VERSION OF EXISTING ITEMS IN THE OVAL REPOSITORY.
- Validate your content before submitting it:
  - Use the OVAL Repository Metadata Schema to verify that your XML syntax is correct.
  - Run the current oval-definitions-schematron rules and ensure that there are no validation errors.
- Separate new content submissions from content modifications.
- If a new item needs to reference an existing item with modifications, the existing item should be modified and submitted first.
Submitting New Content
The guidelines below include suggestions and tips for creating new OVAL definitions.
- Review existing OVAL definitions in the OVAL Repository to ensure one does not already exist for the software vulnerability, configuration issue, program or patch on which you are working.
- Use an existing OVAL Definition as a template. Attempt to locate an existing OVAL Definition for the platform as the basis for creating your definition.
- Create the definition element:
  - Set the class of the new definition appropriately.
  - Set the version to 0. (The OVAL Repository manages versions. PLEASE DO NOT MODIFY THE VERSION OF EXISTING ITEMS IN THE OVAL REPOSITORY.)
  - Assign a definition id in a temporary namespace. Once the definition is added to the OVAL Repository it will be assigned an id in the OVAL Repository namespace.
- Complete the "metadata" section of the definition, which should include the following:
  - Create a user-friendly title for the definition.
  - Identify the affected families, platforms, and products. Use an existing definition as a guide.
  - Add a reference to an existing CVE, CPE, or CCE if possible. Patch definitions should have a VENDOR reference.
  - Add a detailed description of the issue that the definition describes. Definitions with CVE references should use the CVE description.
  - Optionally add a created date to the oval_repository/dates element.
  - Optionally add the affected_cpe_list to the oval_repository element. This is the list of CPE names that are affected by the issue that the definition describes.
- Complete the "criteria" section of the definition, which may include the following:
  - operating system version
  - name of the file with the vulnerability in it
  - application version
  - patch status
  - indication if the service is running or not
  - specific configuration settings
  - other workarounds
- Submit your definition(s) following the instructions above.
Submitting Content Modifications
The guidelines below describe how content modifications should be submitted to the OVAL Repository.
- Submit only the items you edit. If you edit a state submit only that state and its dependencies.
- Please do not submit all definitions that use the edited item.
- PLEASE DO NOT MODIFY THE VERSION OF EXISTING ITEMS IN THE OVAL REPOSITORY.
- Submit your definition(s) following the instructions above.
Assigning New Ids
The OVAL Repository uses the org.mitre.oval id namespace for all of its community contributed content.
New ids are assigned randomly from a pool that is managed by the OVAL Repository. When submitting new content to
the OVAL Repository all new items (definitions, tests, objects, states, & variables) should be assigned temporary
ids. Once a new submission is reviewed and imported into the OVAL Repository official ids will be assigned. Temporary
ids should be created in a namespace other than the org.mitre.oval id namespace.
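The following pre-submission check is an added example, not part of the OVAL Repository tooling. It applies the rules from "Submitting New Content" and "Assigning New Ids" to a draft definition. The com.example.tmp namespace, the sample draft, and the function name lint_new_definition are constructed for illustration, and the check does not replace schema or Schematron validation.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
REPO_NAMESPACE = "org.mitre.oval"  # reserved for ids assigned by the OVAL Repository
ID_RE = re.compile(r"^oval:([A-Za-z0-9_\-\.]+):def:[1-9][0-9]*$")

# Constructed sample draft: the temporary namespace and every value are placeholders.
SAMPLE_DRAFT = """\
<definition xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
            id="oval:com.example.tmp:def:1" version="0" class="vulnerability">
  <metadata>
    <title>Example Product buffer overflow (constructed)</title>
    <affected family="windows">
      <platform>Microsoft Windows XP</platform>
      <product>Example Product</product>
    </affected>
    <reference source="CVE" ref_id="CVE-0000-0000"/>
    <description>Placeholder text; use the CVE description here.</description>
  </metadata>
  <criteria operator="AND">
    <criterion test_ref="oval:com.example.tmp:tst:1" comment="Example Product is installed"/>
  </criteria>
</definition>
"""

def lint_new_definition(xml_text):
    """Return the guideline violations found in a NEW definition draft."""
    d = ET.fromstring(xml_text)
    problems = []
    m = ID_RE.match(d.get("id", ""))
    if not m:
        problems.append("id is not of the form oval:<namespace>:def:<number>")
    elif m.group(1) == REPO_NAMESPACE:
        problems.append("new items need a temporary id outside org.mitre.oval")
    if d.get("version") != "0":
        problems.append("version of a new definition must be 0")
    if d.get("class") not in {"vulnerability", "compliance", "inventory", "patch"}:
        problems.append("class is not one of the classes listed on this page")
    for tag in ("title", "affected", "description"):  # references are optional
        el = d.find(f"d:metadata/d:{tag}", NS)
        if el is None or (tag != "affected" and not (el.text or "").strip()):
            problems.append(f"metadata/{tag} is missing or empty")
    sources = {r.get("source") for r in d.findall("d:metadata/d:reference", NS)}
    if d.get("class") == "patch" and "VENDOR" not in sources:
        problems.append("patch definitions should have a VENDOR reference")
    if d.find("d:criteria", NS) is None:
        problems.append("criteria section is missing")
    return problems
```

An empty list means the draft passes these checks; content modifications are out of scope here, since their version and id must be left as the Repository assigned them.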
Page Last Updated: August 21, 2009