OVAL Supporters

The capabilities below support and/or include OVAL where possible.

Security Content Automation Protocol (SCAP)

The U.S. National Institute of Standards and Technology’s (NIST) SCAP employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards (in addition to CVE, CCE, CPE, XCCDF, and CVSS) that SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

Extensible Configuration Checklist Description Format (XCCDF)

XCCDF was created by the U.S. National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to be a specification language for providing a "uniform foundation for expression of security checklists, benchmarks, and other configuration guidance [to] foster more widespread application of good security practices." The default configuration checking technology for XCCDF is OVAL.

Common Announcement Interchange Format (CAIF)

CAIF is an XML-based format created by RUS-CERT at the University of Stuttgart, Germany, "store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements designed to describe the main aspects of an issue related to security. The set of elements can easily be extended to reflect temporary, exotic, or new requirements in a per-document manner." CAIF documents are able to incorporate OVAL Definitions.

National Vulnerability Database (NVD)

The U.S. National Institute of Standards and Technology’s (NIST) NVD includes OVAL-IDs as references and is searchable by OVAL-ID.

Open Source Vulnerability Database (OSVDB)

OSVDB includes OVAL-IDs as cross-references. OVAL892, OVAL886, and OVAL885 are included in a listing for OSVDB Entry 5260. Other OSVD entries also include OVAL-IDs.


SecuritySpace.com, E-Soft, Inc.’s vulnerability Web site includes OVAL-IDs as cross-references. OVAL1503, OVAL1530, OVAL2155, OVAL3179, OVAL1186, OVAL1943, OVAL3514, and OVAL956 are included in a listing for SecuritySpace 13641. Other SecuritySpace entries also include OVAL-IDs.

CVE List

MITRE Corporation’s CVE List on the Common Vulnerabilities and Exposures (CVE®) Web site includes OVAL-IDs as references. OVAL216, OVAL306, OVAL322, OVAL507, and OVAL515 are included in a listing for CVE-2004-0566. Other CVE names also include OVAL-IDs.

Red Hat Errata

The Red Hat, Inc. repository of OVAL content consists of OVAL Patch Definitions that correspond to Red Hat Errata security advisories.

French Security Incident Response Team (FrSIRT)

FrSIRT issued a security advisory on February 2, 2006 that referenced OVAL670, OVAL677, OVAL1339, OVAL1493, OVAL1494, OVAL1514, OVAL1562, and OVAL1625. Numerous other FrSIRT security advisories also include OVAL-IDs.

Slovenian Computer Emergency Response Team (SI-CERT)

SI-CERT issued a security advisory for CVE name CVE-2004-0549 that included the following OVAL-IDs as references: OVAL1133, OVAL207, OVAL241, and OVAL519.

Back to top

Page Last Updated: January 12, 2011