OVAL Supporters — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

The capabilities below support and/or include OVAL where possible.

Extensible Configuration Checklist Description Format (XCCDF)

XCCDF was created by the U.S. National Security Agency (NSA) and National Institute of Standards and Technology (NIST) to be a specification language for providing a "uniform foundation for expression of security checklists, benchmarks, and other configuration guidance [to] foster more widespread application of good security practices." The default configuration checking technology for XCCDF is OVAL.

Common Announcement Interchange Format (CAIF)

CAIF is an XML-based format created by RUS-CERT at the University of Stuttgart, Germany, "store and exchange security announcements in a normalized way. It provides a basic but comprehensive set of elements designed to describe the main aspects of an issue related to security. The set of elements can easily be extended to reflect temporary, exotic, or new requirements in a per-document manner." CAIF documents are able to incorporate OVAL Definitions.

National Vulnerability Database (NVD)

The U.S. National Institute of Standards and Technology's (NIST) NVD includes OVAL-IDs as references and is searchable by OVAL-ID.

Open Source Vulnerability Database (OSVDB)

OSVDB includes OVAL-IDs as cross-references. OVAL892, OVAL886, and OVAL885 are included in a listing for OSVDB Entry 5260. Other OSVD entries also include OVAL-IDs.


SecuritySpace.com, E-Soft, Inc.'s vulnerability Web site includes OVAL-IDs as cross-references. OVAL1503, OVAL1530, OVAL2155, OVAL3179, OVAL1186, OVAL1943, OVAL3514, and OVAL956 are included in a listing for SecuritySpace 13641. Other SecuritySpace entries also include OVAL-IDs.


Sintelli includes OVAL-IDs as references in its vulnerability alert/notification service, Sintelli Alert; vulnerability alerting service, Sintelli SME; and in its Sintelli Vulnerability Database.

CVE List

MITRE Corporationís CVE List on the Common Vulnerabilities and Exposures (CVE) Web site includes OVAL-IDs as references. OVAL216, OVAL306, OVAL322, OVAL507, and OVAL515 are included in a listing for CVE-2004-0566. Other CVE names also include OVAL-IDs.

French Security Incident Response Team (FrSIRT)

FrSIRT issued a security advisory on February 2, 2006 that referenced OVAL670, OVAL677, OVAL1339, OVAL1493, OVAL1494, OVAL1514, OVAL1562, and OVAL1625. Numerous other FrSIRT security advisories also include OVAL-IDs.

Slovenian Computer Emergency Response Team (SI-CERT)

SI-CERT issued a security advisory for CVE name CVE-2004-0549 that included the following OVAL-IDs as references: OVAL1133, OVAL207, OVAL241, and OVAL519.

Back to top

Page Last Updated: January 18, 2011