OVAL Authoring Style Checker
This set of Schematron rules was developed to check OVAL Definitions documents for compliance with the OVAL Repository style guide (http://oval.mitre.org/repository/about/style.html). Both the style guide and these rules are intended to evolve over time. This set of rules is also likely to be generally useful in improving the quality of OVAL Definitions.
Attribute negate should not be included when element is not negated.
- New submissions must have a version of '0' and a status of 'INITIAL SUBMISSION'.
- Patch based OVAL Definitions should include only a single reference to a binary patch name with the source set to VENDOR.
- Vulnerability based OVAL definitions include only a single CVE reference. Other references can be derived from the CVE reference.
Warning: - Vulnerability based OVAL definitions should include a CVE reference.
- Vulnerability based OVAL definitions must have a CVE ref_id that conforms to the CVE identifier format.
- Vulnerability based OVAL definitions must have a CVE ref_url starting with 'http(s)://'
- Reference url () must contain the relevant reference ID ().
- Inventory OVAL definitions must include only a single CPE reference.
- Inventory OVAL definitions must start with 'cpe:/[aoh]'
- Inventory OVAL definitions should not contain ref_url
Warning: - Inventory OVAL definitions should include a CPE when possible.
- Compliance based OVAL definitions include only a single CCE reference. Other references can be derived from the CCE reference.
- Compliance based OVAL definitions must include a CCE reference.
- Compliance based OVAL definitions must match the pattern 'CCE-\d\d*-\d'
- Compliance based OVAL definitions must have a CVE ref_url starting with 'http(s)://'
- The value "" found in the platform element as part of the affected element is not a valid Windows platform.
- The check_existence attribute must always be included in tests.
- Attribute operation should only be set when it's not the default value ('equals') to improve readability.
- Attribute datatype should only be set when it's not the default value ('string') to improve readability.
Warning: - Regular expressions should start with ^ to avoid matching more than the desired strings.
Warning: - Regular expressions should end with a $ to avoid matching more than the desired strings.
- Attribute operator should only be set when it's not the default value ('AND') to improve readability.
- Attribute operation should only be set when it's not the default value ('equals') to improve readability.
- Attribute datatype should only be set when it's not the default value ('string') to improve readability.
Warning: - Regular expressions should start with ^ to avoid matching more than the desired strings.
Warning: - Regular expressions should end with a $ to avoid matching more than the desired strings.
Warning: - Missing possible_value in external variable element. External variables should make use of possible_value and possible_restriction elements to tightly restrict the allowable set of input values.
Warning: - Missing possible_restriction in external variable element. External variables should make use of possible_value and possible_restriction elements to tightly restrict the allowable set of input values.
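
The reference rules above (one CVE, CPE or CCE reference per definition class, ref_id format, ref_url scheme, ref_url containing the ref_id) can be sketched outside Schematron as follows. This is an added example, not the checker's own code: the function name, the sample document and its placeholder ids are constructed, and the CVE pattern is an assumption because the rules do not quote one.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}
# class -> (reference source, ref_id pattern). The CPE and CCE patterns are the
# ones quoted in the rules; the CVE pattern is an assumption (CVE-YYYY-NNNN+).
RULES = {
    "vulnerability": ("CVE", r"CVE-\d{4}-\d{4,}$"),
    "inventory": ("CPE", r"cpe:/[aoh]"),
    "compliance": ("CCE", r"CCE-\d\d*-\d"),
}

def check_references(xml_text):
    """Return (definition id, message) pairs for reference-rule violations."""
    findings = []
    for d in ET.fromstring(xml_text).iterfind(".//d:definition", NS):
        if d.get("class") not in RULES:
            continue
        source, pattern = RULES[d.get("class")]
        refs = [r for r in d.iterfind("d:metadata/d:reference", NS)
                if r.get("source") == source]
        if len(refs) != 1:
            findings.append((d.get("id"), f"expected 1 {source} reference, found {len(refs)}"))
        for r in refs:
            rid, url = r.get("ref_id", ""), r.get("ref_url")
            if not re.match(pattern, rid):
                findings.append((d.get("id"), f"bad {source} ref_id: {rid}"))
            if source == "CPE":
                if url is not None:
                    findings.append((d.get("id"), "inventory reference has ref_url"))
            elif not re.match(r"https?://", url or ""):
                findings.append((d.get("id"), "ref_url must start with http(s)://"))
            elif rid not in url:
                findings.append((d.get("id"), "ref_url does not contain ref_id"))
    return findings

# Constructed sample document; ids, CVE numbers and URLs are placeholders.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"><definitions>
<definition id="oval:org.example:def:1" class="vulnerability"><metadata><reference source="CVE"
  ref_id="CVE-0000-0001" ref_url="https://example.org/CVE-0000-0001"/></metadata></definition>
<definition id="oval:org.example:def:2" class="vulnerability"><metadata><reference source="CVE"
  ref_id="CVE-0000-12" ref_url="https://example.org/advisory"/></metadata></definition>
<definition id="oval:org.example:def:3" class="inventory"><metadata><reference source="CPE"
  ref_id="cpe:/a:example:product" ref_url="https://example.org/"/></metadata></definition>
<definition id="oval:org.example:def:4" class="compliance"><metadata/></definition>
</definitions></oval_definitions>"""

if __name__ == "__main__":
    for def_id, message in check_references(SAMPLE):
        print(def_id, message)
```

The sketch reports a missing and a duplicated reference with the same message, whereas the rules above separate warnings from errors.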