Submit an OVAL Definition
Members of the information security community may submit properly formatted OVAL Vulnerability, Compliance, Inventory, and Patch Definitions to the OVAL Repository Forum, where they are reviewed by the OVAL Moderator before being put into the OVAL Repository for use by the community.
Before submitting any content to the OVAL Repository, please review the following resources:
- Review existing OVAL Definitions in the OVAL Repository to ensure one does not already exist for the software vulnerability, configuration issue, program, or patch you are working on.
- Set the version to 0 on all new definitions, tests, objects, states, and variables. The version will be incremented to 1 when the item is uploaded to the repository. The OVAL Repository manages versions. PLEASE DO NOT MODIFY THE VERSION OF EXISTING ITEMS IN THE OVAL REPOSITORY.
- For new definitions, assign a definition ID in a temporary namespace (e.g., org.your_organization.oval). Once the definition is added to the OVAL Repository it will be assigned an ID in the OVAL Repository namespace (org.mitre.oval) by the OVAL Moderator. PLEASE DO NOT ISSUE NEW IDS IN THE OVAL REPOSITORY NAMESPACE.
- Submit only the items you edit. If you edit a state, submit only that state and its dependencies. Please do not submit all definitions that use the edited item.
- Do not modify the version of the items you edit. The OVAL Repository manages versions. PLEASE DO NOT MODIFY THE VERSION OF EXISTING ITEMS IN THE OVAL REPOSITORY.
Please perform the following checks to ensure that the content being submitted is in the proper format.
- Validate the file to ensure that it is a valid OVAL document.
- Run the current OVAL Schematron rules (oval-definitions-schematron.sch) to ensure the document complies with the official OVAL Definition Schema.
- Check against the OVAL Repository Metadata Schema (oval-repository-metadata-schema.xsd) to verify that the repository element is formatted correctly.
- Run the OVAL Authoring Style Checker (oval-authoring-style-checker.sch) to check if the document follows the Authoring Style Guide.
- Correct any errors returned by the preceding tests.
How to Submit
- Draft an email that includes the following information:
  - The IDs of all modified items, with a descriptive comment for each modification.
  - A description of all new content.
- Send the email to the OVAL Repository Forum and include the submission as an XML attachment. Note that you must be a member of the OVAL Repository Forum to post.
- Those wishing to submit sensitive information may send it directly to email@example.com.
Assigning of IDs
The OVAL Repository uses the org.mitre.oval ID namespace for all of its community-contributed content. New IDs are assigned randomly from a pool that is managed by the OVAL Repository. When submitting new content to the OVAL Repository, all new items (definitions, tests, objects, states, and variables) should be assigned temporary IDs in a temporary namespace (e.g., org.your_organization.oval). Once a new submission is reviewed and imported into the OVAL Repository, official IDs in the OVAL Repository namespace (org.mitre.oval) will be assigned by the OVAL Moderator.
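The version and ID rules above can be checked mechanically before a submission is emailed. The following is an added example, not OVAL Repository tooling: `check_submission` is a hypothetical helper, the sample document is constructed, and it complements rather than replaces the schema and Schematron checks listed earlier.

```python
import re
import xml.etree.ElementTree as ET

REPO_NS = "org.mitre.oval"  # OVAL Repository namespace named on this page
ID_RE = re.compile(r"^oval:([A-Za-z0-9_\-\.]+):(def|tst|obj|ste|var):([1-9][0-9]*)$")

# Constructed sample submission (not real repository content).
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.your_organization.oval:def:1" version="0" class="inventory"/>
    <definition id="oval:org.mitre.oval:def:2" version="0" class="patch"/>
  </definitions>
  <tests xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
    <win:registry_test id="oval:org.your_organization.oval:tst:1" version="1"/>
  </tests>
  <states xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
    <win:registry_state id="oval:org.mitre.oval:ste:3" version="4"/>
  </states>
</oval_definitions>"""

def check_submission(xml_text):
    """Return (errors, existing_ids) for one OVAL definitions document."""
    errors, existing = [], []
    for elem in ET.fromstring(xml_text).iter():
        item_id = elem.get("id")
        if item_id is None or not item_id.startswith("oval:"):
            continue
        m = ID_RE.match(item_id)
        if m is None:
            errors.append(f"{item_id}: malformed OVAL ID")
            continue
        version = elem.get("version")
        if m.group(1) != REPO_NS:
            # Temporary namespace means a new item: version must be 0.
            if version != "0":
                errors.append(f"{item_id}: new item has version {version!r}, expected '0'")
        elif version == "0":
            # Version 0 marks a new item, but new items may not use repository IDs.
            errors.append(f"{item_id}: version 0 item uses the {REPO_NS} namespace")
        else:
            # Edited existing item: compare its version with the repository copy by hand.
            existing.append(item_id)
    return errors, existing

if __name__ == "__main__":
    errs, existing = check_submission(SAMPLE)
    print("\n".join(errs) or "no errors")
    print("compare versions with the repository for:", existing)
```

Items returned in the second list carry repository IDs, so their versions still have to be compared against the current repository copy to confirm they were not modified.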