Hi Omar

forgive my ignorance but should - cisco-sa-20160916-ikev1 be found within the oval API. considering it's both created after 2010 and a high cisco vulnerability. Oval looks great, would be keen to use!!

HI Aidan,

We just published the OVAL definition for that vulnerability today. It is posted at the OVAL Repository

and should also be available via the API.

Thank you!

OMar

Hey Omar. Thanks for the reply.

Will vulnerabilities be posted on the oval repository immediately after they’re found in the future? Or is it better to go with the CVSR api, as that appears to be showing all vulnerabilities at the time of posting.

Thanks for your help.

Aidan

<http://www.vodafone.co.nz/>

Aidan Houlihan

Discover Graduate

Graduate Programme

Vodafone New Zealand Ltd.

Mobile: +64 27 391 2468

Email: aidan.houlihan@vodafone.com

Lambton House, 160 Lambton Quay, Wellington, New Zealand

vodafone.co.nz <http://www.vodafone.co.nz>

This message and any files or documents attached are confidential and may also be legally privileged, protected from disclosure and/or protected by other legal rules. It is intended only for the individual or entity named. If you are not the named addressee or you have received this email in error, please inform the sender immediately, delete it from your system and do not copy or disclose it or its contents or use it for any purpose. Thank you. Please also note that transmission cannot be guaranteed to be secure or error-free.

Hi Aidan,

There are a few differences on the benefits between an OVAL definition and CVRF files:

• CVRF files are indeed available for all published vulnerabilities at the moment of publication. They are automatically generated when an advisory is published.
• OVAL definitions are supported for IOS and IOS-XE high and critical vulnerabilities and they include affected versions and configuration checks. The OVAL standard is designed to do a full assessment of an impact of a vulnerability.
• CVRF files do not include configuration checks and complete coverage of all versions affected by a given vulnerability. CVRF was not originally designed as OVAL, it is basically just an XML representation of the advisory and it currently has some limitations for remediation assessment and product family. Just as an FYI, the CVRF standard will go over a major update very soon and it is being transitioned from ICASI to the OASIS (https://www.oasis-open.org/) standards body, as we speak. A new technical committee will be created within the next couple of months to enhance the standard and include better support for product and version enumeration. More details to come soon.