Internet Engineering Task Force                                 H. Booth
Internet-Draft                               National Institute of Standards
Intended status: Informational                               and Technology
Expires: April 18, 2013                                     October 15, 2012
Software Vulnerability Data Model and Data Exchange Format
draft-booth-sacm-vuln-model-00
Abstract
This Internet-Draft describes the Vulnerability Data Model (VDM)
version 1.0, a vendor neutral data model for expressing data and
metadata for individual vulnerabilities, and an XML format that can
be used to exchange vulnerability data model information. VDM
provides standard fields, formats and vocabularies that can be used
to transmit information about software vulnerabilities between
entities in an interoperable manner. VDM is suited for a wide
variety of use cases, and provides extension points to facilitate
additional use cases.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Booth Expires April 18, 2013 [Page 1]
Internet-Draft Vulnerability Data Model October 2012
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.1. Purpose and Scope . . . . . . . . . . . . . . . . . . . . 5
1.2. Audience . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Document Structure . . . . . . . . . . . . . . . . . . . . 6
2. Document Conventions . . . . . . . . . . . . . . . . . . . . . 7
3. Terms and Abbreviations . . . . . . . . . . . . . . . . . . . 8
3.1. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Relationship to Existing Standards and Specifications . . . . 9
5. Conformance . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1. Capability Conformance . . . . . . . . . . . . . . . . . . 9
5.2. Content Conformance . . . . . . . . . . . . . . . . . . . 10
6. Vulnerability Data Model Overview and Key Concepts . . . . . . 10
7. Data Model Description . . . . . . . . . . . . . . . . . . . . 11
7.1. XML Data Model Introduction . . . . . . . . . . . . . . . 11
7.2. XML Data Model Requirements . . . . . . . . . . . . . . . 11
7.2.1. Metadata Core . . . . . . . . . . . . . . . . . . . . 12
7.2.1.1. dottedVersionType . . . . . . . . . . . . . . . . 12
7.2.1.2. entityStatusEnumerationType . . . . . . . . . . . 13
7.2.1.3. recordStatusEnumType . . . . . . . . . . . . . . . 13
7.2.1.4. statusHistoryType . . . . . . . . . . . . . . . . 14
7.2.1.5. recordType . . . . . . . . . . . . . . . . . . . . 14
7.2.1.6. mutableRecordType . . . . . . . . . . . . . . . . 15
7.2.1.7. localeTextType . . . . . . . . . . . . . . . . . . 15
7.2.1.8. localeNotesType . . . . . . . . . . . . . . . . . 16
7.2.1.9. referenceItemType . . . . . . . . . . . . . . . . 16
7.2.1.10. referenceType . . . . . . . . . . . . . . . . . . 17
7.2.1.11. referencesType . . . . . . . . . . . . . . . . . . 17
7.2.1.12. generatorType . . . . . . . . . . . . . . . . . . 17
7.2.1.13. application-info . . . . . . . . . . . . . . . . . 19
7.2.2. SCAP Core . . . . . . . . . . . . . . . . . . . . . . 19
7.2.2.1. checkReferenceType . . . . . . . . . . . . . . . . 19
7.2.2.2. checkSearchType . . . . . . . . . . . . . . . . . 20
7.2.2.3. searchableCpeReferencesType . . . . . . . . . . . 20
7.2.2.4. controlMappingsType . . . . . . . . . . . . . . . 20
7.2.2.5. controlMappingType . . . . . . . . . . . . . . . . 21
7.2.2.6. mappingInstanceType . . . . . . . . . . . . . . . 21
7.2.2.7. assessmentMethodType . . . . . . . . . . . . . . . 21
7.2.2.8. cpeNamePatternType . . . . . . . . . . . . . . . . 22
7.2.2.9. cpeSearchableNamePatternType . . . . . . . . . . . 22
7.2.2.10. cpeComponentPatternType . . . . . . . . . . . . . 23
7.2.2.11. cpePartComponentPatternType . . . . . . . . . . . 23
7.2.2.12. cweNamePatternType . . . . . . . . . . . . . . . . 23
7.2.3. CVSS v2 . . . . . . . . . . . . . . . . . . . . . . . 23
7.2.3.1. ciaRequirementEnumType . . . . . . . . . . . . . . 23
7.2.3.2. collateralDamagePotentialEnumType . . . . . . . . 23
7.2.3.3. targetDistributionEnumType . . . . . . . . . . . . 23
7.2.3.4. ciaEnumType . . . . . . . . . . . . . . . . . . . 24
7.2.3.5. authenticationEnumType . . . . . . . . . . . . . . 24
7.2.3.6. remediationLevelEnumType . . . . . . . . . . . . . 24
7.2.3.7. confidenceEnumType . . . . . . . . . . . . . . . . 24
7.2.3.8. exploitabilityEnumType . . . . . . . . . . . . . . 24
7.2.3.9. zeroToTenDecimalType . . . . . . . . . . . . . . . 24
7.2.3.10. accessComplexityEnumType . . . . . . . . . . . . . 25
7.2.3.11. accessVectorEnumType . . . . . . . . . . . . . . . 25
7.2.3.12. accessComplexityType . . . . . . . . . . . . . . . 25
7.2.3.13. accessVectorType . . . . . . . . . . . . . . . . . 25
7.2.3.14. ciaRequirementType . . . . . . . . . . . . . . . . 26
7.2.3.15. collateralDamagePotentialType . . . . . . . . . . 26
7.2.3.16. targetDistributionType . . . . . . . . . . . . . . 26
7.2.3.17. ciaType . . . . . . . . . . . . . . . . . . . . . 27
7.2.3.18. authenticationType . . . . . . . . . . . . . . . . 27
7.2.3.19. remediationLevelType . . . . . . . . . . . . . . . 28
7.2.3.20. confidenceType . . . . . . . . . . . . . . . . . . 28
7.2.3.21. exploitabilityType . . . . . . . . . . . . . . . . 28
7.2.3.22. cvssType . . . . . . . . . . . . . . . . . . . . . 29
7.2.3.23. cvssImpactType . . . . . . . . . . . . . . . . . . 29
7.2.3.24. cvssImpactBaseType . . . . . . . . . . . . . . . . 29
7.2.3.25. cvssImpactTemporalType . . . . . . . . . . . . . . 30
7.2.3.26. cvssImpactEnvironmentalType . . . . . . . . . . . 30
7.2.3.27. metricsType . . . . . . . . . . . . . . . . . . . 30
7.2.3.28. baseMetricsType . . . . . . . . . . . . . . . . . 31
7.2.3.29. environmentalMetricsType . . . . . . . . . . . . . 32
7.2.3.30. temporalMetricsType . . . . . . . . . . . . . . . 33
7.2.4. Vulnerability Data Model XML . . . . . . . . . . . . . 33
7.2.4.1. vulnerabilityType . . . . . . . . . . . . . . . . 34
7.2.4.2. vulnerabilityIdType . . . . . . . . . . . . . . . 36
7.2.4.3. metadataType . . . . . . . . . . . . . . . . . . . 36
7.2.4.4. targetedTextType . . . . . . . . . . . . . . . . . 37
7.2.4.5. textTargetInformationType . . . . . . . . . . . . 38
7.2.4.6. extendedLifecycleEventType . . . . . . . . . . . . 38
7.2.4.7. vulnerabilityReferencesType . . . . . . . . . . . 38
7.2.4.8. vulnerableSoftwareType . . . . . . . . . . . . . . 39
7.2.4.9. vulnerableConfigurationType . . . . . . . . . . . 39
7.2.4.10. vulnerabilityReferenceType . . . . . . . . . . . . 40
7.2.4.11. impactType . . . . . . . . . . . . . . . . . . . . 41
7.2.4.12. cvss2ImpactType . . . . . . . . . . . . . . . . . 42
7.2.4.13. deprecationType . . . . . . . . . . . . . . . . . 42
7.2.4.14. supersessionType . . . . . . . . . . . . . . . . . 43
7.2.4.15. cweReferenceType . . . . . . . . . . . . . . . . . 44
8. Controlled Vocabularies . . . . . . . . . . . . . . . . . . . 44
8.1. event-type . . . . . . . . . . . . . . . . . . . . . . . . 44
8.2. intended-uses . . . . . . . . . . . . . . . . . . . . . . 45
8.3. content-type . . . . . . . . . . . . . . . . . . . . . . . 47
8.4. reference-type . . . . . . . . . . . . . . . . . . . . . . 47
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 48
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48
11. Security Considerations . . . . . . . . . . . . . . . . . . . 48
12. Normative References . . . . . . . . . . . . . . . . . . . . . 49
Appendix A. Use Cases . . . . . . . . . . . . . . . . . . . . . . 49
A.1. OEM Vendor Statements . . . . . . . . . . . . . . . . . . 50
A.2. Security Researchers . . . . . . . . . . . . . . . . . . . 50
A.3. System Design and Planning . . . . . . . . . . . . . . . . 50
A.4. Assessment Content Authoring . . . . . . . . . . . . . . . 51
A.5. Certification and Accreditation . . . . . . . . . . . . . 51
Appendix B. VDM Examples . . . . . . . . . . . . . . . . . . . . 52
B.1. Sample 1 . . . . . . . . . . . . . . . . . . . . . . . . . 53
B.2. Sample 2 . . . . . . . . . . . . . . . . . . . . . . . . . 54
B.3. Sample 3 . . . . . . . . . . . . . . . . . . . . . . . . . 55
B.4. Sample 4 . . . . . . . . . . . . . . . . . . . . . . . . . 58
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 60
1. Introduction
A vulnerability may be defined as an error, flaw, or mistake in
computer software that permits or causes an unintended behavior to
occur. As an example, the Common Vulnerabilities and Exposures (CVE)
dictionary provides a list of known vulnerabilities. Since the
unintended behavior of a vulnerability often has computer security
implications, exchanging vulnerability information to understand the
impact of a vulnerability to an enterprise, and to prioritize
remediation is often desirable.
Sharing vulnerability information among individuals, products, and
organizations has been challenging because of a lack of standardized
vulnerability data fields, vocabularies, and formats. The National
Vulnerability Database (NVD) has been producing vulnerability
information for over ten years, and this document describes and
improves upon the data feeds currently provided by the NVD to
establish the Vulnerability Data Model (VDM); a common basis upon
which to share vulnerability information. The Vulnerability Data
Model facilitates communication of vulnerability information by
enumerating common data fields and vocabularies useful for describing
individual vulnerabilities.
The vulnerability data model and associated exchange format are
intended for use by universal vulnerability data feeds, such as those
that would be produced by a vulnerability database or security
service provider for consuming organizations. Additionally, the
vulnerability data model exchange format incorporates extension
points to allow producer specific data to be incorporated into a data
feed which may be optionally processed by a consuming organization
that understands the producer specific data.
1.1. Purpose and Scope
This report defines the Vulnerability Data Model and XML data
exchange format. The report gives an introduction to VDM version
1.0, defines the vulnerability data model, and documents conformance
requirements to comply with VDM 1.0. The vulnerability data model
has been divided into four component models: vulnerability core, CVSS
version 2, metadata core, and SCAP core models. Other versions of
VDM are not addressed here. Future versions of VDM will be defined
in distinct revisions of this report, each clearly labeled with a
revision number and the appropriate VDM version number.
This report does not describe the queries, instructions, methods,
processes, or data required to produce a VDM document. This report
does not describe how to transform any specific data model or data
set into a VDM document. This report provides normative guidance
relating to the production and consumption of the XML vulnerability
data model format. The appendices contain additional information
about how to use VDM.
1.2. Audience
This document is intended for individuals or organizations intending
to make use of the vulnerability data model to either produce or
consume vulnerability information. Possible uses of the
vulnerability data model may be as part of a product or service
delivery effort such as a vulnerability database or vulnerability
scanning tool, by vendors wishing to supply vulnerability information
to end users in a human readable format, and by researchers
analyzing vulnerability information. Readers of this report should
already be familiar with basic vulnerability characteristics and
concepts.
1.3. Document Structure
The remainder of this document is organized into the following major
sections:
o Section 2 defines the document's conventions.
o Section 3 defines the terms used within this specification and
provides a list of common abbreviations.
o Section 4 describes how this specification relates to other
standards and specifications.
o Section 5 defines the conformance requirements for VDM.
o Section 6 provides an overview of the VDM data model constructs
and key concepts.
o Section 7 documents the VDM data model.
o Section 8 lists existing controlled vocabulary items.
o Section 9 provides acknowledgments for the document.
o Section 10 discusses IANA considerations.
o Section 11 discusses security considerations.
o Section 12 provides a list of normative references for the
document.
o Appendix A describes use cases for VDM.
o Appendix B provides some VDM examples.
2. Document Conventions
Throughout this specification, when referencing a normative
reference, the name will be written between brackets, such as [XSD].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
XML elements [XML] are referred to using qualified names when they
are not in the VDM namespace. Elements with no prefix can be assumed
to be in the VDM namespace, unless otherwise noted. A qualified name
associates a named element with a namespace. The namespace
identifies the specific XML schema that defines (and consequently may
be used to validate) the syntax of the element instance. A qualified
name declares this schema to element association using the format
'prefix:element-name'. The association of prefix to namespace is
defined in the metadata of an XML document and varies from document
to document. In this specification, the conventional mappings listed
in Table 1 are used.
+-----------+-----------------------------------------------+---------------------+-----------------+
| Prefix    | Namespace URI                                 | Schema              | Reference       |
+-----------+-----------------------------------------------+---------------------+-----------------+
| cpe-lang  | http://cpe.mitre.org/language/2.0             | CPE                 | [CPE]           |
| cvssv2    | http://scap.nist.gov/schema/cvss-v2/0.2       | CVSS v2             | [CVSSv2]        |
| meta      | http://scap.nist.gov/schema/metadata-core/1.0 | Metadata Core       | [METADATA-CORE] |
| scap-core | http://scap.nist.gov/schema/scap-core/1.0     | SCAP Core           | [SCAP-CORE]     |
| xsd       | http://www.w3.org/2001/XMLSchema              | XML Schema          | [XSD]           |
| xsi       | http://www.w3.org/2001/XMLSchema-instance     | XML Schema Instance |                 |
+-----------+-----------------------------------------------+---------------------+-----------------+
Table 1: Conventional XML Mappings
3. Terms and Abbreviations
This section defines a set of common terms and abbreviations used
within this specification.
3.1. Terms
Vulnerability: An error, flaw, or mistake in computer software that
permits or causes an unintended behavior to occur.
Data Source: The origin of the vulnerability data.
3.2. Acronyms
CPE - Common Platform Enumeration
CVE - Common Vulnerabilities and Exposures
CVSS - Common Vulnerability Scoring System
CWE - Common Weakness Enumeration
IR - Interagency Report
IT - Information Technology
NIST - National Institute of Standards and Technology
OVAL - Open Vulnerability and Assessment Language
SCAP - Security Content Automation Protocol
SP - Special Publication
URI - Uniform Resource Identifier
USGCB - United States Government Configuration Baseline
VDM - Vulnerability Data Model
W3C - World Wide Web Consortium
XCCDF - Extensible Configuration Checklist Description Format
XML - Extensible Markup Language
XSD - XML Schema
XSLT - Extensible Stylesheet Language Transformations
4. Relationship to Existing Standards and Specifications
VDM's relationships to other selected specifications are described
below.
CPE - VDM leverages CPE to identify affected platforms and products.
Information about the CPE specification can be found at:
http://scap.nist.gov/specifications/cpe/.
5. Conformance
Developers and organizations may want to build products in
conformance with VDM to foster consistency and interoperability of
their own products. End-user organizations may wish to require
conformance with VDM in order to have a predictable defined format
that products and tools used within their environment will produce
and consume. In addition, products that conform to this
specification will be better able to interoperate and exchange
reporting information with other products that conform to VDM.
Products may want to claim conformance with this specification to
advertise their interoperability with other VDM compliant tools and
repositories, as well as to meet requirements set by other
specifications or organizations.
The following sections define the criteria for content and products
to claim conformance with this specification.
5.1. Capability Conformance
There are two types of VDM capabilities: producers and consumers. A
producer has the capability to generate VDM documents, while a
consumer has the capability to accept an existing VDM document and
process it. To claim conformance to one or more capabilities defined
within this specification the following requirements SHALL be adhered
to:
1. For producer capability, generate well-formed content as defined
in Section 5.2.
2. For consumer capability, accept and process well-formed content
as defined in Section 5.2.
3. Make an explicit claim of conformance to this specification in
any documentation provided to end users.
5.2. Content Conformance
In order for a VDM document to be considered in compliance with this
specification, the report MUST adhere to the following requirements:
1. The VDM document SHALL conform to all of the normative guidance
provided in Section 7.
6. Vulnerability Data Model Overview and Key Concepts
This section provides an overview of the vulnerability data model
structure and design philosophy. The data model defines a format for
representing one or more collections of data. The following sections
introduce the key concepts of the vulnerability data model.
The vulnerability data model was designed in a modular fashion, with
multiple schemas developed to encourage composability and
reusability. Items with similar properties and uses are grouped into
the same namespace.
===============
|Vuln Data Model|
===============
|
|
|
+-----------------+----------------+
| | |
| | |
========= ============= ========
|SCAP Core|-----|Metadata Core| | CVSSv2 |
========= ============= ========
o Metadata Core: The metadata core schema provides elements that
store information about the record itself, as well as common types
that are used in other schemas. The metadata includes entities
for status history, text types, references, and document
generators.
o SCAP Core: The SCAP core schema provides types that represent
entities from additional SCAP specifications and schemas.
o CVSS v2: The CVSS v2 schema represents CVSS version 2 scores. The
information includes CVSS base metrics, environmental metrics and
temporal metrics.
o Vulnerability Data Model: The vulnerability data model provides a
representation of the vulnerability information.
7. Data Model Description
This section describes the requirements for the vulnerability data
model manifested as Extensible Markup Language (XML). Section 7.1
provides a conceptual overview of the data model, while Section 7.2
examines the actual XML data model in detail.
7.1. XML Data Model Introduction
The vulnerability element is the root element of the Vulnerability
Data Model; it is of the vulnerabilityType type. It contains
identification, metadata, and additional information about an
individual Vulnerability in a vulnerability document.
7.2. XML Data Model Requirements
In order to comply with the VDM data model,
o The user MUST produce an XML vdm:vulnerability element consistent
with the data model described below.
o The XML element produced MUST validate against the XSD for
Vulnerability Data Model 1.0 listed at
http://scap.nist.gov/specifications/. In situations where the
XSD does not match the documented model in this specification,
this document SHALL take precedence.
The following tables formalize the data model. The data contained in
the tables are requirements and MUST be interpreted as follows:
o The "Element Name" field indicates the name for the XML element
being described. Each element name has a namespace prefix
indicating the namespace to which the element belongs. See
Table 1 for a mapping of namespace prefixes to namespaces.
o The "Definition" field indicates the prose description of the
element. The definition field MAY contain requirement words as
indicated in [RFC2119].
o The "Properties" field is broken into four subfields:
* The "Name" column indicates the name of a property that MAY or
MUST be included in the described element, in accordance with
the cardinality indicated in the "Count" field
* The "Type" column indicates the REQUIRED data type for the
value of the property. There are three categories of types:
literal, element, and special. A literal type will indicate
the type of literal as defined in [XSD]. An element type will
reference the name of another element that defines that
property. A special type is listed when the type is neither
literal nor element. The special type will indicate the nature
of permitted content, such as allowing any XML to be used.
* The "Count" column indicates the cardinality of the property
within the element. The property MUST be included in the
element in accordance with the cardinality. If a range is
given, and "n" is the upper-bound of the range, then the upper
limit is unbounded.
* The "Definition" column defines the property in the context of
the element. The definition MAY contain requirement words as
indicated in [RFC2119].
7.2.1. Metadata Core
The metadata core schema contains common data types and elements
intended to record information about record entities themselves
instead of the items represented by the record.
7.2.1.1. dottedVersionType
The dotted version type defines a format used to represent
incremental changes to an item's content. It consists of up to 4
integer values, separated by the '.' character. General usage is to
increment a part based on the extent of the change, with the
rightmost part indicating insignificant changes, and the leftmost
part indicating major changes.
When comparing dottedVersionType values the following logic SHALL be
used: Assuming you have 2 dottedVersionType values A and B, each
value is to be split into its 4 components on the '.' character. If
a value does not have all 4 components, the missing components will
be considered to have a value of 0 for comparison purposes. Once all
components have been extracted, A1 will be compared to B1. If A1 is
greater than B1 then A is greater than B. If A1 is less than B1 then
A is less than B. If A1 is equal to B1 then A2 is compared to B2
using the same logic, then A3 and B3 and finally A4 and B4. If all 4
parts of A are equal to all 4 corresponding parts of B then A is
equal to B.
+-------------+-----------------------------------------------------+
| Type Name   | dottedVersionType                                   |
+-------------+-----------------------------------------------------+
| Definition  | Defines a dotted version type of 1 - 4 dotted       |
|             | decimal parts.                                      |
| Description | Values must match the following regular expression: |
|             | \d+(\.\d+){0,3}                                     |
+-------------+-----------------------------------------------------+
Table 2: dottedVersionType
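The comparison rule in Section 7.2.1.1, as an added Python example (it is not code from this draft or from the NVD). It assumes the Table 2 pattern with the {0,3} quantifier and Python 3.7 or later; the function names are this example's own. The point a consumer most often gets wrong is that the parts are integers, so "1.10" is newer than "1.9" even though it sorts lower as a string:

```python
import re
from functools import cmp_to_key
from typing import Iterable, Tuple

# Table 2 pattern: one to four decimal parts separated by '.'.
DOTTED_VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")


def parse_dotted_version(value: str) -> Tuple[int, int, int, int]:
    """Validate a dottedVersionType value and split it into four integers.

    Missing trailing components are treated as 0, as Section 7.2.1.1
    requires for comparison purposes, so "1.2" and "1.2.0.0" compare equal.
    fullmatch() is used so that trailing garbage (or a newline) is rejected.
    """
    if not DOTTED_VERSION_RE.fullmatch(value):
        raise ValueError("not a dottedVersionType value: %r" % (value,))
    parts = [int(p) for p in value.split(".")]
    parts.extend([0] * (4 - len(parts)))
    return parts[0], parts[1], parts[2], parts[3]


def compare_dotted_versions(a: str, b: str) -> int:
    """Return 1 if a > b, -1 if a < b and 0 if they are equal, using the
    draft's left-to-right rule: A1 against B1, then A2 against B2, and so on.
    Components are compared numerically, never as strings."""
    for x, y in zip(parse_dotted_version(a), parse_dotted_version(b)):
        if x > y:
            return 1
        if x < y:
            return -1
    return 0


def newest_revision(revisions: Iterable[str]) -> str:
    """Pick the highest of several revision attribute values, e.g. to decide
    which copy of a mutableRecordType record is the current one."""
    return max(revisions, key=cmp_to_key(compare_dotted_versions))


if __name__ == "__main__":
    for a, b in (("1.2", "1.2.0.0"), ("1.10", "1.9"), ("2", "1.9.9.9")):
        print(a, b, compare_dotted_versions(a, b))
    print(newest_revision(["1.2", "1.10", "1.9.1"]))
```

Leading zeros are accepted by the pattern and discarded by int(), so "01.2" and "1.2" are the same version; a producer that wants them distinguished needs a stricter profile than the draft gives.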
7.2.1.2. entityStatusEnumerationType
The entityStatusEnumerationType provides a list of general status
values intended to be used with a wide variety of entity types.
+-------------+-----------------------------------------------------+
| Type Name   | entityStatusEnumerationType                         |
+-------------+-----------------------------------------------------+
| Definition  | An enumeration of various status types that may be  |
|             | used with various entities.                         |
| Description | The value must be one of the following:             |
|             | NEW - Indicates that the entity was created after   |
|             | some other event. This may be a specific date, or   |
|             | may be in relation to a lifecycle event of another  |
|             | entity.                                             |
+-------------+-----------------------------------------------------+
Table 3: entityStatusEnumerationType
7.2.1.3. recordStatusEnumType
The recordStatusEnumType provides a list of status types that can be
used to indicate the state of a record or data entry.
+-------------+-----------------------------------------------------+
| Type Name   | recordStatusEnumType                                |
+-------------+-----------------------------------------------------+
| Definition  | An enumeration of possible record statuses based on |
|             | the CPE dictionary lifecycle process. Reference the |
|             | CPE dictionary lifecycle process.                   |
| Description | Available enumeration values:                       |
|             | NEW - A newly created record that has not undergone |
|             | moderation.                                         |
|             | DRAFT - A record that has been reviewed by one or   |
|             | more moderators, but that has not completed the     |
|             | review process.                                     |
|             | FINAL - A record that has completed the moderation  |
|             | process. It is recommended that records with this   |
|             | status are the only records included in the data    |
|             | dictionary.                                         |
|             | REVISED - Indicates that a record that was once in  |
|             | the FINAL state has been updated.                   |
|             | RETIRED - Used when a record was once in the FINAL  |
|             | state, but has been removed from the data           |
|             | dictionary. This is typical if the record is no     |
|             | longer in general use.                              |
|             | REJECTED - This state indicates that the record was |
|             | rejected during the moderation process. Records     |
|             | with this state will never be posted to the data    |
|             | dictionary and should not be used.                  |
+-------------+-----------------------------------------------------+
Table 4: recordStatusEnumType
7.2.1.4. statusHistoryType
The statusHistoryType defines a data element that may be used to
track the status changes of an entity over time. It is a list of
date qualified status transitions. Extends
meta-core:recordStatusEnumType.
+------------------+---------+-------+-----------------------+
| Name             | Type    | Count | Definition            |
+------------------+---------+-------+-----------------------+
| date (attribute) | xs:date | 1     | The date of the event |
| time (attribute) | xs:time | 0-1   | The time of the event |
+------------------+---------+-------+-----------------------+
Table 5: statusHistoryType Properties
7.2.1.5. recordType
The recordType defines a base type that may be extended by
additional types that utilize the CPE dictionary lifecycle.
+----------------+----------------------+-------+-------------------+
| Name           | Type                 | Count | Definition        |
+----------------+----------------------+-------+-------------------+
| status         | meta-core:           | 1     | The status of the |
| (attribute)    | recordStatusEnumType |       | record            |
| status-history | meta-core:           | 1     | A date qualified  |
| (element)      | statusHistoryType    |       | list of status    |
|                |                      |       | changes to a      |
|                |                      |       | record            |
+----------------+----------------------+-------+-------------------+
Table 6: recordType Properties
7.2.1.6. mutableRecordType
The mutableRecordType defines a record type that is intended to be
modified. It is based on the metadata recordType (it extends
recordType).
+-------------------+-----------------------------+-------+----------------------------+
| Name              | Type                        | Count | Definition                 |
+-------------------+-----------------------------+-------+----------------------------+
| modification-date | xs:dateTime                 | 1     | The date/time at which the |
| (attribute)       |                             |       | record was last modified   |
| revision          | meta-core:dottedVersionType | 0-1   | The version of the record  |
| (attribute)       |                             |       |                            |
+-------------------+-----------------------------+-------+----------------------------+
Table 7: mutableRecordType Properties
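A consumer-side consistency check over the record lifecycle of Sections 7.2.1.3 to 7.2.1.6, as an added Python example (not code from this draft or from the NVD). It reads the status attribute and the status-history children of a recordType instance and checks them against the Table 4 definitions: REVISED and RETIRED are only reachable from a record that was once FINAL, REJECTED records are never to be used, and only FINAL records are recommended for a data dictionary. Assumptions, beyond what the draft states: the wrapping <record> element is hypothetical (the draft defines the type, not an element name), the status-history elements are taken to be in the metadata-core namespace of Table 1 and may repeat, and the status attribute is expected to mirror the most recent transition. The sample record is constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime, time
from typing import List, Union

META_CORE_NS = "http://scap.nist.gov/schema/metadata-core/1.0"  # Table 1
STATUS_HISTORY = "{%s}status-history" % META_CORE_NS

# recordStatusEnumType values (Table 4).
RECORD_STATUSES = ("NEW", "DRAFT", "FINAL", "REVISED", "RETIRED", "REJECTED")
# Table 4 defines these two as states a record reaches only after being FINAL.
REQUIRES_PRIOR_FINAL = ("REVISED", "RETIRED")

# Constructed sample; <record> is a hypothetical element carrying the
# recordType status attribute and status-history children.
SAMPLE_RECORD = """<record xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0"
        status="REVISED">
  <meta:status-history date="2012-09-01">NEW</meta:status-history>
  <meta:status-history date="2012-09-10" time="14:30:00">DRAFT</meta:status-history>
  <meta:status-history date="2012-10-01">FINAL</meta:status-history>
  <meta:status-history date="2012-10-15">REVISED</meta:status-history>
</record>"""


def _when(event: ET.Element) -> datetime:
    """Ordering key for a statusHistoryType element: the required xs:date
    attribute plus the optional xs:time attribute (Table 5)."""
    d = date.fromisoformat(event.get("date"))           # TypeError if missing
    t = time.fromisoformat(event.get("time", "00:00:00"))
    return datetime.combine(d, t)


def check_record_lifecycle(record: Union[str, ET.Element]) -> List[str]:
    """Return findings for a recordType instance; an empty list means the
    status attribute and status-history agree with the Table 4 lifecycle."""
    if isinstance(record, str):
        record = ET.fromstring(record)
    findings = []
    status = record.get("status")
    if status not in RECORD_STATUSES:
        findings.append("status attribute %r is not a recordStatusEnumType value" % (status,))

    events = record.findall(STATUS_HISTORY)
    if not events:
        findings.append("recordType requires a status-history element")
        return findings
    try:
        events = sorted(events, key=_when)              # chronological, not document order
    except (TypeError, ValueError) as exc:
        findings.append("status-history has a missing or malformed date/time: %s" % exc)
        return findings

    been_final = False
    for ev in events:
        value = (ev.text or "").strip()
        if value not in RECORD_STATUSES:
            findings.append("status-history value %r on %s is not a recordStatusEnumType value"
                            % (value, ev.get("date")))
            continue
        if value in REQUIRES_PRIOR_FINAL and not been_final:
            findings.append("%s on %s but the record was never FINAL" % (value, ev.get("date")))
        if value == "FINAL":
            been_final = True

    # Assumption: the status attribute mirrors the most recent transition.
    last = (events[-1].text or "").strip()
    if status in RECORD_STATUSES and status != last:
        findings.append("status attribute %s disagrees with latest transition %s" % (status, last))
    if status == "REJECTED":
        findings.append("REJECTED records are never posted and should not be used")
    return findings


def is_publishable(record: Union[str, ET.Element]) -> bool:
    """Table 4 recommends that only FINAL records go into a data dictionary."""
    if isinstance(record, str):
        record = ET.fromstring(record)
    return record.get("status") == "FINAL" and not check_record_lifecycle(record)


if __name__ == "__main__":
    print(check_record_lifecycle(SAMPLE_RECORD))   # [] for the sample
    print(is_publishable(SAMPLE_RECORD))           # False: REVISED, not FINAL
```

The check sorts transitions by their date and time rather than trusting document order, so a producer that appends history entries out of sequence is still judged on what actually happened; a consumer that drops non-FINAL records from its own dictionary can use is_publishable() as the gate.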
7.2.1.7. localeTextType
The localeTextType defines a string based element that allows the
specification of a language. This type allows the xml:lang attribute
to associate a specific language with an element's string content.
The default value is 'en-US'. Extends xsd:string.
+--------------+----------+-------+---------------------------------+
| Name         | Type     | Count | Definition                      |
+--------------+----------+-------+---------------------------------+
| lang         | xml:lang | 0-1   | Specifies the language of the   |
| (attribute)  |          |       | text element.                   |
+--------------+----------+-------+---------------------------------+
Table 8: localeTextType Properties
7.2.1.8. localeNotesType
The localeNotesType defines a container that may contain one or more
metadata core localeTextType elements. It is intended to provide a
location for additional information to provide about an entity. This
type defines an element that consists of one or more child note
elements. It is assumed that each of these note elements is
representative of the same language as defined by its parent.
+------------+--------------------------+-------+-------------------+
| Name       | Type                     | Count | Definition        |
+------------+--------------------------+-------+-------------------+
| note       | meta-core:localeTextType | 1-n   | A note in a given |
| (element)  |                          |       | language.         |
+------------+--------------------------+-------+-------------------+
Table 9: localeNotesType Properties
7.2.1.9. referenceItemType
The referenceItemType extends the metadata core localeTextType entity
to include an optional URI reference indicating the location of the
source material or to provide additional information or context.
This would normally be used to point to extra descriptive material,
the supplier's web site, or the platform documentation. It consists
of a piece of text (intended to be human-readable) and a URI
(intended to be a URL, and point to a real resource). Extends
meta-core:localeTextType.
+------------------+-----------+-------+---------------+
| Name             | Type      | Count | Definition    |
+------------------+-----------+-------+---------------+
| href (attribute) | xs:anyURI | 0-1   | URI reference |
+------------------+-----------+-------+---------------+
Table 10: referenceItemType Properties
7.2.1.10. referenceType
The referenceType defines a container that may be used to hold one or
more metadata core referenceItemType entities.
+-----------+-----------------------------+-------+-----------------+
| Name | Type | Count | Definition |
+-----------+-----------------------------+-------+-----------------+
| item | meta-core:referenceItemType | 1-n | A collection of |
| (element) | | | one or more |
| | | | locale specific |
| | | | reference items |
+-----------+-----------------------------+-------+-----------------+
Table 11: referenceType Properties
7.2.1.11. referencesType
The referencesType defines a container that may hold one or more
metadata core referenceType entities.
+---------------+-------------------------+-------+-----------------+
| Name          | Type                    | Count | Definition      |
+---------------+-------------------------+-------+-----------------+
| reference     | meta-core:referenceType | 1-n   | A collection of |
| (element)     |                         |       | reference items |
+---------------+-------------------------+-------+-----------------+
Table 12: referencesType Properties
7.2.1.12. generatorType
The generatorType defines an element that stores information about
the compilation of a specific instance of output containing
vulnerability information: when the document was compiled, what
version of the schema was used, what tool compiled the document and
what version of that tool was used. Additional generator information
is also allowed although it is not part of the official schema.
Individual organizations can place there whatever generator
information they consider important; such content is skipped during
validation, so consumers should treat it as unvalidated input. All
that the schema requires is that the stated generator information is
present.
+--------------+------------------------+-------+-------------------+
| Name         | Type                   | Count | Definition        |
+--------------+------------------------+-------+-------------------+
| product      | scap-core:cpeNamePatte | 1     | The CPE name of   |
| (element)    | rnType                 |       | the tool used to  |
|              |                        |       | generate the file |
| schema_versi | meta-core:dottedVersio | 1     | The version of    |
| on (element) | nType                  |       | the schema that   |
|              |                        |       | the document has  |
|              |                        |       | been written      |
|              |                        |       | against and that  |
|              |                        |       | should be used    |
|              |                        |       | for validation.   |
| timestamp    | xs:dateTime            | 1     | When the          |
| (element)    |                        |       | particular        |
|              |                        |       | document was      |
|              |                        |       | compiled, in      |
|              |                        |       | xs:dateTime form  |
|              |                        |       | (yyyy-mm-ddThh:mm |
|              |                        |       | :ss). This is not |
|              |                        |       | when an           |
|              |                        |       | individual item   |
|              |                        |       | in the document   |
|              |                        |       | was created or    |
|              |                        |       | modified, but     |
|              |                        |       | when the XML      |
|              |                        |       | document that     |
|              |                        |       | contains the      |
|              |                        |       | items was         |
|              |                        |       | created. For      |
|              |                        |       | example, a        |
|              |                        |       | document might    |
|              |                        |       | pull together     |
|              |                        |       | existing items    |
|              |                        |       | each created at   |
|              |                        |       | some point in the |
|              |                        |       | past; the         |
|              |                        |       | timestamp is then |
|              |                        |       | when this         |
|              |                        |       | combined document |
|              |                        |       | was created.      |
| application- | meta-core:application- | 0-n   | An extensibility  |
| info         | info                   |       | point.            |
| (element)    |                        |       |                   |
+--------------+------------------------+-------+-------------------+
Table 13: generatorType Properties
7.2.1.13. application-info
The application-info element provides an extensibility point,
allowing individual applications to include additional information in
the data model as needed.
+---------------------+------+-------+------------------------------+
| Name | Type | Count | Definition |
+---------------------+------+-------+------------------------------+
| ##other (attribute) | Any | 0-1 | Allows additional attributes |
| ##any (element) | Any | 0-n | Allows additional elements |
+---------------------+------+-------+------------------------------+
Table 14: application-info Properties
7.2.2. SCAP Core
SCAP Core defines various SCAP data types and id formats for use in
the vulnerability data model.
7.2.2.1. checkReferenceType
The checkReferenceType represents a checking system together with a
check identifier, which together name a method of detecting the
presence of the vulnerability on an asset. It is the data type for
the check element and consists of a URI specific to a checking system
specification, string content, and an optional external file
reference. The checking system specification should be the URI for a
particular version of OVAL or a related system testing language, and
the content is the identifier of a test written in that language. The
external file reference may point to the file in which the referenced
test is defined. The checkReferenceType extends the checkSearchType.
+-------------+------------+-------+--------------------------------+
| Name        | Type       | Count | Definition                     |
+-------------+------------+-------+--------------------------------+
| href        | xsd:anyURI | 1     | Identifies the file in which   |
| (attribute) |            |       | the check exists               |
+-------------+------------+-------+--------------------------------+
Table 15: checkReferenceType Properties
7.2.2.2. checkSearchType
The checkSearchType defines a searchable check identifier that can be
used to locate a check in a repository: it identifies the checking
system and the id of the check within that system.
+--------------------+------------+-------+----------------------------+
| Name               | Type       | Count | Definition                 |
+--------------------+------------+-------+----------------------------+
| system (attribute) | xsd:anyURI | 1     | URI identifying the        |
|                    |            |       | checking system (e.g. a    |
|                    |            |       | particular OVAL version).  |
| name (attribute)   | xsd:token  | 0-1   | Identifier of the check    |
|                    |            |       | within that system.        |
+--------------------+------------+-------+----------------------------+
Table 16: checkSearchType Properties
7.2.2.3. searchableCpeReferencesType
Defines the representation of a CPE construct that may be used to
search a CPE data source for a particular set of CPEs.
+-------------------+---------------------------+------+------------+
| Name | Type | Coun | Definition |
| | | t | |
+-------------------+---------------------------+------+------------+
| cpe-name | cpeNamePatternType | 1-n | |
| (element) | | | |
| cpe-searchable-na | cpeSearchableNamePatternT | 1-n | |
| me (element) | ype | | |
+-------------------+---------------------------+------+------------+
Table 17: searchableCpeReferencesType Properties
7.2.2.4. controlMappingsType
The controlMappingsType defines a container that may be used to hold
one or more SCAP Core controlMappingType entities.
+-------------------------+--------------------+-------+------------+
| Name | Type | Count | Definition |
+-------------------------+--------------------+-------+------------+
| control-mapping | controlMappingType | 1-n | |
| (element) | | | |
+-------------------------+--------------------+-------+------------+
Table 18: controlMappingsType Properties
7.2.2.5. controlMappingType
The controlMappingType defines a mapping of the vulnerability to a
control or requirement in a published security guidance document.
+------------------------+---------------------+-------+------------+
| Name | Type | Count | Definition |
+------------------------+---------------------+-------+------------+
| system-id (attribute) | xsd:anyURI | 1 | |
| source (attribute) | xsd:anyURI | 1 | |
| last-modified | xsd:dateTime | 1 | |
| (attribute) | | | |
| mapping (element) | mappingInstanceType | 0-n | |
+------------------------+---------------------+-------+------------+
Table 19: controlMappingType Properties
7.2.2.6. mappingInstanceType
The mappingInstanceType defines a format to identify an id in an
external system that specifies security requirements. Extends
xsd:token.
+-----------------------+--------------+-------+------------+
| Name | Type | Count | Definition |
+-----------------------+--------------+-------+------------+
| published (attribute) | xsd:dateTime | 1 | |
+-----------------------+--------------+-------+------------+
Table 20: mappingInstanceType Properties
7.2.2.7. assessmentMethodType
The assessmentMethodType denotes a scanner, and any configuration it
requires, that is capable of detecting the referenced vulnerability.
It may instead name just an OVAL definition and omit the scanner
name. It identifies a tool and any associated information about the
tool, such as signature versions, that indicates the tool is capable
of properly detecting and/or remediating the vulnerability or
misconfiguration.
+-------------------+--------------------+-------+------------------+
| Name              | Type               | Count | Definition       |
+-------------------+--------------------+-------+------------------+
| assessment-check  | checkReferenceType | 1     | Identifies a     |
| (element)         |                    |       | check that can   |
|                   |                    |       | be used to       |
|                   |                    |       | detect the       |
|                   |                    |       | vulnerability or |
|                   |                    |       | misconfiguration |
| assessment-engine | cpeNamePatternType | 0-n   | The CPE name of  |
| (element)         |                    |       | the scanning     |
|                   |                    |       | tool. May be     |
|                   |                    |       | omitted when the |
|                   |                    |       | check is an OVAL |
|                   |                    |       | definition that  |
|                   |                    |       | needs no named   |
|                   |                    |       | scanner; when    |
|                   |                    |       | present, a value |
|                   |                    |       | must be          |
|                   |                    |       | supplied. The    |
|                   |                    |       | CPE name can be  |
|                   |                    |       | one from the     |
|                   |                    |       | NVD, the CPE     |
|                   |                    |       | title can carry  |
|                   |                    |       | an internal      |
|                   |                    |       | naming           |
|                   |                    |       | convention, or   |
|                   |                    |       | both.            |
+-------------------+--------------------+-------+------------------+
Table 21: assessmentMethodType Properties
7.2.2.8. cpeNamePatternType
The cpeNamePatternType defines a format for expressing a CPE name in
a vulnerability. It uses the CPE 2.2 URI form: the prefix 'cpe:/', an
optional part component ('h', 'o' or 'a' for hardware, operating
system or application), and up to six further colon-separated
components (vendor, product, version, update, edition and language).
Extends xsd:anyURI, with a pattern restriction of '[c][pP][eE]:/
[AHOaho]?(:[A-Za-z0-9._\-~]*){0,6}'. Note that, as written, the
pattern requires a lower-case initial 'c', and that XSD patterns are
anchored at both ends, so a consumer that re-implements the check
with a regular expression library must match the whole value.
7.2.2.9. cpeSearchableNamePatternType
The cpeSearchableNamePatternType defines a format for presenting
searchable CPE names in vulnerability data sources. The URI-escaped
sequence '%25' may be used to represent the character '%', which is
interpreted as a wildcard. Extends xsd:anyURI with a pattern
restriction of '[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~]*){0,6}'.
Note that this pattern is identical to that of cpeNamePatternType and
its component character class does not admit '%', so a value carrying
the '%25' escape does not satisfy the pattern as written; implementers
should check which restriction their schema actually enforces before
relying on the wildcard.
7.2.2.10. cpeComponentPatternType
The cpeComponentPatternType defines the allowable values of a CPE
Component (the name pattern of a CPE component). Extends xsd:token
with a pattern restriction of '[A-Za-z0-9._\-~]*'.
7.2.2.11. cpePartComponentPatternType
The cpePartComponentPatternType defines the allowable value for a CPE
part component (the name pattern of a CPE part component). Extends
cpeComponentPatternType with a pattern restriction of '[hoaHOA]'.
7.2.2.12. cweNamePatternType
The cweNamePatternType defines the representation of a CWE identifier
in a vulnerability data source. Extends xsd:token with a pattern
restriction of 'CWE-[1-9]\d{0,5}', i.e. the literal 'CWE-' followed
by one to six digits with no leading zero.
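As an added example (it is not part of the draft), the Python below applies the pattern restrictions of Sections 7.2.2.8, 7.2.2.9 and 7.2.2.12 the way a consumer should, splits a CPE 2.2 URI into its named components, and shows how a searchable name's '%' wildcard can be matched against concrete names once the '%25' escape is decoded. The regular expressions are copied from the draft; the component names come from the CPE 2.2 specification; the wildcard semantics (a '%' matches any run of characters) and the sample CPE names are assumptions made for this example.

```python
import re

# Pattern restrictions copied from the draft (Sections 7.2.2.8, 7.2.2.9 and
# 7.2.2.12). XSD patterns are implicitly anchored at both ends, so every check
# below uses fullmatch(); re.match() or re.search() would accept trailing junk.
CPE_NAME = re.compile(r"[c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9._\-~]*){0,6}")
CWE_NAME = re.compile(r"CWE-[1-9]\d{0,5}")

# CPE 2.2 URI component order (from the CPE 2.2 specification, not this draft).
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def is_cpe_name(value):
    """True if value satisfies the draft's cpeNamePatternType restriction."""
    return CPE_NAME.fullmatch(value) is not None


def is_cwe_name(value):
    """True if value satisfies the draft's cweNamePatternType restriction."""
    return CWE_NAME.fullmatch(value) is not None


def split_cpe(value):
    """Split a cpeNamePatternType value into named CPE 2.2 components.

    Trailing components the name does not carry are omitted; components that
    are present but empty (a '::' in the middle of the name) come back as ''.
    """
    if not is_cpe_name(value):
        raise ValueError(f"not a cpeNamePatternType value: {value!r}")
    return dict(zip(CPE_FIELDS, value[len("cpe:/"):].split(":")))


def searchable_matches(searchable, cpe_name):
    """Match a cpeSearchableNamePatternType value against a concrete CPE name.

    Assumption made for this example: once the '%25' escape is decoded, each
    '%' matches any run of characters (SQL LIKE semantics). The concrete name
    is validated first; the searchable value is not, because the draft's own
    pattern does not admit '%' and would reject it.
    """
    if not is_cpe_name(cpe_name):
        raise ValueError(f"not a cpeNamePatternType value: {cpe_name!r}")
    pieces = searchable.replace("%25", "%").split("%")
    return re.fullmatch(".*".join(map(re.escape, pieces)), cpe_name) is not None


if __name__ == "__main__":
    # Constructed sample names; not taken from the draft.
    for name in ("cpe:/a:apache:http_server:2.0.39",
                 "cpe:/o:microsoft:windows_xp::sp2",
                 "CPE:/a:apache:http_server",            # upper-case 'C' fails the pattern
                 "cpe:/a:apache:http_server:2.0.%25"):   # escaped wildcard fails the pattern
        print(f"{name:40} cpeNamePatternType={is_cpe_name(name)}")
    print(split_cpe("cpe:/o:microsoft:windows_xp::sp2"))
    print(searchable_matches("cpe:/a:apache:http_server:2.0.%25",
                             "cpe:/a:apache:http_server:2.0.39"))
```

The two rejected sample names show the consequences of taking the draft's patterns literally: the first byte must be a lower-case 'c', and a searchable name carrying '%25' fails the very pattern the draft assigns to it.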
7.2.3. CVSS v2
CVSS v2 defines various CVSS scoring components and representations
that may be used in the vulnerability data model.
7.2.3.1. ciaRequirementEnumType
The ciaRequirementEnumType defines the allowed values for the
confidentiality, integrity and availability requirement components of
the environmental CVSS vector.
Allowed enumeration values: LOW, MEDIUM, HIGH, NOT_DEFINED
7.2.3.2. collateralDamagePotentialEnumType
The collateralDamagePotentialEnumType defines the allowed values for
the collateral damage potential component of the environmental CVSS
vector.
Allowed enumeration values: NONE, LOW, LOW_MEDIUM, MEDIUM_HIGH, HIGH,
NOT_DEFINED
7.2.3.3. targetDistributionEnumType
The targetDistributionEnumType defines the allowed values for the
target distribution component of the environmental CVSS vector.
Allowed enumeration values: NONE, LOW, MEDIUM, HIGH, NOT_DEFINED
7.2.3.4. ciaEnumType
The ciaEnumType defines the allowed values for the confidentiality,
integrity and availability components of the base CVSS vector.
Allowed enumeration values: NONE, PARTIAL, COMPLETE
7.2.3.5. authenticationEnumType
The authenticationEnumType defines the allowed values for the
authentication component of the base CVSS vector.
Allowed enumeration values: MULTIPLE_INSTANCES, SINGLE_INSTANCE, NONE
7.2.3.6. remediationLevelEnumType
The remediationLevelEnumType defines the allowed values for the
remediation level component of the temporal CVSS vector.
Allowed enumeration values: OFFICIAL_FIX, TEMPORARY_FIX, WORKAROUND,
UNAVAILABLE, NOT_DEFINED
7.2.3.7. confidenceEnumType
The confidenceEnumType defines the allowed values for the report
confidence component of the temporal CVSS vector.
Allowed enumeration values: UNCONFIRMED, UNCORROBORATED, CONFIRMED,
NOT_DEFINED
7.2.3.8. exploitabilityEnumType
The exploitabilityEnumType defines the allowed values for the
exploitability component of the temporal CVSS vector.
Allowed enumeration values: UNPROVEN, PROOF_OF_CONCEPT, FUNCTIONAL,
HIGH, NOT_DEFINED
7.2.3.9. zeroToTenDecimalType
The zeroToTenDecimalType defines a type that can be used to represent
values from 0.0 to 10.0 with one decimal place, as used in CVSS
scores. It extends xsd:decimal with a restriction that values must
be between 0.0 and 10.0 inclusive.
7.2.3.10. accessComplexityEnumType
The accessComplexityEnumType defines the allowed values for the
access complexity component of the base CVSS vector.
Allowed enumeration values: HIGH, MEDIUM, LOW
7.2.3.11. accessVectorEnumType
The accessVectorEnumType defines the allowed values for the access
vector component of the base CVSS vector.
Allowed enumeration values: LOCAL, ADJACENT_NETWORK, NETWORK
7.2.3.12. accessComplexityType
The accessComplexityType defines representation of an access
complexity component in a CVSS score. Extends:
accessComplexityEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 22: accessComplexityType Properties
7.2.3.13. accessVectorType
The accessVectorType defines the representation of an access vector
component in a CVSS score. Extends: accessVectorEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 23: accessVectorType Properties
7.2.3.14. ciaRequirementType
The ciaRequirementType defines the representation of a
confidentiality, integrity, or availability requirement in a CVSS
score. Extends: ciaRequirementEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 24: ciaRequirementType Properties
7.2.3.15. collateralDamagePotentialType
The collateralDamagePotentialType defines the representation of
collateral damage potential in a CVSS score. Extends:
collateralDamagePotentialEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 25: collateralDamagePotentialType Properties
7.2.3.16. targetDistributionType
The targetDistributionType defines the representation of a target
distribution value in a CVSS score. Extends:
targetDistributionEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 26: targetDistributionType Properties
7.2.3.17. ciaType
The ciaType defines the representation of confidentiality, integrity
and availability impact values in a CVSS score. Extends: ciaEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 27: ciaType Properties
7.2.3.18. authenticationType
The authenticationType defines the representation of authentication
values in a CVSS score. Extends: authenticationEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 28: authenticationType Properties
7.2.3.19. remediationLevelType
The remediationLevelType defines the representation of remediation
level in a CVSS score. Extends: remediationLevelEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 29: remediationLevelType Properties
7.2.3.20. confidenceType
The confidenceType defines the representation of report confidence
values in a CVSS score. Extends: confidenceEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 30: confidenceType Properties
7.2.3.21. exploitabilityType
The exploitabilityType defines the representation of exploitability
values in a CVSS score. Extends: exploitabilityEnumType
+--------------+-------------+-------+------------------------------+
| Name | Type | Count | Definition |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1 | Indicates if the value has |
| (attribute) | | | been approximated as the |
| | | | result of an upgrade from a |
| | | | previous CVSS version. The |
| | | | default value is false. |
+--------------+-------------+-------+------------------------------+
Table 31: exploitabilityType Properties
7.2.3.22. cvssType
The cvssType defines the representation of a complete CVSS v2 score,
including all three score components: base, temporal and
environmental.
+--------------------+-----------------------+-------+--------------+
| Name | Type | Count | Definition |
+--------------------+-----------------------+-------+--------------+
| base_metrics | baseMetricsType | 0-n | The base |
| (element) | | | CVSS score |
| environmental_metr | environmentalMetricsT | 0-n | The |
| ics (element) | ype | | environmenta |
| | | | l CVSS score |
| temporal_metrics | temporalMetricsType | 0-n | The temporal |
| (element) | | | CVSS score |
+--------------------+-----------------------+-------+--------------+
Table 32: cvssType Properties
7.2.3.23. cvssImpactType
The cvssImpactType defines a CVSS v2 score that requires at least a
base score component, since the other score types cannot be
calculated accurately without one.
+--------------------+-----------------------+-------+--------------+
| Name | Type | Count | Definition |
+--------------------+-----------------------+-------+--------------+
| base_metrics | baseMetricsType | 1 | The base |
| (element) | | | CVSS score |
| environmental_metr | environmentalMetricsT | 0-1 | The |
| ics (element) | ype | | environmenta |
| | | | l CVSS score |
| temporal_metrics | temporalMetricsType | 0-1 | The temporal |
| (element) | | | CVSS score |
+--------------------+-----------------------+-------+--------------+
Table 33: cvssImpactType Properties
7.2.3.24. cvssImpactBaseType
The cvssImpactBaseType defines a CVSS v2 base score component.
+---------------------+-----------------+-------+-------------------+
| Name | Type | Count | Definition |
+---------------------+-----------------+-------+-------------------+
| base_metrics | baseMetricsType | 1 | A base score |
| (element) | | | component |
+---------------------+-----------------+-------+-------------------+
Table 34: cvssImpactBaseType Properties
7.2.3.25. cvssImpactTemporalType
The cvssImpactTemporalType defines a CVSS v2 temporal score
component. It extends cvssImpactBaseType.
+-------------------+---------------------+-------+-----------------+
| Name | Type | Count | Definition |
+-------------------+---------------------+-------+-----------------+
| temporal_metrics | temporalMetricsType | 1 | A temporal |
| (element) | | | score component |
+-------------------+---------------------+-------+-----------------+
Table 35: cvssImpactTemporalType Properties
7.2.3.26. cvssImpactEnvironmentalType
The cvssImpactEnvironmentalType is a derived type that defines a CVSS
v2 environmental score component. It extends cvssImpactTemporalType.
+--------------------+-----------------------+-------+--------------+
| Name | Type | Count | Definition |
+--------------------+-----------------------+-------+--------------+
| environmental_metr | environmentalMetricsT | 1 | An |
| ics (element) | ype | | environmenta |
| | | | l score |
| | | | component |
+--------------------+-----------------------+-------+--------------+
Table 36: cvssImpactEnvironmentalType Properties
7.2.3.27. metricsType
The metricsType defines an abstract type that presents the common
attributes of all other metric types.
+-----------------------+-------------+-------+---------------------+
| Name | Type | Count | Definition |
+-----------------------+-------------+-------+---------------------+
| upgraded-from-version | xsd:decimal | 0-1 | Indicates the |
| (attribute) | | | previous CVSS score |
| | | | version that this |
| | | | metric was upgraded |
| | | | from. |
+-----------------------+-------------+-------+---------------------+
Table 37: metricsType Properties
7.2.3.28. baseMetricsType
The baseMetricsType defines a derived metricsType that represents a
base CVSS v2 score component.
+-------------------+------------------+-------+--------------------+
| Name | Type | Count | Definition |
+-------------------+------------------+-------+--------------------+
| score (element) | zeroToTenDecimal | 0-1 | Base severity |
| | Type | | score assigned to |
| | | | a vulnerability by |
| | | | a source |
| exploit-subscore | zeroToTenDecimal | 0-1 | Base exploit |
| (element) | Type | | sub-score assigned |
| | | | to a vulnerability |
| | | | by a source |
| impact-subscore | zeroToTenDecimal | 0-1 | Base impact |
| (element) | Type | | sub-score assigned |
| | | | to a vulnerability |
| | | | by a source |
| access-vector | accessVectorType | 0-1 | |
| (element) | | | |
| access-complexity | accessComplexity | 0-1 | |
| (element) | Type | | |
| authentication | authenticationTy | 0-1 | |
| (element) | pe | | |
| confidentiality-i | ciaType | 0-1 | |
| mpact (element) | | | |
| integrity-impact | ciaType | 0-1 | |
| (element) | | | |
| availability-impa | ciaType | 0-1 | |
| ct (element) | | | |
| source (element) | xsd:anyURI | 1 | Data source the |
| | | | vector was |
| | | | obtained from. |
| | | | Example: |
| | | | http://nvd.nist.go |
| | | | v or |
| | | | com.symantec.deeps |
| | | | ight |
| generated-on-date | xsd:dateTime | 0-1 | |
| time (element) | | | |
+-------------------+------------------+-------+--------------------+
Table 38: baseMetricsType Properties
7.2.3.29. environmentalMetricsType
The environmentalMetricsType defines a derived metricsType that
represents an environmental CVSS v2 score component.
+--------------------+---------------------+------+-----------------+
| Name | Type | Coun | Definition |
| | | t | |
+--------------------+---------------------+------+-----------------+
| score (element) | zeroToTenDecimalTyp | 0-1 | |
| | e | | |
| collateral-damage- | collateralDamagePot | 0-1 | |
| potential | entialType | | |
| (element) | | | |
| target-distributio | targetDistributionT | 0-1 | |
| n (element) | ype | | |
| confidentiality-re | ciaRequirementType | 0-1 | |
| quirement | | | |
| (element) | | | |
| integrity-requirem | ciaRequirementType | 0-1 | |
| ent (element) | | | |
| availability-requi | ciaRequirementType | 0-1 | |
| rement (element) | | | |
| source (element) | xsd:anyURI | 1 | Data source the |
| | | | vector was |
| | | | obtained from. |
| | | | Example: |
| | | | http://nvd.nist |
| | | | .gov or |
| | | | com.symantec.de |
| | | | epsight |
| generated-on-datet | xsd:dateTime | 0-1 | |
| ime (element) | | | |
+--------------------+---------------------+------+-----------------+
Table 39: environmentalMetricsType Properties
7.2.3.30. temporalMetricsType
The temporalMetricsType defines a derived metricsType that represents
a temporal CVSS v2 score component.
+-------------------+------------------+------+---------------------+
| Name | Type | Coun | Definition |
| | | t | |
+-------------------+------------------+------+---------------------+
| score (element) | zeroToTenDecimal | 0-1 | The temporal score |
| | Type | | is the temporal |
| | | | multiplier times |
| | | | the base score. |
| temporal-multipli | xsd:decimal | 0-1 | The temporal |
| er (element) | | | multiplier is a |
| | | | number between zero |
| | | | and one. Reference |
| | | | the CVSS standard |
| | | | for computation. |
| exploitability | exploitabilityTy | 0-1 | |
| (element) | pe | | |
| remediation-level | remediationLevel | 0-1 | |
| (element) | Type | | |
| report-confidence | confidenceType | 0-1 | |
| (element) | | | |
| source (element) | xsd:anyURI | 1 | Data source the |
| | | | vector was obtained |
| | | | from. Example: |
| | | | http://nvd.nist.gov |
| | | | or |
| | | | com.symantec.deepsi |
| | | | ght |
| generated-on-date | xsd:dateTime | 0-1 | |
| time (element) | | | |
+-------------------+------------------+------+---------------------+
Table 40: temporalMetricsType Properties
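As an added example, not part of the draft: the Python below computes CVSS v2 base, temporal and environmental scores from the enumeration literals the draft defines in Sections 7.2.3.1 through 7.2.3.11 and returns the values that baseMetricsType, temporalMetricsType and environmentalMetricsType carry (score, impact and exploit sub-scores, temporal multiplier). The numeric weights and equations come from the CVSS v2.0 specification, not from this draft; the example assumes that specification's convention of rounding to one decimal place, half up, at each stage, and the vector in the usage block is constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Weights from the CVSS v2.0 equations, keyed by the enumeration literals the
# draft defines in 7.2.3.1-7.2.3.11. Values are kept as Decimal strings so that
# round_to_1_decimal behaves as the specification intends (8.265 -> 8.3).
ACCESS_VECTOR = {"LOCAL": "0.395", "ADJACENT_NETWORK": "0.646", "NETWORK": "1.0"}
ACCESS_COMPLEXITY = {"HIGH": "0.35", "MEDIUM": "0.61", "LOW": "0.71"}
AUTHENTICATION = {"MULTIPLE_INSTANCES": "0.45", "SINGLE_INSTANCE": "0.56", "NONE": "0.704"}
CIA_IMPACT = {"NONE": "0", "PARTIAL": "0.275", "COMPLETE": "0.660"}
EXPLOITABILITY = {"UNPROVEN": "0.85", "PROOF_OF_CONCEPT": "0.9", "FUNCTIONAL": "0.95",
                  "HIGH": "1.0", "NOT_DEFINED": "1.0"}
REMEDIATION_LEVEL = {"OFFICIAL_FIX": "0.87", "TEMPORARY_FIX": "0.90", "WORKAROUND": "0.95",
                     "UNAVAILABLE": "1.0", "NOT_DEFINED": "1.0"}
REPORT_CONFIDENCE = {"UNCONFIRMED": "0.90", "UNCORROBORATED": "0.95", "CONFIRMED": "1.0",
                     "NOT_DEFINED": "1.0"}
COLLATERAL_DAMAGE = {"NONE": "0", "LOW": "0.1", "LOW_MEDIUM": "0.3", "MEDIUM_HIGH": "0.4",
                     "HIGH": "0.5", "NOT_DEFINED": "0"}
TARGET_DISTRIBUTION = {"NONE": "0", "LOW": "0.25", "MEDIUM": "0.75", "HIGH": "1.0",
                       "NOT_DEFINED": "1.0"}
CIA_REQUIREMENT = {"LOW": "0.5", "MEDIUM": "1.0", "HIGH": "1.51", "NOT_DEFINED": "1.0"}


def w(table, literal):
    """Weight for an enumeration literal; a value outside the enum raises KeyError."""
    return Decimal(table[literal])


def _dec(x):
    return x if isinstance(x, Decimal) else Decimal(repr(x))


def round1(x):
    """CVSS v2 round_to_1_decimal: one decimal, half up (Python's round() is half-even)."""
    return float(_dec(x).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _impact(c, i, a, requirements=None):
    """Impact sub-score; with (CR, IR, AR) it is the environmental AdjustedImpact, capped at 10."""
    cr, ir, ar = (w(CIA_REQUIREMENT, r) for r in requirements) if requirements else (Decimal(1),) * 3
    raw = Decimal("10.41") * (1 - (1 - w(CIA_IMPACT, c) * cr)
                                * (1 - w(CIA_IMPACT, i) * ir)
                                * (1 - w(CIA_IMPACT, a) * ar))
    return min(raw, Decimal(10)) if requirements else raw


def _base(impact, av, ac, au):
    """Rounded base score and raw exploitability sub-score for a given impact sub-score."""
    exploit = 20 * w(ACCESS_VECTOR, av) * w(ACCESS_COMPLEXITY, ac) * w(AUTHENTICATION, au)
    if impact == 0:                      # f(Impact) = 0 when there is no impact at all
        return 0.0, exploit
    score = (Decimal("0.6") * impact + Decimal("0.4") * exploit - Decimal("1.5")) * Decimal("1.176")
    return round1(score), exploit


def base_metrics(av, ac, au, c, i, a):
    """(score, impact-subscore, exploit-subscore), the values baseMetricsType carries."""
    impact = _impact(c, i, a)
    score, exploit = _base(impact, av, ac, au)
    return score, round1(impact), round1(exploit)


def _multiplier(e, rl, rc):
    return w(EXPLOITABILITY, e) * w(REMEDIATION_LEVEL, rl) * w(REPORT_CONFIDENCE, rc)


def temporal_multiplier(e, rl, rc):
    """The temporal-multiplier element of temporalMetricsType: a number between zero and one."""
    return float(_multiplier(e, rl, rc))


def temporal_score(base_score, e, rl, rc):
    """Temporal score = temporal multiplier times the (already rounded) base score."""
    return round1(_dec(base_score) * _multiplier(e, rl, rc))


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar):
    """Environmental score: base and temporal are recomputed with AdjustedImpact first."""
    adj_base, _ = _base(_impact(c, i, a, (cr, ir, ar)), av, ac, au)
    adj_temporal = _dec(temporal_score(adj_base, e, rl, rc))
    return round1((adj_temporal + (10 - adj_temporal) * w(COLLATERAL_DAMAGE, cdp))
                  * w(TARGET_DISTRIBUTION, td))


if __name__ == "__main__":
    # Constructed sample vector: remote, low complexity, no authentication,
    # availability completely lost; functional exploit with an official fix.
    vec = ("NETWORK", "LOW", "NONE", "NONE", "NONE", "COMPLETE")
    base, impact, exploit = base_metrics(*vec)
    print("base", base, "impact-subscore", impact, "exploit-subscore", exploit)
    print("temporal-multiplier", temporal_multiplier("FUNCTIONAL", "OFFICIAL_FIX", "CONFIRMED"))
    print("temporal", temporal_score(base, "FUNCTIONAL", "OFFICIAL_FIX", "CONFIRMED"))
    print("environmental", environmental_score(*vec, "FUNCTIONAL", "OFFICIAL_FIX", "CONFIRMED",
                                               "HIGH", "HIGH", "MEDIUM", "MEDIUM", "HIGH"))
```

Two details matter when a consumer recomputes scores it receives in a VDM record: the intermediate base and temporal values are rounded before they feed the next equation, and the rounding is half up, which Python's built-in round() does not do. A NOT_DEFINED literal maps to the neutral weight for every temporal and environmental component.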
7.2.4. Vulnerability Data Model XML
The vulnerability data model defines the various constructs that are
used to provide vulnerability information.
7.2.4.1. vulnerabilityType
vulnerabilityType holds all of the information about a given
vulnerability.
+---------------------+-----------------------+------+--------------+
| Name | Type | Coun | Definition |
| | | t | |
+---------------------+-----------------------+------+--------------+
| vulnerability-id | vulnerabilityIdType | 1 | The unique |
| (element) | | | identifier |
| | | | for the |
| | | | vulnerabilit |
| | | | y in regards |
| | | | to this |
| | | | vulnerabilit |
| | | | y data |
| | | | source. |
| vulnerability-id-al | vulnerabilityIdType | 0-n | Additional |
| ias (element) | | | identifiers |
| | | | for the |
| | | | vulnerabilit |
| | | | y that |
| | | | represent it |
| | | | in other |
| | | | data |
| | | | sources. An |
| | | | example |
| | | | would be a |
| | | | CVE |
| | | | identifier. |
| record-metadata | metadataType | 0-1 | Additional |
| (element) | | | metadata |
| | | | about the |
| | | | record. |
| text (element) | targetedTextType | 1-n | Provides |
| | | | textual |
| | | | information |
| | | | about the |
| | | | vulnerabilit |
| | | | y. |
| event (element) | extendedLifecycleEven | 0-n | Identifies a |
| | tType | | significant |
| | | | event in the |
| | | | lifecycle of |
| | | | the entity. |
| references | vulnerabilityReferenc | 0-1 | References |
| (element) | esType | | to |
| | | | additional |
| | | | information |
| | | | about the |
| | | | vulnerabilit |
| | | | y. |
| vulnerable-software | vulnerableSoftwareTyp | 0-1 | A list of |
| -list (element) | e | | CPE names |
| | | | correspondin |
| | | | g to the |
| | | | software |
| | | | versions |
| | | | that have |
| | | | this |
| | | | vulnerabilit |
| | | | y. |
| vulnerable-configur | vulnerableConfigurati | 0-n | A CPE |
| ation (element) | onType | | Language |
| | | | construct |
| | | | that |
| | | | identifies |
| | | | the |
| | | | conditions |
| | | | under which |
| | | | the |
| | | | vulnerabilit |
| | | | y exists. |
| | | | Only needed |
| | | | when the |
| | | | vulnerabilit |
| | | | y is |
| | | | situationall |
| | | | y |
| | | | exploitable. |
| impact (element) | cvss2ImpactType | 0-1 | Provides |
| | | | information |
| | | | about the |
| | | | severity of |
| | | | the |
| | | | vulnerabilit |
| | | | y. |
| cwe (element) | cweReferenceType | 0-n | Identifies |
| | | | the |
| | | | underlying |
| | | | cause of the |
| | | | vulnerabilit |
| | | | y. |
Booth Expires April 18, 2013 [Page 35]
Internet-Draft Vulnerability Data Model October 2012
| ##other (element) | xsd:any | 0-n | Provides an |
| | | | extension |
| | | | point for |
| | | | additional |
| | | | information. |
+---------------------+-----------------------+------+--------------+
Table 41: vulnerabilityType Properties
7.2.4.2. vulnerabilityIdType
vulnerabilityIdType is a type used to represent the ID of a
vulnerability. The combination of system and id must be globally
unique. Extends xsd:token (represents the id given to the
vulnerability record by the identified system provider).
+--------------------+------------+-------+--------------------------------+
| Name               | Type       | Count | Definition                     |
+--------------------+------------+-------+--------------------------------+
| system (attribute) | xsd:string | 1     | The identification system used |
|                    |            |       | to assign the associated id.   |
+--------------------+------------+-------+--------------------------------+
Table 42: vulnerabilityIdType Properties
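The following Python is an added example, not code from this draft or from NIST. It shows the checks a consumer of VDM records would run against Tables 41 and 42: the per-record cardinality of each child element and the global uniqueness of the (system, id) pair. The namespace urn:example:vdm, the system values and the feed content are placeholders assumed for the example; the draft's real namespace is not shown in this section.

```python
"""Cardinality and identifier checks for VDM vulnerability records.

Added example; it is not code from the draft or from NIST. The namespace
"urn:example:vdm" and the 'system' values below are placeholders assumed
for the example.
"""
import xml.etree.ElementTree as ET

VDM_NS = "urn:example:vdm"  # assumption: placeholder namespace for VDM elements

# Child element cardinalities from Table 41, as (min, max); None means unbounded.
VULNERABILITY_CHILDREN = {
    "vulnerability-id": (1, 1),
    "vulnerability-id-alias": (0, None),
    "record-metadata": (0, 1),
    "text": (1, None),
    "event": (0, None),
    "references": (0, 1),
    "vulnerable-software-list": (0, 1),
    "vulnerable-configuration": (0, None),
    "impact": (0, 1),
    "cwe": (0, None),
}


def qname(local):
    """Clark-notation tag for a VDM element."""
    return "{%s}%s" % (VDM_NS, local)


def validate_vulnerability(elem):
    """Return a list of problems found in one <vulnerability> element."""
    problems = []
    counts = {}
    for child in elem:
        if not isinstance(child.tag, str) or not child.tag.startswith("{%s}" % VDM_NS):
            continue  # ##other extension point: foreign-namespace children are allowed
        local = child.tag.split("}", 1)[1]
        counts[local] = counts.get(local, 0) + 1
        if local not in VULNERABILITY_CHILDREN:
            problems.append("unexpected VDM child <%s>" % local)
    for name, (lo, hi) in VULNERABILITY_CHILDREN.items():
        n = counts.get(name, 0)
        if n < lo:
            problems.append("<%s> requires at least %d, found %d" % (name, lo, n))
        if hi is not None and n > hi:
            problems.append("<%s> allows at most %d, found %d" % (name, hi, n))
    # Table 42: each identifier carries a 'system' attribute and a non-empty id token.
    for name in ("vulnerability-id", "vulnerability-id-alias"):
        for id_el in elem.findall(qname(name)):
            if not id_el.get("system"):
                problems.append("<%s> is missing the 'system' attribute" % name)
            if not (id_el.text or "").strip():
                problems.append("<%s> has an empty id" % name)
    return problems


def find_duplicate_ids(root):
    """Table 42: the (system, id) pair must be globally unique across the feed."""
    seen = set()
    duplicates = []
    for vuln in root.iter(qname("vulnerability")):
        id_el = vuln.find(qname("vulnerability-id"))
        if id_el is None:
            continue
        key = (id_el.get("system", ""), (id_el.text or "").strip())
        if key in seen:
            duplicates.append(key)
        seen.add(key)
    return duplicates


def validate_feed(xml_text):
    """Parse a feed and return (per-record problem lists, duplicate id keys)."""
    root = ET.fromstring(xml_text)
    per_record = [validate_vulnerability(v) for v in root.iter(qname("vulnerability"))]
    return per_record, find_duplicate_ids(root)


# Constructed sample feed: record 1 is well formed; record 2 lacks the
# mandatory <text>, carries two <impact> elements and reuses record 1's id.
SAMPLE_FEED = """\
<feed xmlns="urn:example:vdm">
  <vulnerability>
    <vulnerability-id system="urn:example:vendor">VENDOR-2012-0001</vulnerability-id>
    <vulnerability-id-alias system="urn:example:cve">CVE-2012-0652</vulnerability-id-alias>
    <text>Constructed summary text for the example.</text>
  </vulnerability>
  <vulnerability>
    <vulnerability-id system="urn:example:vendor">VENDOR-2012-0001</vulnerability-id>
    <impact/>
    <impact/>
  </vulnerability>
</feed>
"""

if __name__ == "__main__":
    per_record, dups = validate_feed(SAMPLE_FEED)
    for i, probs in enumerate(per_record, 1):
        print("record %d: %s" % (i, probs or "ok"))
    print("duplicate ids:", dups)
```

Only the top-level children of each record are counted here; nested types such as cvss2ImpactType (Table 52) would need the same treatment with their own cardinality tables.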
7.2.4.3. metadataType
metadataType is a type used to represent the metadata associated with
the vulnerability.
+------------------------+----------------------------+-------+--------------------------------+
| Name                   | Type                       | Count | Definition                     |
+------------------------+----------------------------+-------+--------------------------------+
| event (element)        | extendedLifecycleEventType | 0-n   | Records lifecycle event        |
|                        |                            |       | information for the entity.    |
| deprecation (element)  | deprecationType            | 0-1   | Information used to indicate   |
|                        |                            |       | deprecation of a record. This  |
|                        |                            |       | element is only to be used if  |
|                        |                            |       | the record has been            |
|                        |                            |       | deprecated.                    |
| supersession (element) | supersessionType           | 0-1   | Information used to indicate   |
|                        |                            |       | supersession relationships for |
|                        |                            |       | a record. This element is only |
|                        |                            |       | to be used if the record has   |
|                        |                            |       | been superseded or if the      |
|                        |                            |       | record has superseded another  |
|                        |                            |       | entry.                         |
+------------------------+----------------------------+-------+--------------------------------+
Table 43: metadataType Properties
7.2.4.4. targetedTextType
targetedTextType provides textual information about the
vulnerability. It extends meta:localeTextType.
+-------------------------+---------------------------+-------+--------------------------------+
| Name                    | Type                      | Count | Definition                     |
+-------------------------+---------------------------+-------+--------------------------------+
| intended-uses (element) | textTargetInformationType | 0-n   | Specifies the potential target |
|                         |                           |       | and use case combinations      |
|                         |                           |       | where this text may be         |
|                         |                           |       | appropriate.                   |
| text (element)          | meta:localeTextType       | 1-n   | Contains text.                 |
+-------------------------+---------------------------+-------+--------------------------------+
Table 44: targetedTextType Properties
7.2.4.5. textTargetInformationType
textTargetInformationType provides a mechanism to specify the
intended audiences and uses of an element.
+--------------------------+------------+-------+--------------------------------+
| Name                     | Type       | Count | Definition                     |
+--------------------------+------------+-------+--------------------------------+
| content-type (attribute) | xsd:anyURI | 0-n   | A controlled vocabulary that   |
|                          |            |       | allows the specification of    |
|                          |            |       | the type of content. See Table |
|                          |            |       | 58 for more information.       |
+--------------------------+------------+-------+--------------------------------+
Table 45: textTargetInformationType Properties
7.2.4.6. extendedLifecycleEventType
extendedLifecycleEventType identifies a significant event in the
lifecycle of the entity. It extends meta:lifecycleEventType.
+------------------------+------------+-------+--------------------------------+
| Name                   | Type       | Count | Definition                     |
+------------------------+------------+-------+--------------------------------+
| event-type (attribute) | xsd:anyURI | 1-n   | Identifies the type of the     |
|                        |            |       | event. See Table 56 for more   |
|                        |            |       | information.                   |
+------------------------+------------+-------+--------------------------------+
Table 46: extendedLifecycleEventType Properties
7.2.4.7. vulnerabilityReferencesType
vulnerabilityReferencesType contains information relating to
references for the vulnerability.
+---------------------+----------------------------+-------+--------------------------------+
| Name                | Type                       | Count | Definition                     |
+---------------------+----------------------------+-------+--------------------------------+
| reference (element) | vulnerabilityReferenceType | 1-n   | The reference source. This may |
|                     |                            |       | be a URL or a document.        |
+---------------------+----------------------------+-------+--------------------------------+
Table 47: vulnerabilityReferencesType Properties
7.2.4.8. vulnerableSoftwareType
vulnerableSoftwareType identifies the software versions that have
this vulnerability.
+-------------------+----------------------+-------+--------------------------------+
| Name              | Type                 | Count | Definition                     |
+-------------------+----------------------+-------+--------------------------------+
| product (element) | cpe-lang:namePattern | 1-n   | The CPE name of the vulnerable |
|                   |                      |       | software.                      |
+-------------------+----------------------+-------+--------------------------------+
Table 48: vulnerableSoftwareType Properties
7.2.4.9. vulnerableConfigurationType
vulnerableConfigurationType is a CPE language construct that
identifies the conditions under which the vulnerability exists.
+----------------------------+---------------------------------+-------+--------------------------------+
| Name                       | Type                            | Count | Definition                     |
+----------------------------+---------------------------------+-------+--------------------------------+
| id (attribute)             | xsd:anyURI                      | 1     | The id for the vulnerable      |
|                            |                                 |       | configuration.                 |
| platform-configuration     | cpe-lang:platform-configuration | 1     | The products that collectively |
| (element)                  |                                 |       | characterize a particular IT   |
|                            |                                 |       | platform type.                 |
| assessment-check (element) | scap-core:assessmentMethodType  | 0-n   | An optional list of equivalent |
|                            |                                 |       | assessment methods that        |
|                            |                                 |       | specify additional system      |
|                            |                                 |       | state that must be present for |
|                            |                                 |       | the vulnerability to exist.    |
| other (element)            | xsd:any                         | 0-n   | Provides an extension point    |
|                            |                                 |       | for additional information.    |
+----------------------------+---------------------------------+-------+--------------------------------+
Table 49: vulnerableConfigurationType Properties
7.2.4.10. vulnerabilityReferenceType
vulnerabilityReferenceType provides reference information.
+------------------------+----------------------+-------+--------------------------------+
| Name                   | Type                 | Count | Definition                     |
+------------------------+----------------------+-------+--------------------------------+
| deprecated (attribute) | xsd:boolean          | 0-1   | Indicates that the reference   |
|                        |                      |       | has been deprecated. Default   |
|                        |                      |       | value is "false".              |
| type (attribute)       | xsd:anyURI           | 1     | A controlled vocabulary that   |
|                        |                      |       | identifies the reference       |
|                        |                      |       | category for this reference.   |
|                        |                      |       | See Table 59 for more          |
|                        |                      |       | information.                   |
| lang (attribute)       | xml:lang             | 0-1   | Identifies the language of the |
|                        |                      |       | reference. Default value is    |
|                        |                      |       | "en".                          |
| source (element)       | xsd:string           | 0-1   | The source that provided the   |
|                        |                      |       | reference (e.g., organization, |
|                        |                      |       | individual).                   |
| notes (element)        | meta:localeNotesType | 0-1   | Additional notes regarding the |
|                        |                      |       | vulnerability or the reference |
|                        |                      |       | source.                        |
| extended-information   | xsd:any              | 0-n   | Allows additional information  |
| (element)              |                      |       | to be represented as needed.   |
+------------------------+----------------------+-------+--------------------------------+
Table 50: vulnerabilityReferenceType Properties
7.2.4.11. impactType
impactType identifies the type of impact the vulnerability may have.
+------------------------+-------------------------+-------+--------------------------------+
| Name                   | Type                    | Count | Definition                     |
+------------------------+-------------------------+-------+--------------------------------+
| inclusion (element)    | meta:lifecycleEventType | 0-1   | The date and time the impact   |
|                        |                         |       | information was first included |
|                        |                         |       | in this data feed.             |
| modification (element) | meta:lifecycleEventType | 0-n   | The date and time the impact   |
|                        |                         |       | information was modified.      |
|                        |                         |       | Multiple instances may be used |
|                        |                         |       | to serve as a change log.      |
+------------------------+-------------------------+-------+--------------------------------+
Table 51: impactType Properties
7.2.4.12. cvss2ImpactType
cvss2ImpactType is an extension type that includes CVSS v2 scoring
information. Extends impactType.
+-------------------------+-----------------------+-------+--------------------------------+
| Name                    | Type                  | Count | Definition                     |
+-------------------------+-----------------------+-------+--------------------------------+
| cvss2-metrics (element) | cvssv2:cvssImpactType | 1     | The CVSS v2 score metrics for  |
|                         |                       |       | the vulnerability.             |
+-------------------------+-----------------------+-------+--------------------------------+
Table 52: cvss2ImpactType Properties
7.2.4.13. deprecationType
deprecationType provides a type to encapsulate deprecation
information.
+---------------------------+-------------------------+-------+--------------------------------+
| Name                      | Type                    | Count | Definition                     |
+---------------------------+-------------------------+-------+--------------------------------+
| deprecated_by (element)   | vulnerabilityIdType     | 0-1   | The identifier of the          |
|                           |                         |       | deprecating information.       |
| deprecated_info (element) | meta:lifecycleEventType | 0-1   | The date and time when the     |
|                           |                         |       | deprecation occurred.          |
+---------------------------+-------------------------+-------+--------------------------------+
Table 53: deprecationType Properties
7.2.4.14. supersessionType
supersessionType provides a type to encapsulate supersession
information.
+---------------------------+-------------------------+-------+--------------------------------+
| Name                      | Type                    | Count | Definition                     |
+---------------------------+-------------------------+-------+--------------------------------+
| supersedes (element)      | vulnerabilityIdType     | 0-1   | If this record supersedes      |
|                           |                         |       | another entry, the identifier  |
|                           |                         |       | of the entry that it           |
|                           |                         |       | supersedes.                    |
| supersedes_info (element) | meta:lifecycleEventType | 0-1   | The date and time when the     |
|                           |                         |       | record superseded another      |
|                           |                         |       | entry.                         |
| superseded_by (element)   | vulnerabilityIdType     | 0-1   | If this record has been        |
|                           |                         |       | superseded by another entry,   |
|                           |                         |       | the identifier of that entry.  |
| superseded_info (element) | meta:lifecycleEventType | 0-1   | The date and time when the     |
|                           |                         |       | record was superseded by       |
|                           |                         |       | another entry.                 |
+---------------------------+-------------------------+-------+--------------------------------+
Table 54: supersessionType Properties
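As an added example, not code from this draft, the following Python follows the supersedes/superseded_by links of Tables 53 and 54 across a constructed feed, stopping on a cycle or a dangling link rather than looping, and reports links that are recorded on only one of the two records. The record keys, the identification system and the sample chain are assumptions made for the example.

```python
"""Resolving supersession chains between VDM records.

Added example, not code from the draft. Records are keyed by the
(system, id) pair of their vulnerability-id (Table 42); the optional links
mirror deprecated_by (Table 53) and supersedes / superseded_by (Table 54).
All sample records below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (system, id)


@dataclass
class RecordLinks:
    key: Key
    supersedes: Optional[Key] = None
    superseded_by: Optional[Key] = None
    deprecated_by: Optional[Key] = None


def fmt(key: Key) -> str:
    return "%s:%s" % key


def resolve_current(records: Dict[Key, RecordLinks], start: Key) -> Tuple[Key, List[Key]]:
    """Follow superseded_by links from `start` to the newest record.

    Returns (final key, path walked). Raises ValueError on a cycle and
    KeyError when a link points at a record that is not in the feed, so a
    consumer never loops forever on inconsistent feed data.
    """
    path = [start]
    seen = {start}
    current = records[start]
    while current.superseded_by is not None:
        nxt = current.superseded_by
        if nxt in seen:
            raise ValueError("supersession cycle: " + " -> ".join(fmt(k) for k in path + [nxt]))
        if nxt not in records:
            raise KeyError("%s superseded by unknown record %s" % (fmt(current.key), fmt(nxt)))
        seen.add(nxt)
        path.append(nxt)
        current = records[nxt]
    return current.key, path


def has_cycle(records: Dict[Key, RecordLinks], start: Key) -> bool:
    """True when following superseded_by from `start` never terminates."""
    try:
        resolve_current(records, start)
    except ValueError:
        return True
    return False


def check_link_consistency(records: Dict[Key, RecordLinks]) -> List[str]:
    """Both ends of a supersession link should agree with each other.

    Tables 53 and 54 let both records describe the relationship; a link
    whose counterpart is missing or points elsewhere is reported.
    """
    problems = []
    for rec in records.values():
        if rec.superseded_by is not None:
            other = records.get(rec.superseded_by)
            if other is None:
                problems.append("%s: superseded_by points at unknown %s" % (fmt(rec.key), fmt(rec.superseded_by)))
            elif other.supersedes != rec.key:
                problems.append("%s: superseded_by %s, but that record does not list it under supersedes" % (fmt(rec.key), fmt(other.key)))
        if rec.supersedes is not None:
            other = records.get(rec.supersedes)
            if other is None:
                problems.append("%s: supersedes unknown %s" % (fmt(rec.key), fmt(rec.supersedes)))
            elif other.superseded_by != rec.key:
                problems.append("%s: supersedes %s, but that record does not list it under superseded_by" % (fmt(rec.key), fmt(other.key)))
        if rec.deprecated_by is not None and rec.deprecated_by not in records:
            problems.append("%s: deprecated_by points at unknown %s" % (fmt(rec.key), fmt(rec.deprecated_by)))
    return problems


def build_sample_feed() -> Dict[Key, RecordLinks]:
    """Constructed records: chain 1 -> 2 -> 3, cycle 4 <-> 5, one-sided link 6 -> 7."""
    system = "urn:example:vendor"  # assumption: placeholder identification system
    a, b, c, d, e, f, g = [(system, "VENDOR-%d" % i) for i in range(1, 8)]
    recs = [
        RecordLinks(a, superseded_by=b),
        RecordLinks(b, supersedes=a, superseded_by=c),
        RecordLinks(c, supersedes=b),
        RecordLinks(d, superseded_by=e),
        RecordLinks(e, supersedes=d, superseded_by=d),  # cycle back to d
        RecordLinks(f, superseded_by=g),                 # g does not point back
        RecordLinks(g),
    ]
    return {r.key: r for r in recs}


if __name__ == "__main__":
    feed = build_sample_feed()
    print(resolve_current(feed, ("urn:example:vendor", "VENDOR-1")))
    print("cycle from VENDOR-4:", has_cycle(feed, ("urn:example:vendor", "VENDOR-4")))
    for p in check_link_consistency(feed):
        print(p)
```

A consumer that only follows superseded_by without the seen-set would spin on the 4 <-> 5 pair; the consistency check is what catches a feed where one producer updated only one side of the relationship.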
7.2.4.15. cweReferenceType
cweReferenceType is the CWE identifier for the underlying cause of
the vulnerability.
+----------------+------------------------------+-------+--------------------------------+
| Name           | Type                         | Count | Definition                     |
+----------------+------------------------------+-------+--------------------------------+
| id (attribute) | scap-core:cweNamePatternType | 1     | The CWE identifier.            |
+----------------+------------------------------+-------+--------------------------------+
Table 55: cweReferenceType Properties
8. Controlled Vocabularies
Several types in the Vulnerability Data Model utilize controlled
vocabularies in an attempt to provide a balance between usability and
flexibility. Controlled vocabularies utilize a standard format for
values of the form scap:authority:id, while allowing other entities
to create additional entries. The following elements utilize the
vocabularies defined below.
8.1. event-type
The event-type controlled vocabulary is used to identify the type of
the event that occurred.
+--------------------------------+-------------------------------------+
| Vocabulary Entry               | Description                         |
+--------------------------------+-------------------------------------+
| scap:gov.nist:inclusion        | The date and time that the entity   |
|                                | was first included in this data     |
|                                | feed                                |
| scap:gov.nist:modification     | The date and time that the          |
|                                | vulnerability record was last       |
|                                | modified. Multiple instances of     |
|                                | this can be used to serve as a      |
|                                | change log                          |
| scap:gov.nist:deprecation      | Information used to indicate        |
|                                | deprecation of a record. This       |
|                                | element is only to be used if the   |
|                                | record has been deprecated          |
| scap:gov.nist:supersession     | The date and time that the entity   |
|                                | was first included in this data     |
|                                | feed                                |
| scap:gov.nist:discovered       | The date that the vulnerability     |
|                                | was first discovered                |
| scap:gov.nist:disclosure       | The date and time that the          |
|                                | vulnerability was disclosed to the  |
|                                | public                              |
| scap:gov.nist:vendorDisclosure | The date and time that the software |
|                                | vendor was first notified of the    |
|                                | vulnerability                       |
+--------------------------------+-------------------------------------+
Table 56: event-type Controlled Vocabulary
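As an added example, not code from this draft, the following Python parses scap:authority:id values and classifies an event-type value against Table 56 while still admitting entries under other authorities, as Section 8 allows. The draft does not define the syntax of authority or id; the example assumes a dotted lowercase authority and a single alphanumeric id token, so that a mistyped separator is reported instead of being accepted as a third-party extension. The sample attribute values are constructed.

```python
"""Parsing and classifying VDM controlled-vocabulary values.

Added example, not code from the draft. The draft only says values take
the form scap:authority:id; the assumption made here is that an authority
is a dotted label such as gov.nist and an id is one alphanumeric token, so
a mistyped separator is rejected instead of passing as an extension entry.
"""
import re

# assumption: authority = dot-separated lowercase labels; id = one alphanumeric token
VOCAB_VALUE = re.compile(r"^scap:([a-z0-9]+(?:\.[a-z0-9-]+)*):([A-Za-z][A-Za-z0-9]*)$")

# Standard entries of the event-type vocabulary (Table 56).
EVENT_TYPES = frozenset([
    "scap:gov.nist:inclusion",
    "scap:gov.nist:modification",
    "scap:gov.nist:deprecation",
    "scap:gov.nist:supersession",
    "scap:gov.nist:discovered",
    "scap:gov.nist:disclosure",
    "scap:gov.nist:vendorDisclosure",
])

STANDARD_AUTHORITY = "gov.nist"


def parse_vocab_value(value):
    """Split a scap:authority:id value into (authority, id); ValueError if malformed."""
    m = VOCAB_VALUE.match(value)
    if m is None:
        raise ValueError("not of the form scap:authority:id: %r" % value)
    return m.group(1), m.group(2)


def classify(value, vocabulary, standard_authority=STANDARD_AUTHORITY):
    """Classify one vocabulary value against a table of standard entries.

    Returns one of:
      "standard"   - listed in the given vocabulary table
      "extension"  - well formed, under an authority other than the standard one
      "unknown"    - uses the standard authority but is not in the table
                     (a typo, or an entry from a newer revision; worth flagging)
      "malformed"  - does not match scap:authority:id
    """
    try:
        authority, _ = parse_vocab_value(value)
    except ValueError:
        return "malformed"
    if value in vocabulary:
        return "standard"
    if authority == standard_authority:
        return "unknown"
    return "extension"


def triage_events(event_types, vocabulary=EVENT_TYPES):
    """Return {value: classification} for a batch of event-type attribute values."""
    return {v: classify(v, vocabulary) for v in event_types}


# Constructed sample attribute values as a consumer might receive them.
SAMPLE_EVENT_TYPES = [
    "scap:gov.nist:disclosure",   # standard entry
    "scap:com.example:triaged",   # third-party extension entry
    "scap:gov.nist:Disclosure",   # wrong case: not in the table
    "scap:gov,nist:inclusion",    # comma instead of dot: malformed
    "inclusion",                  # bare id without the scap: prefix
]

if __name__ == "__main__":
    for value, verdict in triage_events(SAMPLE_EVENT_TYPES).items():
        print("%-28s %s" % (value, verdict))
```

classify() takes the vocabulary table as a parameter, so the same function serves the intended-uses, content-type and reference-type tables; only the set of standard entries changes.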
8.2. intended-uses
The intended-uses controlled vocabulary is used to indicate the type
of information that is included in the text. This information is
provided as a "hint" to consumers on how they should present the
information in various scenarios.
+-------------------------------------+--------------------------------+
| Vocabulary Entry                    | Description                    |
+-------------------------------------+--------------------------------+
| scap:gov.nist:general               | Provides general information   |
| scap:gov.nist:summary               | A short summary of the entity  |
| scap:gov.nist:description           | A formatted description of the |
|                                     | entity                         |
| scap:gov.nist:mitigation            | A potential method to mitigate |
|                                     | the vulnerability              |
| scap:gov.nist:mitigatingFactors     | Additional considerations that |
|                                     | affect the vulnerability and   |
|                                     | may reduce its impact in       |
|                                     | certain situations             |
| scap:gov.nist:scope                 | Identifies the potential       |
|                                     | access that can be gained      |
|                                     | through exploiting the         |
|                                     | vulnerability                  |
| scap:gov.nist:affectedComponent     | Identifies the affected        |
|                                     | components of the software     |
| scap:gov.nist:cause                 | Explains the root cause of the |
|                                     | vulnerability                  |
| scap:gov.nist:additionalInformation | Provides additional            |
|                                     | information                    |
| scap:gov.nist:attackPossibilities   | Identifies what an attacker    |
|                                     | may do if they can exploit the |
|                                     | vulnerability                  |
| scap:gov.nist:exploitMethod         | Identifies how an attacker may |
|                                     | exploit the vulnerability      |
| scap:gov.nist:primaryTargets        | Identifies the types of        |
|                                     | systems that are considered    |
|                                     | most at risk to exploitation   |
|                                     | through this vulnerability     |
| scap:gov.nist:updateActions         | Explains what the update will  |
|                                     | do                             |
| scap:gov.nist:publicDisclosure      | Indicates information about    |
|                                     | known public disclosures       |
| scap:gov.nist:exploitReports        | Indicates known instances of   |
|                                     | the exploit being used in the  |
|                                     | "wild"                         |
+-------------------------------------+--------------------------------+
Table 57: intended-uses Controlled Vocabulary
8.3. content-type
The content-type controlled vocabulary is used to specify the type of
content.
+---------------------------+----------------------------------+
| Vocabulary Entry          | Description                      |
+---------------------------+----------------------------------+
| scap:gov.nist:description | Provides descriptive information |
| scap:gov.nist:technical   | Provides technical details       |
+---------------------------+----------------------------------+
Table 58: content-type Controlled Vocabulary
8.4. reference-type
The reference-type controlled vocabulary is used to specify the type
of reference category.
+--------------------------------------------+-------------------------+
| Vocabulary Entry                           | Description             |
+--------------------------------------------+-------------------------+
| scap:gov.nist:Patch                        | The reference includes  |
|                                            | a link to a software    |
|                                            | patch or update         |
|                                            | instructions            |
| scap:gov.nist:VendorAdvisory               | The reference is by an  |
|                                            | authoritative source    |
|                                            | for the affected        |
|                                            | software                |
| scap:gov.nist:ThirdPartyAdvisory           | The reference is by a   |
|                                            | non-authoritative       |
|                                            | source for the affected |
|                                            | software                |
| scap:gov.nist:SignatureSource              | The reference includes  |
|                                            | a link to one or more   |
|                                            | signatures for use in a |
|                                            | signature-based         |
|                                            | detection system        |
| scap:gov.nist:MitigationProcedure          | The reference includes  |
|                                            | information regarding   |
|                                            | mitigation techniques   |
|                                            | that may help reduce    |
|                                            | exposure to the         |
|                                            | vulnerability           |
| scap:gov.nist:ToolConfigurationDescription | The reference includes  |
|                                            | information regarding   |
|                                            | the configuration of a  |
|                                            | tool that can be used   |
|                                            | to detect the           |
|                                            | vulnerability           |
| scap:gov.nist:AttackScenario               | The reference provides  |
|                                            | a sample attack         |
|                                            | scenario that           |
|                                            | demonstrates how the    |
|                                            | vulnerability may be    |
|                                            | exploited               |
| scap:gov.nist:TechnicalDescription         | The reference provides  |
|                                            | a technical description |
|                                            | of the vulnerability    |
| scap:gov.nist:Other                        | The reference does not  |
|                                            | fit into one of the     |
|                                            | other categories        |
+--------------------------------------------+-------------------------+
Table 59: reference-type Controlled Vocabulary
9. Acknowledgements
The author wishes to thank his colleagues who reviewed drafts of this
document and contributed to its technical content. He would like to
acknowledge Dave Waltermire of NIST, Joseph Wolfkiel of the Defense
Information Systems Agency (DISA), Jim Ronayne of Varen Technologies,
Matt Kerr and Shane Shaffer of G2, Inc., and Karen Scarfone of
Scarfone Cybersecurity for their keen and insightful assistance
throughout the development of this document.
10. IANA Considerations
This memo includes no request to IANA.
11. Security Considerations
As a data format, the Vulnerability Data Model has no security
concerns that are known at this time. However, as a data format
designed to be stored and transmitted between entities within an
enterprise, it SHOULD be used within a properly secured environment.
Over time, a significant amount of information valuable to attackers
can be gleaned from Vulnerability Data Model information. Therefore,
it is recommended that the Vulnerability Data Model be used in
environments providing communication security mechanisms supplying
the properties of confidentiality, data integrity, and
non-repudiation.
12. Normative References
[CPE]      National Institute of Standards and Technology, "NIST
           Interagency Reports 7695, 7696, 7697, and 7698, the Common
           Platform Enumeration", 2011.
[CVSSv2]   National Institute of Standards and Technology, "NIST
           Interagency Report 7435, The Common Vulnerability Scoring
           System and Its Applicability to Federal Agency Systems",
           2007.
[METADATA-CORE]
           National Institute of Standards and Technology, "Metadata
           Core Schema", 2012.
[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119, March 1997.
[SCAP-CORE]
           National Institute of Standards and Technology, "SCAP Core
           Schema", 2012.
[XML]      W3C, "W3C Recommendation Extensible Markup Language (XML)
           1.0 (Fifth Edition)", 2008.
[XSD]      W3C, "W3C Recommendation XML Schema", 2004.
Appendix A. Use Cases
This appendix documents some common use cases that were considered
when developing VDM.
A.1. OEM Vendor Statements
It is common for OEM vendors to release information regarding
vulnerabilities found in their products. These releases often take
the form of textual information about the vulnerability, in vendor
specific formats. Providing the information in a standardized format
would allow those wishing to automatically gather and parse the
vulnerability information to do so without developing custom tools
for each vendor.
A.2. Security Researchers
Security researchers have interest in correlating and analyzing the
data provided as part of the VDM for various purposes. In order to
support this use case the VDM should include the following
information:
o A unique identifier for the vulnerability
o A list of additional identifiers for the vulnerability if
applicable
o A list of the affected software and/or platforms
o An indication of the severity of the vulnerability, including any
differences in severity based on various configurations
o References to support additional research
A.3. System Design and Planning
System Administrators, System Architects, and the authors of security
guides all have an interest in knowing what vulnerabilities exist on
a given platform. The information provided by the vulnerability
model can assist in determining:
o Which platforms to deploy
o What configurations of a platform to deploy
o What mitigating controls may be needed in a given environment
o What remediations are available for a vulnerability
In order to support this use case vulnerability information should
include:
o A unique identifier for a vulnerability
o An indication of when a vulnerability is applicable
o An indication of the severity of a vulnerability
o References to allow additional information about a vulnerability
to be gathered
o References to existing remediations for the vulnerability
o Indicators of the freshness of the vulnerability information
A.4. Assessment Content Authoring
Some individuals or organizations have a need to create content to
detect the presence of vulnerability. Vulnerability detection may be
done through the use of a common specification such as SCAP or
through proprietary methods. Information provided by the
vulnerability model can assist in determining:
o Which platforms are affected by a vulnerability
o Where existing detection content may already exist
o The severity of the vulnerability
In order to support the Assessment Content Authoring use case the
vulnerability model should include:
o A unique identifier for the vulnerability
o An indication of what platforms are affected by the vulnerability
o An indication of the severity of the vulnerability
o Additional references to assist in researching the vulnerability
o References to any existing assessment content
o Indicators of the freshness of the vulnerability information
A.5. Certification and Accreditation
Certification and Accreditation teams are responsible for determining
whether or not systems are allowed to remain on a given network.
This is usually determined based on the priority of the function the
system supports, assessment reports for the system, and
organizational guidelines. Information provided as part of the
vulnerability model can assist in determining:
o The severity of a vulnerability
o The existence of exploits
o The existence of remediations
o The type of the vulnerability
o Indicators of the freshness of the vulnerability information
Appendix B. VDM Examples
This section shows some sample vulnerability information from various
sources put into VDM format.
B.1. Sample 1
OSX Lion v10.7.4 and Security
Update 2012-002CVE-2012-0652
scap:gov.nist:publishscap:gov.nist:descriptionAn issue existed in the handling of network
account logins. The login process recorded sensitive information in
the system log, where other users of the system could read it. The
sensitive information may persist in saved logs after installation
of this update. This issue only affects systems running OS X Lion
v10.7.3 with users of Legacy File Vault and/or networked home
directories. See http://support.apple.com/kb/TS4272 for more
information about how to securely remove any remaining
records.cpe:/o:apple:mac_os_x:10.7.3
B.2. Sample 2
CVE-2012-0652OSX Lion v10.7.4 and Security
Update 2012 002scap:gov.nist:summaryLogin Window in Apple Mac OS X 10.7.3, when
Legacy File Vault or networked home directories are enabled, does
not properly restrict what is written to the system log for network
logins, which allows local users to obtain sensitive information by
reading the log.AppleApple
APPLE-SA-2012-05-09-1cpe:/o:apple:mac_os_x:10.7.3
4.9LOCALLOWNONECOMPLETE
NONENONENIST2012 11 05T09:00:00Z
B.3. Sample 3
CVE-2012-1848
MS12-034scap:gov.nist:summaryAn elevation of privilege vulnerability
exists in the Windows kernel-mode driver. An attacker who
successfully exploited this vulnerability could run arbitrary code
in kernel mode. An attacker could then install programs; view,
change, or delete data; or create new accounts with full
administrative rights.
scap:gov.nist:mitigationMicrosoft has not identified any
workarounds for this vulnerability.scap:gov.nist:mitigatingFactorsAn attacker must have valid logon
credentials and be able to log on locally to exploit this
vulnerability.scap:gov.nist:scopeThis is an elevation of privilege
vulnerability.scap:gov.nist:affectedComponentThe component affected by this
vulnerability is the Windows kernel-mode driver
(win32k.sys).scap:gov.nist:causeThe vulnerability is caused when the
Windows kernel-mode driver improperly handles input passed
from user-mode functions.scap:gov.nist:additionalInformationWin32k.sys is a kernel-mode device
driver and is the kernel part of the Windows subsystem. It
contains the window manager, which controls window displays;
manages screen output; collects input from the keyboard,
mouse, and other devices; and passes user messages to
applications. It also contains the Graphics Device Interface (GDI),
which is a library of functions for graphics output devices.
Finally, it serves as a wrapper for DirectX support that is
implemented in another driver (dxgkrnl.sys). The Windows
kernel is the core of the operating system. It provides
system-level services such as device management and memory
management, allocates processor time to processes, and
manages error handling.scap:gov.nist:attackPossibilitiesAn attacker who successfully exploited
this vulnerability could run arbitrary code in the context of
another process. If this process runs with administrator
privileges, an attacker could then install programs; view,
change, or delete data; or create new accounts with full
user rights.scap:gov.nist:exploitMethodTo exploit this vulnerability, an attacker
would first have to log on to the system. An attacker could then
run a specially crafted application that could exploit the
vulnerability and take complete control over the affected
system.scap:gov.nist:primaryTargetsWorkstations and terminal servers are
primarily at risk. Servers could be at more risk if administrators
allow users to log on to servers and to run programs. However,
best practices strongly discourage allowing this.scap:gov.nist:updateActionsThe update addresses the
vulnerability by correcting the way that the Windows
kernel-mode driver handles data passed from
user-mode functions.scap:gov.nist:publicDisclosureNo. Microsoft received information
about this vulnerability through coordinated vulnerability
disclosure.scap:gov.nist:exploitReportsNo. Microsoft had not received any
information to indicate that this vulnerability had been publicly
used to attack customers when this security bulletin was
originally issued.scap:gov.nist:inclusion
cpe:/o:microsoft:windows_xp::sp3cpe:/o:microsoft:windows_xp:-:sp2:x64cpe:/o:microsoft:windows_server_2003::sp2cpe:/o:microsoft:windows_server_2003::sp2:x64cpe:/o:microsoft:windows_server_2003::sp2:itaniumcpe:/o:microsoft:windows_vista::sp2cpe:/o:microsoft:windows_vista::sp2:x64cpe:/o:microsoft:windows_server_2008::sp2:x86cpe:/o:microsoft:windows_server_2008::sp2:x64cpe:/o:microsoft:windows_server_2008::sp2:itaniumcpe:/o:microsoft:windows_7::sp1:x86cpe:/o:microsoft:windows_7::sp1:x64cpe:/o:microsoft:windows_server_2008:r2::x64cpe:/o:microsoft:windows_server_2008:r2:sp1:x64cpe:/o:microsoft:windows_server_2008:r2::itaniumcpe:/o:microsoft:windows_server_2008:r2:sp1:itanium
9.3NETWORKMEDIUMNONECOMPLETE
COMPLETE
COMPLETE
NIST
B.4. Sample 4
CVE-2012-1848scap:gov.nist:summaryscap:gov.nist:descriptionwin32k.sys in the kernel-mode drivers in
Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,
Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1,
Windows 7 Gold and SP1, and Windows 8 Consumer Preview
does not properly handle user-mode input passed to kernel
mode, which allows local users to gain privileges via a crafted
application, aka "Scrollbar Calculation Vulnerability."scap:gov.nist:inclusioncpe:/o:microsoft:windows_xp::sp3cpe:/o:microsoft:windows_xp:-:sp2:x64cpe:/o:microsoft:windows_server_2003::sp2cpe:/o:microsoft:windows_server_2003::sp2:x64cpe:/o:microsoft:windows_server_2003::sp2:itaniumcpe:/o:microsoft:windows_vista::sp2cpe:/o:microsoft:windows_vista::sp2:x64cpe:/o:microsoft:windows_server_2008::sp2:x86cpe:/o:microsoft:windows_server_2008::sp2:x64cpe:/o:microsoft:windows_server_2008::sp2:itaniumcpe:/o:microsoft:windows_7::sp1:x86cpe:/o:microsoft:windows_7::sp1:x64cpe:/o:microsoft:windows_server_2008:r2::x64cpe:/o:microsoft:windows_server_2008:r2:sp1:x64cpe:/o:microsoft:windows_server_2008:r2::itaniumcpe:/o:microsoft:windows_server_2008:r2:sp1:itanium
9.3NETWORKMEDIUMNONECOMPLETE
COMPLETE
COMPLETE
NIST
Author's Address
Harold Booth
National Institute of Standards and Technology
100 Bureau Drive
Gaithersburg, Maryland 20899
USA
Phone:
Email: harold.booth@nist.gov