Internet Engineering Task Force                                 H. Booth
Internet-Draft                       National Institute of Standards and
Intended status: Informational                                Technology
Expires: April 25, 2013                                      K. Scarfone
                                                  Scarfone Cybersecurity
                                                        October 22, 2012


                        Vulnerability Data Model
                     draft-booth-sacm-vuln-model-01

Abstract

   This Internet-Draft describes the Vulnerability Data Model (VDM)
   version 1.0, a vendor neutral data model for expressing data and
   metadata for individual vulnerabilities, and an XML format that can
   be used to exchange vulnerability data model information.  VDM
   provides standard fields, formats and vocabularies that can be used
   to transmit information about software vulnerabilities between
   entities in an interoperable manner.  VDM is suited for a wide
   variety of use cases, and provides extension points to facilitate
   additional use cases.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.

Booth & Scarfone         Expires April 25, 2013                 [Page 1]
Internet-Draft           Vulnerability Data Model           October 2012
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . .   5
     1.1.  Purpose and Scope  . . . . . . . . . . . . . . . . . . .   5
     1.2.  Audience . . . . . . . . . . . . . . . . . . . . . . . .   6
     1.3.  Document Structure . . . . . . . . . . . . . . . . . . .   6
   2.  Document Conventions . . . . . . . . . . . . . . . . . . . .   7
   3.  Terms and Abbreviations  . . . . . . . . . . . . . . . . . .   8
     3.1.  Terms  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     3.2.  Acronyms . . . . . . . . . . . . . . . . . . . . . . . .   8
   4.  Relationship to Existing Standards and Specifications  . . .   9
   5.  Conformance  . . . . . . . . . . . . . . . . . . . . . . . .   9
     5.1.  Capability Conformance . . . . . . . . . . . . . . . . .   9
     5.2.  Content Conformance  . . . . . . . . . . . . . . . . . .  10
   6.  Vulnerability Data Model Overview  . . . . . . . . . . . . .  10
   7.  Data Model Description . . . . . . . . . . . . . . . . . . .  10
     7.1.  Component Schemas  . . . . . . . . . . . . . . . . . . .  10
     7.2.  XML Data Model Requirements  . . . . . . . . . . . . . .  11
       7.2.1.  Vulnerability Data Model XML . . . . . . . . . . . .  13
         7.2.1.1.  vulnerabilityType  . . . . . . . . . . . . . . .  13
         7.2.1.2.  vulnerabilityIdType  . . . . . . . . . . . . . .  15
         7.2.1.3.  vulnerabilityAliasType . . . . . . . . . . . . .  15
           7.2.1.3.1.  vulnerabilityAliasEnumType . . . . . . . . .  16
         7.2.1.4.  metadataType . . . . . . . . . . . . . . . . . .  16
           7.2.1.4.1.  vulnerabilityRecordStatusEnumType  . . . . .  18
           7.2.1.4.2.  extendedLifecycleEventType . . . . . . . . .  18
           7.2.1.4.3.  supersessionType . . . . . . . . . . . . . .  19
           7.2.1.4.4.  lifecycleEventType . . . . . . . . . . . . .  19
         7.2.1.5.  targetedTextType . . . . . . . . . . . . . . . .  21
           7.2.1.5.1.  textTargetInformationType  . . . . . . . . .  21
           7.2.1.5.2.  localeTextType . . . . . . . . . . . . . . .  22
         7.2.1.6.  vulnerabilityReferencesType  . . . . . . . . . .  22
           7.2.1.6.1.  vulnerabilityReferenceType . . . . . . . . .  22
           7.2.1.6.2.  referenceType  . . . . . . . . . . . . . . .  23
           7.2.1.6.3.  referenceItemType  . . . . . . . . . . . . .  24
           7.2.1.6.4.  embeddedReferenceItemType  . . . . . . . . .  24
           7.2.1.6.5.  externalReferenceItemType  . . . . . . . . .  25
           7.2.1.6.6.  localeNotesType  . . . . . . . . . . . . . .  25
         7.2.1.7.  vulnerableSoftwareType . . . . . . . . . . . . .  25
         7.2.1.8.  vulnerableConfigurationType  . . . . . . . . . .  26
           7.2.1.8.1.  assessmentMethodType . . . . . . . . . . . .  27
           7.2.1.8.2.  checkReferenceType . . . . . . . . . . . . .  28
           7.2.1.8.3.  checkSearchType  . . . . . . . . . . . . . .  28
         7.2.1.9.  vulnerabilityAnalysisType  . . . . . . . . . . .  28
           7.2.1.9.1.  internalReferenceType  . . . . . . . . . . .  29
           7.2.1.9.2.  cvss2ImpactType  . . . . . . . . . . . . . .  29
           7.2.1.9.3.  impactType . . . . . . . . . . . . . . . . .  30
           7.2.1.9.4.  vulnerabilityCharacteristicType  . . . . . .  30
       7.2.2.  CVSS v2  . . . . . . . . . . . . . . . . . . . . . .  31
         7.2.2.1.  cvssType . . . . . . . . . . . . . . . . . . . .  31
         7.2.2.2.  cvssImpactType . . . . . . . . . . . . . . . . .  31
         7.2.2.3.  cvssImpactBaseType . . . . . . . . . . . . . . .  32
         7.2.2.4.  cvssImpactTemporalType . . . . . . . . . . . . .  32
         7.2.2.5.  cvssImpactEnvironmentalType  . . . . . . . . . .  32
         7.2.2.6.  metricsType  . . . . . . . . . . . . . . . . . .  32
         7.2.2.7.  baseMetricsType  . . . . . . . . . . . . . . . .  33
           7.2.2.7.1.  zeroToTenDecimalType . . . . . . . . . . . .  34
           7.2.2.7.2.  accessVectorType . . . . . . . . . . . . . .  34
           7.2.2.7.3.  accessVectorEnumType . . . . . . . . . . . .  34
           7.2.2.7.4.  accessComplexityType . . . . . . . . . . . .  35
           7.2.2.7.5.  accessComplexityEnumType . . . . . . . . . .  35
           7.2.2.7.6.  authenticationType . . . . . . . . . . . . .  35
           7.2.2.7.7.  authenticationEnumType . . . . . . . . . . .  36
           7.2.2.7.8.  ciaType  . . . . . . . . . . . . . . . . . .  36
           7.2.2.7.9.  ciaEnumType  . . . . . . . . . . . . . . . .  36
         7.2.2.8.  environmentalMetricsType . . . . . . . . . . . .  36
           7.2.2.8.1.  collateralDamagePotentialType  . . . . . . .  38
           7.2.2.8.2.  collateralDamagePotentialEnumType  . . . . .  38
           7.2.2.8.3.  targetDistributionType . . . . . . . . . . .  38
           7.2.2.8.4.  targetDistributionEnumType . . . . . . . . .  39
           7.2.2.8.5.  ciaRequirementType . . . . . . . . . . . . .  39
           7.2.2.8.6.  ciaRequirementEnumType . . . . . . . . . . .  39
         7.2.2.9.  temporalMetricsType  . . . . . . . . . . . . . .  40
           7.2.2.9.1.  exploitabilityType . . . . . . . . . . . . .  41
           7.2.2.9.2.  exploitabilityEnumType . . . . . . . . . . .  41
           7.2.2.9.3.  remediationLevelType . . . . . . . . . . . .  41
           7.2.2.9.4.  remediationLevelEnumType . . . . . . . . . .  41
           7.2.2.9.5.  confidenceType . . . . . . . . . . . . . . .  42
           7.2.2.9.6.  confidenceEnumType . . . . . . . . . . . . .  42
   8.  Controlled Vocabularies  . . . . . . . . . . . . . . . . . .  42
     8.1.  event-type . . . . . . . . . . . . . . . . . . . . . . .  42
     8.2.  intended-uses  . . . . . . . . . . . . . . . . . . . . .  43
     8.3.  content-type . . . . . . . . . . . . . . . . . . . . . .  45
     8.4.  reference-type . . . . . . . . . . . . . . . . . . . . .  45
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . .  46
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . .  46
   11. Security Considerations  . . . . . . . . . . . . . . . . . .  46
   12. Normative References . . . . . . . . . . . . . . . . . . . .  47
   Appendix A.  Use Cases . . . . . . . . . . . . . . . . . . . . .  47
     A.1.  OEM Vendor Statements  . . . . . . . . . . . . . . . . .  47
     A.2.  Security Researchers . . . . . . . . . . . . . . . . . .  48
     A.3.  System Design and Planning . . . . . . . . . . . . . . .  48
     A.4.  Assessment Content Authoring . . . . . . . . . . . . . .  49
     A.5.  Certification and Accreditation  . . . . . . . . . . . .  49
   Appendix B.  VDM Examples  . . . . . . . . . . . . . . . . . . .  50
     B.1.  Sample 1 . . . . . . . . . . . . . . . . . . . . . . . .  51
     B.2.  Sample 2 . . . . . . . . . . . . . . . . . . . . . . . .  52
     B.3.  Sample 3 . . . . . . . . . . . . . . . . . . . . . . . .  53
     B.4.  Sample 4 . . . . . . . . . . . . . . . . . . . . . . . .  56
   Appendix C.  Vulnerability Data Model Schema . . . . . . . . . .  58
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  76

1.  Introduction

   A vulnerability may be defined as an error, flaw, or mistake in
   computer software that permits or causes an unintended behavior to
   occur.  As an example, the Common Vulnerabilities and Exposures (CVE)
   dictionary provides a list of known vulnerabilities.  Since the
   unintended behavior of a vulnerability often has computer security
   implications, exchanging vulnerability information in order to
   understand the impact of a vulnerability on an enterprise and to
   prioritize remediation is often desirable.  Sharing vulnerability
   information among individuals, products, and organizations has been
   challenging because of a lack of standardized vulnerability data
   fields, vocabularies, and formats.
   The National Vulnerability Database (NVD) has been producing
   vulnerability information for over ten years, and this document
   documents and improves upon the data feeds currently provided by the
   NVD to establish the Vulnerability Data Model (VDM), a common basis
   upon which to share vulnerability information.  The Vulnerability
   Data Model facilitates communication of vulnerability information by
   enumerating common data fields and vocabularies useful for describing
   individual vulnerabilities.  The vulnerability data model and
   associated exchange format are intended for use by universal
   vulnerability data feeds, such as those that would be produced by a
   vulnerability database or security service provider for consuming
   organizations.  Additionally, the vulnerability data model exchange
   format incorporates extension points to allow producer specific data
   to be incorporated into a data feed, which may be optionally
   processed by a consuming organization that understands the producer
   specific data.

1.1.  Purpose and Scope

   This report defines the Vulnerability Data Model and XML data
   exchange format.  The report gives an introduction to VDM version
   1.0, defines the vulnerability data model, and documents conformance
   requirements to comply with VDM 1.0.  The vulnerability data model
   has been divided into two component models: the vulnerability core
   model and the CVSS version 2 model.

   Other versions of VDM are not addressed here.  Future versions of VDM
   will be defined in distinct revisions of this report, each clearly
   labeled with a revision number and the appropriate VDM version
   number.

   This report does not describe the queries, instructions, methods,
   processes, or data required to produce a VDM document.  This report
   does not describe how to transform any specific data model or data
   set into a VDM document.
   This report provides normative guidance relating to the production
   and consumption of the XML vulnerability data model format.  The
   appendices contain additional information about how to use VDM.

1.2.  Audience

   This document is intended for individuals or organizations intending
   to make use of the vulnerability data model to either produce or
   consume vulnerability information.  Possible uses of the
   vulnerability data model may be as part of a product or service
   delivery effort such as a vulnerability database or vulnerability
   scanning tool, by vendors wishing to supply vulnerability information
   to end users in a human readable format, and by researchers analyzing
   vulnerability information.  Readers of this report should already be
   familiar with basic vulnerability characteristics and concepts.

1.3.  Document Structure

   The remainder of this document is organized into the following major
   sections:

   o  Section 2 defines the document's conventions.

   o  Section 3 defines the terms used within this specification and
      provides a list of common abbreviations.

   o  Section 4 describes how this specification relates to other
      standards and specifications.

   o  Section 5 defines the conformance requirements for VDM.

   o  Section 6 provides an overview of the VDM data model constructs
      and key concepts.

   o  Section 7 documents the VDM data model.

   o  Section 8 lists existing controlled vocabulary items.

   o  Section 9 provides acknowledgments for the document.

   o  Section 10 discusses IANA considerations.

   o  Section 11 discusses security considerations.

   o  Section 12 provides a list of normative references for the
      document.

   o  Appendix A describes use cases for VDM.

   o  Appendix B provides some VDM examples.

   o  Appendix C contains the VDM XML schema.

2.  Document Conventions

   Throughout this specification, when referencing a normative
   reference, the name will be written between brackets, such as [XSD].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   XML elements [XML] are referred to using qualified names when they
   are not in the VDM namespace.  Elements with no prefix can be assumed
   to be in the VDM namespace, unless otherwise noted.  A qualified name
   associates a named element with a namespace.  The namespace
   identifies the specific XML schema that defines (and consequently may
   be used to validate) the syntax of the element instance.  A qualified
   name declares this schema-to-element association using the format
   'prefix:element-name'.  The association of prefix to namespace is
   defined in the metadata of an XML document and varies from document
   to document.  In this specification, the conventional mappings listed
   in Table 1 are used.

   +----------+-------------------------------------------+----------------------------+-----------+
   | Prefix   | Namespace URI                             | Schema                     | Reference |
   +----------+-------------------------------------------+----------------------------+-----------+
   | cpe-lang | http://cpe.mitre.org/language/2.0         | CPE                        | [CPE]     |
   | cvssv2   | http://scap.nist.gov/schema/cvss-v2/1.0   | CVSS v2                    | [CVSSv2]  |
   | dcterms  | http://purl.org/dc/terms/                 | Dublin Core Metadata Terms | [DCTERMS] |
   | xsd      | http://www.w3.org/2001/XMLSchema          | XML Schema                 | [XSD]     |
   | xsi      | http://www.w3.org/2001/XMLSchema-instance | XML Schema Instance        | [XSI]     |
   +----------+-------------------------------------------+----------------------------+-----------+

                    Table 1: Conventional XML Mappings

3.  Terms and Abbreviations

   This section defines a set of common terms and abbreviations used
   within this specification.

3.1.  Terms

   Data Source:  The origin of the vulnerability data.

   Vulnerability:  An error, flaw, or mistake in computer software that
      permits or causes an unintended behavior to occur.

3.2.  Acronyms

   CPE - Common Platform Enumeration

   CVE - Common Vulnerabilities and Exposures

   CVSS - Common Vulnerability Scoring System

   CWE - Common Weakness Enumeration

   IR - Interagency Report

   IT - Information Technology

   NIST - National Institute of Standards and Technology

   OVAL - Open Vulnerability and Assessment Language

   SCAP - Security Content Automation Protocol

   SP - Special Publication

   URI - Uniform Resource Identifier

   USGCB - United States Government Configuration Baseline

   VDM - Vulnerability Data Model

   W3C - World Wide Web Consortium

   XCCDF - Extensible Configuration Checklist Description Format

   XML - Extensible Markup Language

   XSD - XML Schema Definition

   XSLT - Extensible Stylesheet Language Transformations

4.  Relationship to Existing Standards and Specifications

   VDM's relationships to other selected specifications are described
   below.

   1.  CPE - VDM leverages CPE to identify affected platforms and
       products.  Information about the CPE specification can be found
       at: http://scap.nist.gov/specifications/cpe/.

   2.  CVSS - VDM uses CVSS to provide metrics and scores for
       vulnerabilities.  Information about the CVSS specification can be
       found at: http://www.first.org/cvss/.

   3.  CWE - VDM leverages CWE to identify the type of software weakness
       underlying a vulnerability.  Information about the CWE
       specification can be found at: http://cwe.mitre.org/.

5.  Conformance

   Developers and organizations may want to build products in
   conformance with VDM to foster consistency and interoperability of
   their own products.
   End-user organizations may wish to require conformance with VDM in
   order to have a predictable, defined format that products and tools
   used within their environment will produce and consume.  In addition,
   products that conform to this specification will be better able to
   interoperate and exchange reporting information with other products
   that conform to VDM.  Products may want to claim conformance with
   this specification to advertise their interoperability with other
   VDM compliant tools and repositories, as well as to meet requirements
   set by other specifications or organizations.  The following sections
   define the criteria for content and products to claim conformance
   with this specification.

5.1.  Capability Conformance

   There are two types of VDM capabilities: producers and consumers.  A
   producer has the capability to generate VDM documents, while a
   consumer has the capability to accept an existing VDM document and
   process it.  To claim conformance to one or more capabilities defined
   within this specification the following requirements SHALL be adhered
   to:

   1.  For producer capability, generate well-formed content as defined
       in Section 5.2.

   2.  For consumer capability, accept and process well-formed content
       as defined in Section 5.2.

   3.  Make an explicit claim of conformance to this specification in
       any documentation provided to end users.

5.2.  Content Conformance

   In order for a VDM document to be considered in compliance with this
   specification, the document MUST adhere to the following
   requirements:

   1.  The VDM document SHALL conform to all of the normative guidance
       provided in Section 7.

6.  Vulnerability Data Model Overview

   This section is to be developed in the future.  It will provide an
   overview of the vulnerability data model structure and design
   philosophy.

7.  Data Model Description

   This section describes the requirements for the vulnerability data
   model manifested as Extensible Markup Language (XML).  Section 7.1
   discusses the component schemas, while Section 7.2 examines the
   actual XML data model in detail.

7.1.  Component Schemas

   The vulnerability data model was designed in a modular fashion, with
   multiple schemas developed to encourage composability and
   reusability.  Items with similar properties and uses are grouped into
   the same namespace.

                          =================
                          | Vuln Data Model |
                          =================
                                  |
                                  |
                             =============
                             |  CVSSv2   |
                             =============

               Figure 1: Vulnerability Data Model Schemas

   o  CVSS v2: The CVSS v2 schema represents CVSS version 2 scores.  The
      information includes CVSS base metrics, environmental metrics and
      temporal metrics.  See Section 7.2.2 and [CVSSv2] for more
      information on the CVSS v2 schema.

   o  Vulnerability Data Model: The vulnerability data model provides a
      representation of the vulnerability information.  See
      Section 7.2.1 and Appendix C for more information on the
      vulnerability data model schema.

7.2.  XML Data Model Requirements

   The vulnerability element is the root element of the Vulnerability
   Data Model; it is of the vulnerabilityType type.  It contains
   identification, metadata, and additional information about an
   individual vulnerability in a vulnerability document.  See
   Section 7.2.1.1 for additional information on the vulnerability
   element.
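   The following Python script is an added example and is not part of
   the draft or of any NIST tooling.  It parses constructed
   vdm:vulnerability documents and applies the structural rules that
   the prose states for the vulnerability element (the child
   cardinalities and the ##other extension point of Figure 2 and
   Table 2), for vulnerabilityIdType (the system/id pair MUST be
   globally unique, Section 7.2.1.2), for the vulnerabilityAliasEnumType
   and vulnerabilityRecordStatusEnumType enumerations, and for
   record-metadata (at most one event of a given type, and supersession
   only when a record supersedes or is superseded, Table 5).  It is a
   producer-side pre-check, not a replacement for validating against the
   Appendix C XSD, which this specification makes authoritative; note
   that Figure 2 gives analysis a cardinality of 0..1 while Table 2
   gives 0-n, so that entry should follow whichever the XSD says.  The
   VDM namespace URI (urn:example:vdm), the event-type URIs and the
   identifier systems in the sample records are placeholders assumed
   here because this excerpt does not state them; the two records are
   constructed and describe no real vulnerability.

```python
"""Structural pre-checks for vdm:vulnerability documents (added example, not draft code).

ASSUMPTIONS: the VDM namespace URI, the event-type URIs and the 'system' values are
placeholders; the cardinalities and enumerations follow Figure 2, Table 2 and Table 5.
"""
import xml.etree.ElementTree as ET
from collections import Counter

VDM_NS = "urn:example:vdm"  # ASSUMPTION: placeholder for the real VDM namespace

# Child cardinalities of vulnerabilityType per Table 2, as (min, max); None = unbounded.
# Figure 2 shows analysis as 0..1; the XSD (Appendix C) governs, so align this with it.
CHILDREN = {
    "vulnerability-id": (1, 1),
    "vulnerability-id-alias": (0, None),
    "record-metadata": (0, 1),
    "text": (1, None),
    "references": (0, 1),
    "vulnerable-software-list": (0, 1),
    "vulnerable-configuration": (0, None),
    "analysis": (0, None),
}
ALIAS_RELATIONSHIPS = {"CORRESPONDS", "INCLUDED_IN", "INCLUDES", "OVERLAPS"}  # 7.2.1.3.1
RECORD_STATUSES = {"VALID", "INVALID", "MERGED", "SPLIT", "DUPLICATE"}       # 7.2.1.4.1


def q(local):
    """Clark-notation name for an element in the VDM namespace."""
    return "{%s}%s" % (VDM_NS, local)


def check_vulnerability(vuln):
    """Return the list of rule violations for one vdm:vulnerability element."""
    errors, counts = [], Counter()
    for child in vuln:
        if not child.tag.startswith("{%s}" % VDM_NS):
            continue  # foreign namespace: the ##other extension point, accepted as-is
        local = child.tag.split("}", 1)[1]
        if local not in CHILDREN:
            errors.append("unexpected VDM child %r (##other admits only other namespaces)" % local)
        counts[local] += 1
    for local, (lo, hi) in CHILDREN.items():
        if counts[local] < lo or (hi is not None and counts[local] > hi):
            errors.append("%s occurs %d times, allowed %d..%s" % (local, counts[local], lo, "n" if hi is None else hi))
    vid = vuln.find(q("vulnerability-id"))
    if vid is not None and not (vid.get("system") and (vid.text or "").strip()):
        errors.append("vulnerability-id needs a 'system' attribute and a non-empty id")
    for alias in vuln.findall(q("vulnerability-id-alias")):
        if alias.get("relationship") not in ALIAS_RELATIONSHIPS:
            errors.append("alias relationship %r not in vulnerabilityAliasEnumType" % alias.get("relationship"))
    meta = vuln.find(q("record-metadata"))
    if meta is not None:
        status = meta.findtext(q("status"), default="VALID")  # default per Table 5
        if status not in RECORD_STATUSES:
            errors.append("record status %r not in vulnerabilityRecordStatusEnumType" % status)
        # Table 5: the event element SHALL NOT have more than one event of a particular type.
        # ASSUMPTION: the 1-n event-type values are whitespace separated, as an XSD list would be.
        seen = Counter(t for ev in meta.findall(q("event")) for t in (ev.get("event-type") or "").split())
        errors += ["more than one event of type %s" % t for t, n in sorted(seen.items()) if n > 1]
        sup = meta.find(q("supersession"))
        if sup is not None and sup.find(q("supersedes")) is None and sup.find(q("superseded_by")) is None:
            errors.append("supersession present but the record neither supersedes nor is superseded")
    return errors


def check_documents(docs):
    """Check several documents; (system, id) MUST be globally unique across all of them."""
    results, ids = [], Counter()
    for text in docs:
        root = ET.fromstring(text)
        vid = root.find(q("vulnerability-id"))
        key = (vid.get("system"), (vid.text or "").strip()) if vid is not None else None
        ids[key] += 1
        errs = check_vulnerability(root) if root.tag == q("vulnerability") else ["root is not vdm:vulnerability"]
        results.append((key, errs))
    for key, errs in results:
        if key is not None and ids[key] > 1:
            errs.append("(system, id) %r is reused; it MUST be globally unique" % (key,))
    return results


def check_document(xml_text):
    """Violations for a single document (no cross-document uniqueness check)."""
    return check_documents([xml_text])[0][1]


# Constructed sample records with placeholder identifiers (not real advisories).
GOOD_DOC = """<vdm:vulnerability xmlns:vdm="urn:example:vdm" xmlns:dcterms="http://purl.org/dc/terms/">
  <vdm:vulnerability-id system="urn:example:vendor-advisories">EX-2012-0001</vdm:vulnerability-id>
  <vdm:vulnerability-id-alias relationship="CORRESPONDS">CVE-0000-0001</vdm:vulnerability-id-alias>
  <vdm:record-metadata>
    <vdm:status>VALID</vdm:status>
    <vdm:event event-type="urn:example:event/published"><dcterms:date>2012-10-22</dcterms:date></vdm:event>
  </vdm:record-metadata>
  <vdm:text><vdm:text xml:lang="en-US">Placeholder description for a constructed record.</vdm:text></vdm:text>
  <ext:vendor-note xmlns:ext="urn:example:ext">producer-specific data carried via ##other</ext:vendor-note>
</vdm:vulnerability>"""

BAD_DOC = """<vdm:vulnerability xmlns:vdm="urn:example:vdm">
  <vdm:vulnerability-id system="urn:example:vendor-advisories">EX-2012-0001</vdm:vulnerability-id>
  <vdm:vulnerability-id-alias relationship="SAME_AS">CVE-0000-0002</vdm:vulnerability-id-alias>
  <vdm:record-metadata>
    <vdm:event event-type="urn:example:event/published"/>
    <vdm:event event-type="urn:example:event/published"/>
    <vdm:supersession/>
  </vdm:record-metadata>
  <vdm:analysis-notes/>
</vdm:vulnerability>"""

if __name__ == "__main__":
    for key, errs in check_documents([GOOD_DOC, BAD_DOC]):
        print(key, errs or "OK")
```

   Run stand-alone, the script reports no violations for the first
   record on its own, five for the second (a VDM-namespace child that
   is not in the model, no text element, an alias relationship outside
   the enumeration, two events of the same type, and an empty
   supersession element), and flags both records once they are checked
   together, because they reuse the same (system, id) pair.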
                     +---------------+
                     | vulnerability |
                     +---------------+
                     |               |<>----------[ vulnerability-id ]
                     |               |<>--{0..*}--[ vulnerability-id-alias ]
                     |               |<>--{0..1}--[ record-metadata ]
                     |               |<>--{1..*}--[ text ]
                     |               |<>--{0..1}--[ references ]
                     |               |<>--{0..1}--[ vulnerable-software-list ]
                     |               |<>--{0..*}--[ vulnerable-configuration ]
                     |               |<>--{0..1}--[ analysis ]
                     |               |<>--{0..*}--[ ##other ]
                     +---------------+

                       Figure 2: Vulnerability Element

   In order to comply with the VDM data model,

   o  The user MUST produce an XML vdm:vulnerability element consistent
      with the data model described below.

   o  The XML element produced MUST validate against the XSD for
      Vulnerability Data Model 1.0 listed in Appendix C.  In situations
      where the XSD does not match the documented model elsewhere in
      this specification, the XSD SHALL take precedence.

   The following tables formalize the data model.  The data contained in
   the tables are requirements and MUST be interpreted as follows:

   o  If present, the "Type Name" field indicates the name for the XML
      type being described.

   o  The "Definition" field indicates the prose description of the
      type/element.  The definition field MAY contain requirement words
      as indicated in [RFC2119].

   o  If present, the "Properties" field is broken into four subfields:

      *  The "Name" column indicates the name of a property that MAY or
         MUST be included in the described type/element, in accordance
         with the cardinality indicated in the "Count" field.

      *  The "Type" column indicates the REQUIRED data type for the
         value of the property.  There are three categories of types:
         literal, element, and special.  A literal type will indicate
         the type of literal as defined in [XSD].  An element type will
         reference the name of another element that defines that
         property.  A special type is listed when the type is neither
         literal nor element.  The special type will indicate the nature
         of permitted content, such as allowing any XML to be used.

      *  The "Count" column indicates the cardinality of the property
         within the type/element.  The property MUST be included in the
         type/element in accordance with the cardinality.  If a range is
         given, and "n" is the upper-bound of the range, then the upper
         limit is unbounded.

      *  The "Definition" column defines the property in the context of
         the type/element.  The definition MAY contain requirement words
         as indicated in [RFC2119].

7.2.1.  Vulnerability Data Model XML

   The vulnerability data model defines the various constructs that are
   used to provide vulnerability information.

7.2.1.1.  vulnerabilityType

   vulnerabilityType holds all of the information about a given
   vulnerability.

   +--------------------------+-----------------------------+-------+------------------------------------------+
   | Name                     | Type                        | Count | Definition                               |
   +--------------------------+-----------------------------+-------+------------------------------------------+
   | vulnerability-id         | vulnerabilityIdType         | 1     | The unique identifier for the            |
   | (element)                |                             |       | vulnerability in regards to this         |
   |                          |                             |       | vulnerability data source.               |
   | vulnerability-id-alias   | vulnerabilityAliasType      | 0-n   | Additional identifiers for the           |
   | (element)                |                             |       | vulnerability that represent it in other |
   |                          |                             |       | data sources.  An example would be a CVE |
   |                          |                             |       | identifier.                              |
   | record-metadata          | metadataType                | 0-1   | Additional metadata about the record.    |
   | (element)                |                             |       |                                          |
   | text (element)           | targetedTextType            | 1-n   | Provides textual information about the   |
   |                          |                             |       | vulnerability, such as different texts   |
   |                          |                             |       | for different audiences.  See Table 50   |
   |                          |                             |       | for a list of valid values.              |
   | references (element)     | vulnerabilityReferencesType | 0-1   | References to additional information     |
   |                          |                             |       | about the vulnerability.                 |
   | vulnerable-software-list | vulnerableSoftwareType      | 0-1   | A list of CPE names corresponding to the |
   | (element)                |                             |       | software versions that have this         |
   |                          |                             |       | vulnerability.                           |
   | vulnerable-configuration | vulnerableConfigurationType | 0-n   | A CPE Language construct that identifies |
   | (element)                |                             |       | the conditions under which the           |
   |                          |                             |       | vulnerability exists.                    |
   | analysis (element)       | vulnerabilityAnalysisType   | 0-n   | Characteristics and impact of the        |
   |                          |                             |       | vulnerability, optionally split based on |
   |                          |                             |       | configuration.                           |
   | ##other (element)        | xsd:any                     | 0-n   | Provides an extension point for          |
   |                          |                             |       | additional information.                  |
   +--------------------------+-----------------------------+-------+------------------------------------------+

                    Table 2: vulnerabilityType Properties

7.2.1.2.  vulnerabilityIdType

   vulnerabilityIdType is a type used to represent the ID of a
   vulnerability.  The combination of system and id MUST be globally
   unique.
   Extends xsd:token (represents the id given to the vulnerability
   record by the identified system provider).

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | system      | xsd:string | 1     | The identification system used |
   | (attribute) |            |       | to assign the associated id.   |
   +-------------+------------+-------+--------------------------------+

                   Table 3: vulnerabilityIdType Properties

7.2.1.3.  vulnerabilityAliasType

   vulnerabilityAliasType is a type used to represent the alias of a
   vulnerability.

   +--------------+----------------------------+-------+------------------------+
   | Name         | Type                       | Count | Definition             |
   +--------------+----------------------------+-------+------------------------+
   | relationship | vulnerabilityAliasEnumType | 1     | Represents the         |
   | (attribute)  |                            |       | relationship of the    |
   |              |                            |       | vulnerability to       |
   |              |                            |       | another vulnerability. |
   +--------------+----------------------------+-------+------------------------+

                 Table 4: vulnerabilityAliasType Properties

7.2.1.3.1.  vulnerabilityAliasEnumType

   The enumeration of available relationships between vulnerabilities
   that exist in different naming systems.

   Allowed enumeration values: CORRESPONDS, INCLUDED_IN, INCLUDES,
   OVERLAPS

   CORRESPONDS:  This vulnerability corresponds to another
      vulnerability.

   INCLUDED_IN:  This vulnerability is included in another
      vulnerability.

   INCLUDES:  This vulnerability includes another vulnerability.

   OVERLAPS:  This vulnerability overlaps another vulnerability.

7.2.1.4.  metadataType

   metadataType is a type used to represent the metadata associated with
   the vulnerability.

   +--------------+-----------------------------------+-------+------------------------------------+
   | Name         | Type                              | Count | Definition                         |
   +--------------+-----------------------------------+-------+------------------------------------+
   | status       | vulnerabilityRecordStatusEnumType | 0-1   | Records the status of the          |
   | (element)    |                                   |       | vulnerability record within the    |
   |              |                                   |       | scope of the primary namespace.    |
   |              |                                   |       | Default value is "VALID".          |
   | event        | extendedLifecycleEventType        | 0-n   | Identifies significant events in   |
   | (element)    |                                   |       | the lifecycle of the entity.  The  |
   |              |                                   |       | available types of events are      |
   |              |                                   |       | listed in Table 48.  The event     |
   |              |                                   |       | element SHALL NOT have more than   |
   |              |                                   |       | one event of a particular type.    |
   | supersession | supersessionType                  | 0-1   | Information used to indicate       |
   | (element)    |                                   |       | supersession relationships for a   |
   |              |                                   |       | record.  This element is only to   |
   |              |                                   |       | be used if the record has been     |
   |              |                                   |       | superseded or if the record has    |
   |              |                                   |       | superseded another entry.          |
   +--------------+-----------------------------------+-------+------------------------------------+

                      Table 5: metadataType Properties

7.2.1.4.1.  vulnerabilityRecordStatusEnumType

   The vulnerabilityRecordStatusEnumType defines the allowed values for
   the available vulnerability record statuses.

   Allowed enumeration values: VALID, INVALID, MERGED, SPLIT, DUPLICATE.

   MERGED:  The record has been merged with one or more other CVEs into
      a single CVE.

   SPLIT:  The record has been split into two or more other CVE
      identifiers.

   DUPLICATE:  The record is a duplicate of another CVE identifier.

   INVALID:  A CVE identifier that did not meet the content decision
      criteria.

7.2.1.4.2.  extendedLifecycleEventType

   extendedLifecycleEventType identifies a significant event in the
   lifecycle of the entity.  It extends lifecycleEventType.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | event-type  | xsd:anyURI | 1-n   | Identifies the type of the     |
   | (attribute) |            |       | event.  See Table 48 for more  |
   |             |            |       | information.                   |
   +-------------+------------+-------+--------------------------------+

               Table 6: extendedLifecycleEventType Properties

7.2.1.4.3.  supersessionType

   supersessionType provides a type to encapsulate supersession
   information.

   +-----------------+---------------------+-------+-----------------------------------+
   | Name            | Type                | Count | Definition                        |
   +-----------------+---------------------+-------+-----------------------------------+
   | supersedes      | vulnerabilityIdType | 0-n   | If this record supersedes another |
   | (element)       |                     |       | entry, the identifier of the      |
   |                 |                     |       | entry that it supersedes.         |
   | supersedes_info | lifecycleEventType  | 0-1   | The date and time when the record |
   | (element)       |                     |       | superseded another entry.         |
   | superseded_by   | vulnerabilityIdType | 0-n   | If this record has been           |
   | (element)       |                     |       | superseded by another entry, the  |
   |                 |                     |       | identifier of that entry.         |
   | superseded_info | lifecycleEventType  | 0-1   | The date and time when the record |
   | (element)       |                     |       | was superseded by another entry.  |
   +-----------------+---------------------+-------+-----------------------------------+

                    Table 7: supersessionType Properties

7.2.1.4.4.  lifecycleEventType

   Metadata for a resource.

   +-------------------+---------------------+-------+------------------------------------+
   | Name              | Type                | Count | Definition                         |
   +-------------------+---------------------+-------+------------------------------------+
   | identifier        | dcterms:identifier  | 0-n   | A reference to the resource (such  |
   | (element)         |                     |       | as an identifier).                 |
   | date (element)    | dcterms:date        | 0-n   | The date when an event occurred.   |
   | creator (element) | dcterms:creator     | 0-n   | The organization or individual     |
   |                   |                     |       | responsible for creating the       |
   |                   |                     |       | resource.                          |
   | contributor       | dcterms:contributor | 0-n   | The organization or individual     |
   | (element)         |                     |       | responsible for contributing to    |
   |                   |                     |       | the resource.                      |
   | publisher         | dcterms:publisher   | 0-n   | The organization or individual     |
   | (element)         |                     |       | responsible for publishing the     |
   |                   |                     |       | resource.                          |
   | description       | dcterms:description | 0-n   | A description of the resource.     |
   | (element)         |                     |       |                                    |
   | subject (element) | dcterms:subject     | 0-n   | The subject of the resource.       |
   | source (element)  | dcterms:source      | 0-n   | Another resource that this         |
   |                   |                     |       | resource is derived from.          |
   | extended-metadata | xsd:any             | 0-1   | Provides an extension point for    |
   | (element)         |                     |       | additional information.            |
   +-------------------+---------------------+-------+------------------------------------+

                   Table 8: lifecycleEventType Properties

7.2.1.5.  targetedTextType

   targetedTextType provides textual information about the
   vulnerability.
+---------------+---------------------------+-------+------------------------------------+
| Name          | Type                      | Count | Definition                         |
+---------------+---------------------------+-------+------------------------------------+
| intended-uses | textTargetInformationType | 0-n   | Specifies the potential target and |
| (element)     |                           |       | use case combinations where this   |
|               |                           |       | text may be appropriate. See       |
|               |                           |       | Section 8.2 for more information.  |
| text          | localeTextType            | 1-n   | Contains texts (such as different  |
| (element)     |                           |       | texts for different audiences).    |
+---------------+---------------------------+-------+------------------------------------+

Table 9: targetedTextType Properties

7.2.1.5.1. textTargetInformationType

textTargetInformationType provides a mechanism to specify the intended
audiences and uses of an element.

+--------------+------------+-------+----------------------------------+
| Name         | Type       | Count | Definition                       |
+--------------+------------+-------+----------------------------------+
| content-type | xsd:anyURI | 0-n   | A controlled vocabulary that     |
| (attribute)  |            |       | allows the specification of the  |
|              |            |       | type of content. See Table 50    |
|              |            |       | for more information.            |
+--------------+------------+-------+----------------------------------+

Table 10: textTargetInformationType Properties

7.2.1.5.2. localeTextType

The localeTextType defines a string based element that allows the
specification of a language. This type allows the xml:lang attribute
to associate a specific language with an element's string content.
Extends xsd:string.

+-------------+----------+-------+----------------------------------+
| Name        | Type     | Count | Definition                       |
+-------------+----------+-------+----------------------------------+
| lang        | xml:lang | 1     | The language of the text         |
| (attribute) |          |       | element. The default value is    |
|             |          |       | 'en-US'.                         |
+-------------+----------+-------+----------------------------------+

Table 11: localeTextType Properties

7.2.1.6. vulnerabilityReferencesType

vulnerabilityReferencesType contains information relating to
references for the vulnerability.

+-----------+----------------------------+-------+----------------------------------+
| Name      | Type                       | Count | Definition                       |
+-----------+----------------------------+-------+----------------------------------+
| reference | vulnerabilityReferenceType | 1-n   | The reference source. This SHALL |
| (element) |                            |       | be either a URL or a document.   |
+-----------+----------------------------+-------+----------------------------------+

Table 12: vulnerabilityReferencesType Properties

7.2.1.6.1. vulnerabilityReferenceType

vulnerabilityReferenceType provides reference information. Extends
referenceType.

+----------------------+-----------------+-------+------------------------------------+
| Name                 | Type            | Count | Definition                         |
+----------------------+-----------------+-------+------------------------------------+
| deprecated           | xsd:boolean     | 0-1   | Indicates that the reference has   |
| (attribute)          |                 |       | been deprecated. Default value is  |
|                      |                 |       | "false".                           |
| type (attribute)     | xsd:anyURI      | 1     | A controlled vocabulary that       |
|                      |                 |       | identifies the reference category  |
|                      |                 |       | for this reference. See Table 51   |
|                      |                 |       | for more information.              |
| lang (attribute)     | xml:lang        | 0-1   | Identifies the language of the     |
|                      |                 |       | reference. Default value is "en".  |
| source (element)     | xsd:token       | 0-1   | The source that provided the       |
|                      |                 |       | reference (e.g., organization,     |
|                      |                 |       | individual).                       |
| notes (element)      | localeNotesType | 0-1   | Additional notes regarding the     |
|                      |                 |       | vulnerability or the reference     |
|                      |                 |       | source.                            |
| extended-information | xsd:any         | 0-n   | Allows additional information to   |
| (element)            |                 |       | be represented as needed.          |
+----------------------+-----------------+-------+------------------------------------+

Table 13: vulnerabilityReferenceType Properties

7.2.1.6.2. referenceType

The referenceType defines a container that may be used to hold one or
more metadata core referenceItemType entities.

+-----------+-------------------+-------+---------------------------+
| Name      | Type              | Count | Definition                |
+-----------+-------------------+-------+---------------------------+
| item      | referenceItemType | 1-n   | A collection of one or    |
| (element) |                   |       | more locale specific      |
|           |                   |       | reference items.          |
+-----------+-------------------+-------+---------------------------+

Table 14: referenceType Properties

7.2.1.6.3. referenceItemType

The referenceItemType extends the localeTextType entity to include an
optional URI reference (intended to be a URL).

+-----------+-----------+-------+-----------------------------------+
| Name      | Type      | Count | Definition                        |
+-----------+-----------+-------+-----------------------------------+
| ref-id    | xs:anyURI | 0-1   | A URI reference that points to a  |
| (element) |           |       | resource. This SHOULD point to    |
|           |           |       | extra descriptive material, the   |
|           |           |       | supplier's web site, or the       |
|           |           |       | platform documentation.           |
| ##other   | xsd:any   | 0-n   | Provides an extension point for   |
| (element) |           |       | additional information.           |
+-----------+-----------+-------+-----------------------------------+

Table 15: referenceItemType Properties

7.2.1.6.4. embeddedReferenceItemType

embeddedReferenceItemType extends referenceItemType.
+-----------+---------------------+-------+-----------------------------------+
| Name      | Type                | Count | Definition                        |
+-----------+---------------------+-------+-----------------------------------+
| text      | xhtmlLocaleTextType | 0-1   | Embedded reference material in    |
| (element) |                     |       | text form. Either text or binary  |
|           |                     |       | must be used, but not both.       |
| binary    | xsd:base64Binary    | 0-1   | Embedded reference material in    |
| (element) |                     |       | binary form. Either text or       |
|           |                     |       | binary must be used, but not      |
|           |                     |       | both.                             |
+-----------+---------------------+-------+-----------------------------------+

Table 16: embeddedReferenceItemType Properties

7.2.1.6.5. externalReferenceItemType

Type for a reference with an optional URI reference. This would
normally be used to point to extra descriptive material, or the
supplier's web site, or the platform documentation. It consists of a
piece of text (intended to be human-readable) and a URI (intended to
be a URL, and point to a real resource).

+-------------+------------+-------+--------------------------------+
| Name        | Type       | Count | Definition                     |
+-------------+------------+-------+--------------------------------+
| href        | xsd:anyURI | 1     | Reference pointing to extra    |
| (attribute) |            |       | descriptive material, or the   |
|             |            |       | supplier's web site, or the    |
|             |            |       | platform documentation.        |
+-------------+------------+-------+--------------------------------+

Table 17: externalReferenceItemType Properties

7.2.1.6.6. localeNotesType

The localeNotesType defines a container that may contain one or more
metadata core localeTextType elements. It is intended to provide a
location for additional information about an entity. This type
defines an element that consists of one or more child note elements.
It is assumed that each of these note elements is representative of
the same language as defined by its parent.
+---------------+----------------+-------+--------------------------+
| Name          | Type           | Count | Definition               |
+---------------+----------------+-------+--------------------------+
| note          | localeTextType | 1-n   | A note in a given        |
| (element)     |                |       | language.                |
+---------------+----------------+-------+--------------------------+

Table 18: localeNotesType Properties

7.2.1.7. vulnerableSoftwareType

vulnerableSoftwareType identifies the software versions that have this
vulnerability.

+------------+----------------------+-------+-----------------------+
| Name       | Type                 | Count | Definition            |
+------------+----------------------+-------+-----------------------+
| product    | cpe-lang:namePattern | 1-n   | The CPE name of the   |
| (element)  |                      |       | vulnerable software.  |
+------------+----------------------+-------+-----------------------+

Table 19: vulnerableSoftwareType Properties

7.2.1.8. vulnerableConfigurationType

vulnerableConfigurationType is a CPE language construct that
identifies the conditions under which the vulnerability exists.

+-------------------------+---------------------------------+-------+------------------------------------+
| Name                    | Type                            | Count | Definition                         |
+-------------------------+---------------------------------+-------+------------------------------------+
| id (attribute)          | xsd:anyURI                      | 1     | The id for the vulnerable          |
|                         |                                 |       | configuration.                     |
| platform-configuration  | cpe-lang:platform-configuration | 1     | The products that collectively     |
| (element)               |                                 |       | characterize a particular IT       |
|                         |                                 |       | platform type.                     |
| assessment-check        | assessmentMethodType            | 0-n   | An optional list of equivalent     |
| (element)               |                                 |       | assessment methods that specify    |
|                         |                                 |       | additional system state that must  |
|                         |                                 |       | be present for the vulnerability   |
|                         |                                 |       | to exist.                          |
| other (element)         | xsd:any                         | 0-n   | Provides an extension point for    |
|                         |                                 |       | additional information.            |
+-------------------------+---------------------------------+-------+------------------------------------+

Table 20: vulnerableConfigurationType Properties

7.2.1.8.1. assessmentMethodType

The assessmentMethodType denotes a scanner and required configuration
that is capable of detecting the referenced vulnerability. It may also
be an OVAL definition and omit the scanner name. It identifies a tool
and any associated information about the tool, such as signature
versions, that indicate the tool is capable of properly detecting
and/or remediating the vulnerability or misconfiguration.

+-------------------+----------------------+-------+------------------------------------+
| Name              | Type                 | Count | Definition                         |
+-------------------+----------------------+-------+------------------------------------+
| assessment-check  | checkReferenceType   | 1     | Identifies a check that can be     |
| (element)         |                      |       | used to detect the vulnerability   |
|                   |                      |       | or misconfiguration.               |
| assessment-engine | cpe-lang:namePattern | 0-n   | The CPE name of the scanning tool. |
| (element)         |                      |       | The CPE name can be used for a CPE |
|                   |                      |       | from the NVD. The CPE title        |
|                   |                      |       | attribute can be used for internal |
|                   |                      |       | naming conventions (or both, if    |
|                   |                      |       | possible).                         |
+-------------------+----------------------+-------+------------------------------------+

Table 21: assessmentMethodType Properties

7.2.1.8.2. checkReferenceType

The checkReferenceType defines a method to represent a checking system
and check id to identify a method of detecting the presence of the
vulnerability on an asset. Extends checkSearchType to add an external
file reference, which could be used to point to the file in which the
content test identifier is defined.

+-------------+------------+-------+--------------------------------+
| Name        | Type       | Count | Definition                     |
+-------------+------------+-------+--------------------------------+
| href        | xsd:anyURI | 1     | Identifies the file in which   |
| (attribute) |            |       | the check exists.              |
+-------------+------------+-------+--------------------------------+

Table 22: checkReferenceType Properties

7.2.1.8.3. checkSearchType

The checkSearchType defines a method to represent a searchable check
identifier that can be used to locate a check in a repository. It
identifies the test id and checking system used.

+-------------+------------+-------+--------------------------------+
| Name        | Type       | Count | Definition                     |
+-------------+------------+-------+--------------------------------+
| system      | xsd:anyURI | 1     | URI for a checking system.     |
| (attribute) |            |       | SHOULD be the URI for a        |
|             |            |       | particular version of OVAL or  |
|             |            |       | a related system testing       |
|             |            |       | language.                      |
| name        | xsd:token  | 0-1   | A test identifier. MUST be an  |
| (attribute) |            |       | identifier of a test written   |
|             |            |       | in the language specified by   |
|             |            |       | the system attribute.          |
+-------------+------------+-------+--------------------------------+

Table 23: checkSearchType Properties

7.2.1.9. vulnerabilityAnalysisType

vulnerabilityAnalysisType

+------------------------------+---------------------------------+-------+------------------------------------+
| Name                         | Type                            | Count | Definition                         |
+------------------------------+---------------------------------+-------+------------------------------------+
| id (attribute)               | xsd:anyURI                      | 1     | The ID for the attack method.      |
| vulnerable-configuration-ref | internalReferenceType           | 0-n   | A reference to the                 |
| (element)                    |                                 |       | vulnerable-configuration           |
|                              |                                 |       | element(s) that can be exploited   |
|                              |                                 |       | through this particular attack     |
|                              |                                 |       | method.                            |
| impact (element)             | cvss2ImpactType                 | 0-1   | Provides information about the     |
|                              |                                 |       | severity of the vulnerability.     |
| characteristic (element)     | vulnerabilityCharacteristicType | 0-n   | Identifies characteristics of the  |
|                              |                                 |       | vulnerability.                     |
| ##other (element)            | xsd:any                         | 0-n   | Provides an extension point.       |
+------------------------------+---------------------------------+-------+------------------------------------+

Table 24: vulnerabilityAnalysisType Properties

7.2.1.9.1. internalReferenceType

+--------------+------------+-------+-------------------------------+
| Name         | Type       | Count | Definition                    |
+--------------+------------+-------+-------------------------------+
| id-ref       | xsd:anyURI | 0-1   | A reference to a              |
| (attribute)  |            |       | vulnerable-configuration      |
|              |            |       | element.                      |
+--------------+------------+-------+-------------------------------+

Table 25: internalReferenceType Properties

7.2.1.9.2. cvss2ImpactType

cvss2ImpactType is an extension type that includes CVSS v2 scoring
information. Extends impactType.
+---------------+-----------------------+-------+-------------------+
| Name          | Type                  | Count | Definition        |
+---------------+-----------------------+-------+-------------------+
| cvss2-metrics | cvssv2:cvssImpactType | 1     | The CVSS v2 score |
| (element)     |                       |       | metrics for the   |
|               |                       |       | vulnerability.    |
+---------------+-----------------------+-------+-------------------+

Table 26: cvss2ImpactType Properties

7.2.1.9.3. impactType

impactType identifies the type of impact the vulnerability may have.

+--------------+--------------------+-------+-----------------------+
| Name         | Type               | Count | Definition            |
+--------------+--------------------+-------+-----------------------+
| inclusion    | lifecycleEventType | 0-1   | The date and time the |
| (element)    |                    |       | impact information    |
|              |                    |       | was first included in |
|              |                    |       | this data feed.       |
| modification | lifecycleEventType | 0-n   | The date and time the |
| (element)    |                    |       | impact information    |
|              |                    |       | was modified.         |
|              |                    |       | Multiple instances    |
|              |                    |       | may be used to serve  |
|              |                    |       | as a change log.      |
+--------------+--------------------+-------+-----------------------+

Table 27: impactType Properties

7.2.1.9.4. vulnerabilityCharacteristicType

Holds information relating to the characteristics of the
vulnerability.

+-------------+------------+-------+--------------------------------+
| Name        | Type       | Count | Definition                     |
+-------------+------------+-------+--------------------------------+
| type        | xsd:anyURI | 0-1   | Type of vulnerability.         |
| (attribute) |            |       |                                |
| ##other     | xsd:any    | 0-1   | Provides an extension point    |
| (element)   |            |       | for additional information.    |
+-------------+------------+-------+--------------------------------+

Table 28: vulnerabilityCharacteristicType Properties

7.2.2. CVSS v2

CVSS v2 defines various CVSS scoring components and representations
that may be used in the vulnerability data model.

7.2.2.1. cvssType

The cvssType defines the representation of a complete CVSS v2 score,
including all three scores: base, temporal and environmental.

+-----------------------+--------------------------+-------+-----------------------------+
| Name                  | Type                     | Count | Definition                  |
+-----------------------+--------------------------+-------+-----------------------------+
| base_metrics          | baseMetricsType          | 0-n   | The base CVSS score         |
| (element)             |                          |       |                             |
| environmental_metrics | environmentalMetricsType | 0-n   | The environmental CVSS      |
| (element)             |                          |       | score                       |
| temporal_metrics      | temporalMetricsType      | 0-n   | The temporal CVSS score     |
| (element)             |                          |       |                             |
+-----------------------+--------------------------+-------+-----------------------------+

Table 29: cvssType Properties

7.2.2.2. cvssImpactType

The cvssImpactType defines a CVSS v2 score that requires at least a
base score component, since the other score types cannot be
calculated accurately without one. Places restrictions on cvssType.

+-----------------------+--------------------------+-------+-----------------------------+
| Name                  | Type                     | Count | Definition                  |
+-----------------------+--------------------------+-------+-----------------------------+
| base_metrics          | baseMetricsType          | 1     | The base CVSS score         |
| (element)             |                          |       |                             |
| environmental_metrics | environmentalMetricsType | 0-1   | The environmental CVSS      |
| (element)             |                          |       | score                       |
| temporal_metrics      | temporalMetricsType      | 0-1   | The temporal CVSS score     |
| (element)             |                          |       |                             |
+-----------------------+--------------------------+-------+-----------------------------+

Table 30: cvssImpactType Properties

7.2.2.3. cvssImpactBaseType

The cvssImpactBaseType defines a CVSS v2 base score component.
+---------------------+-----------------+-------+-------------------+
| Name                | Type            | Count | Definition        |
+---------------------+-----------------+-------+-------------------+
| base_metrics        | baseMetricsType | 1     | A base score      |
| (element)           |                 |       | component         |
+---------------------+-----------------+-------+-------------------+

Table 31: cvssImpactBaseType Properties

7.2.2.4. cvssImpactTemporalType

The cvssImpactTemporalType defines a CVSS v2 temporal score component.
It extends cvssImpactBaseType.

+-------------------+---------------------+-------+-----------------+
| Name              | Type                | Count | Definition      |
+-------------------+---------------------+-------+-----------------+
| temporal_metrics  | temporalMetricsType | 0-1   | A temporal      |
| (element)         |                     |       | score component |
+-------------------+---------------------+-------+-----------------+

Table 32: cvssImpactTemporalType Properties

7.2.2.5. cvssImpactEnvironmentalType

The cvssImpactEnvironmentalType is a derived type that defines a CVSS
v2 environmental score component. It extends cvssImpactTemporalType.

+-----------------------+--------------------------+-------+--------------------+
| Name                  | Type                     | Count | Definition         |
+-----------------------+--------------------------+-------+--------------------+
| environmental_metrics | environmentalMetricsType | 0-1   | An environmental   |
| (element)             |                          |       | score component    |
+-----------------------+--------------------------+-------+--------------------+

Table 33: cvssImpactEnvironmentalType Properties

7.2.2.6. metricsType

The metricsType defines an abstract type that presents the common
attributes of all other metric types.
+-----------------------+-------------+-------+---------------------+
| Name                  | Type        | Count | Definition          |
+-----------------------+-------------+-------+---------------------+
| upgraded-from-version | xsd:decimal | 0-1   | Indicates the       |
| (attribute)           |             |       | previous CVSS score |
|                       |             |       | version that this   |
|                       |             |       | metric was upgraded |
|                       |             |       | from.               |
+-----------------------+-------------+-------+---------------------+

Table 34: metricsType Properties

7.2.2.7. baseMetricsType

The baseMetricsType defines a derived metricsType that represents a
base CVSS v2 score component. Extends metricsType.

+------------------------+----------------------+-------+-------------------------------------+
| Name                   | Type                 | Count | Definition                          |
+------------------------+----------------------+-------+-------------------------------------+
| score (element)        | zeroToTenDecimalType | 0-1   | Base severity score assigned to a   |
|                        |                      |       | vulnerability by a source           |
| exploit-subscore       | zeroToTenDecimalType | 0-1   | Base exploit sub-score assigned to  |
| (element)              |                      |       | a vulnerability by a source         |
| impact-subscore        | zeroToTenDecimalType | 0-1   | Base impact sub-score assigned to a |
| (element)              |                      |       | vulnerability by a source           |
| access-vector          | accessVectorType     | 0-1   | Access vector metric value for a    |
| (element)              |                      |       | base score                          |
| access-complexity      | accessComplexityType | 0-1   | Access complexity metric value for  |
| (element)              |                      |       | a base score                        |
| authentication         | authenticationType   | 0-1   | Authentication metric value for a   |
| (element)              |                      |       | base score                          |
| confidentiality-impact | ciaType              | 0-1   | Confidentiality impact metric value |
| (element)              |                      |       | for a base score                    |
| integrity-impact       | ciaType              | 0-1   | Integrity impact metric value for a |
| (element)              |                      |       | base score                          |
| availability-impact    | ciaType              | 0-1   | Availability impact metric value    |
| (element)              |                      |       | for a base score                    |
| source (element)       | xsd:anyURI           | 1     | Data source the vector was obtained |
|                        |                      |       | from. Example: http://nvd.nist.gov  |
|                        |                      |       | or com.symantec.deepsight           |
| generated-on-datetime  | xsd:dateTime         | 0-1   | Timestamp for when the base score   |
| (element)              |                      |       | was generated                       |
+------------------------+----------------------+-------+-------------------------------------+

Table 35: baseMetricsType Properties

7.2.2.7.1. zeroToTenDecimalType

The zeroToTenDecimalType defines a type that can be used to represent
values from 0.0 to 10.0 with one decimal place, as used in CVSS
scores. It extends xsd:decimal with a restriction that values must be
between 0.0 and 10.0.

7.2.2.7.2. accessVectorType

The accessVectorType defines the representation of an access vector
component in a CVSS score.

Extends: accessVectorEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 36: accessVectorType Properties

7.2.2.7.3. accessVectorEnumType

The accessVectorEnumType defines the allowed values for the access
vector component of the base CVSS vector.

Allowed enumeration values: LOCAL, ADJACENT_NETWORK, NETWORK

7.2.2.7.4. accessComplexityType

The accessComplexityType defines the representation of an access
complexity component in a CVSS score.
Extends: accessComplexityEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 37: accessComplexityType Properties

7.2.2.7.5. accessComplexityEnumType

The accessComplexityEnumType defines the allowed values for the access
complexity component of the base CVSS vector.

Allowed enumeration values: HIGH, MEDIUM, LOW

7.2.2.7.6. authenticationType

The authenticationType defines the representation of authentication
values in a CVSS score.

Extends: authenticationEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 38: authenticationType Properties

7.2.2.7.7. authenticationEnumType

The authenticationEnumType defines the allowed values for the
authentication component of the base CVSS vector.

Allowed enumeration values: MULTIPLE_INSTANCES, SINGLE_INSTANCE, NONE

7.2.2.7.8. ciaType

The ciaType defines the representation of confidentiality, integrity
and availability impact values in a CVSS score.
Extends: ciaEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 39: ciaType Properties

7.2.2.7.9. ciaEnumType

The ciaEnumType defines the allowed values for the confidentiality,
integrity and availability components of the base CVSS vector.

Allowed enumeration values: NONE, PARTIAL, COMPLETE

7.2.2.8. environmentalMetricsType

The environmentalMetricsType represents an environmental CVSS v2
score component. It extends metricsType.

+-----------------------------+-------------------------------+-------+-------------------------------------+
| Name                        | Type                          | Count | Definition                          |
+-----------------------------+-------------------------------+-------+-------------------------------------+
| score (element)             | zeroToTenDecimalType          | 0-1   | Environmental severity score        |
|                             |                               |       | assigned to a vulnerability by a    |
|                             |                               |       | source                              |
| collateral-damage-potential | collateralDamagePotentialType | 0-1   | Collateral damage potential metric  |
| (element)                   |                               |       | value for an environmental score    |
| target-distribution         | targetDistributionType        | 0-1   | Target distribution metric value    |
| (element)                   |                               |       | for an environmental score          |
| confidentiality-requirement | ciaRequirementType            | 0-1   | Confidentiality requirement metric  |
| (element)                   |                               |       | value for an environmental score    |
| integrity-requirement       | ciaRequirementType            | 0-1   | Integrity requirement metric value  |
| (element)                   |                               |       | for an environmental score          |
| availability-requirement    | ciaRequirementType            | 0-1   | Availability requirement metric     |
| (element)                   |                               |       | value for an environmental score    |
| source (element)            | xsd:anyURI                    | 1     | Data source the vector was obtained |
|                             |                               |       | from. Example: http://nvd.nist.gov  |
|                             |                               |       | or com.symantec.deepsight           |
| generated-on-datetime       | xsd:dateTime                  | 0-1   | Timestamp for when the              |
| (element)                   |                               |       | environmental score was generated   |
+-----------------------------+-------------------------------+-------+-------------------------------------+

Table 40: environmentalMetricsType Properties

7.2.2.8.1. collateralDamagePotentialType

The collateralDamagePotentialType defines the representation of
collateral damage potential in a CVSS score.

Extends: collateralDamagePotentialEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 41: collateralDamagePotentialType Properties

7.2.2.8.2. collateralDamagePotentialEnumType

The collateralDamagePotentialEnumType defines the allowed values for
the collateral damage potential component of the environmental CVSS
vector.

Allowed enumeration values: NONE, LOW, LOW_MEDIUM, MEDIUM_HIGH, HIGH,
NOT_DEFINED

7.2.2.8.3. targetDistributionType

The targetDistributionType defines the representation of a target
distribution value in a CVSS score.
Extends: targetDistributionEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 42: targetDistributionType Properties

7.2.2.8.4. targetDistributionEnumType

The targetDistributionEnumType defines the allowed values for the
target distribution component of the environmental CVSS vector.

Allowed enumeration values: NONE, LOW, MEDIUM, HIGH, NOT_DEFINED

7.2.2.8.5. ciaRequirementType

The ciaRequirementType defines the representation of a
confidentiality, integrity, or availability requirement in a CVSS
score.

Extends: ciaRequirementEnumType

+--------------+-------------+-------+------------------------------+
| Name         | Type        | Count | Definition                   |
+--------------+-------------+-------+------------------------------+
| approximated | xsd:boolean | 0-1   | Indicates if the value has   |
| (attribute)  |             |       | been approximated as the     |
|              |             |       | result of an upgrade from a  |
|              |             |       | previous CVSS version. The   |
|              |             |       | default value is false.      |
+--------------+-------------+-------+------------------------------+

Table 43: ciaRequirementType Properties

7.2.2.8.6. ciaRequirementEnumType

The ciaRequirementEnumType defines the allowed values for the
confidentiality, integrity and availability requirement components of
the environmental CVSS vector.

Allowed enumeration values: LOW, MEDIUM, HIGH, NOT_DEFINED

7.2.2.9. temporalMetricsType

The temporalMetricsType represents a temporal CVSS v2 score
component. It extends metricsType.

+-----------------------+----------------------+-------+-------------------------------------+
| Name                  | Type                 | Count | Definition                          |
+-----------------------+----------------------+-------+-------------------------------------+
| score (element)       | zeroToTenDecimalType | 0-1   | Temporal severity score assigned to |
|                       |                      |       | a vulnerability by a source. The    |
|                       |                      |       | temporal score is the temporal      |
|                       |                      |       | multiplier times the base score.    |
| temporal-multiplier   | xsd:decimal          | 0-1   | The temporal multiplier, a number   |
| (element)             |                      |       | between zero and one. Reference the |
|                       |                      |       | CVSS standard for computation.      |
| exploitability        | exploitabilityType   | 0-1   | Exploitability metric value for a   |
| (element)             |                      |       | temporal score                      |
| remediation-level     | remediationLevelType | 0-1   | Remediation level metric value for  |
| (element)             |                      |       | a temporal score                    |
| report-confidence     | confidenceType       | 0-1   | Report confidence metric value for  |
| (element)             |                      |       | a temporal score                    |
| source (element)      | xsd:anyURI           | 1     | Data source the vector was obtained |
|                       |                      |       | from. Example: http://nvd.nist.gov  |
|                       |                      |       | or com.symantec.deepsight           |
| generated-on-datetime | xsd:dateTime         | 1     | Timestamp for when the temporal     |
| (element)             |                      |       | score was generated                 |
+-----------------------+----------------------+-------+-------------------------------------+

Table 44: temporalMetricsType Properties

7.2.2.9.1. exploitabilityType

The exploitabilityType defines the representation of exploitability
values in a CVSS score.
   Extends: exploitabilityEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version.  The  |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                Table 45: exploitabilityType Properties

7.2.2.9.2.  exploitabilityEnumType

   The exploitabilityEnumType defines the allowed values for the
   exploitability component of the temporal CVSS vector.

   Allowed enumeration values: UNPROVEN, PROOF_OF_CONCEPT, FUNCTIONAL,
   HIGH, NOT_DEFINED

7.2.2.9.3.  remediationLevelType

   The remediationLevelType defines the representation of remediation
   level in a CVSS score.

   Extends: remediationLevelEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version.  The  |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

               Table 46: remediationLevelType Properties

7.2.2.9.4.  remediationLevelEnumType

   The remediationLevelEnumType defines the allowed values for the
   remediation level component of the temporal CVSS vector.

   Allowed enumeration values: OFFICIAL_FIX, TEMPORARY_FIX, WORKAROUND,
   UNAVAILABLE, NOT_DEFINED

7.2.2.9.5.  confidenceType

   The confidenceType defines the representation of report confidence
   values in a CVSS score.
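   The temporal and environmental types of Sections 7.2.2.8 and 7.2.2.9
   carry the metric values but defer the arithmetic to the CVSS
   standard.  The following Python is an added example, not code from
   this draft or from NIST: it implements the CVSS v2 base, temporal and
   environmental formulas of [CVSSv2] keyed by the enumeration names
   this draft defines, and reproduces the two base scores that appear in
   the samples of Appendix B (4.9 for the local/complete-confidentiality
   vector and 9.3 for the network/complete-impact vector).  The
   base-metric enumeration spellings, the function names and the
   rounding helper are this example's own assumptions, not part of the
   VDM schema.

```python
"""CVSS v2 scoring keyed by the VDM enumeration names.

Added example, not part of the draft or of NIST's own code.  Weights
and formulas follow the CVSS v2 specification cited as [CVSSv2]; the
base-metric enum names and function names are assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (assumed enum spellings for the base vector).
ACCESS_VECTOR = {"LOCAL": 0.395, "ADJACENT_NETWORK": 0.646, "NETWORK": 1.0}
ACCESS_COMPLEXITY = {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71}
AUTHENTICATION = {"MULTIPLE": 0.45, "SINGLE": 0.56, "NONE": 0.704}
IMPACT = {"NONE": 0.0, "PARTIAL": 0.275, "COMPLETE": 0.660}

# Temporal weights keyed by the VDM enum names (Section 7.2.2.9).
EXPLOITABILITY = {"UNPROVEN": 0.85, "PROOF_OF_CONCEPT": 0.9,
                  "FUNCTIONAL": 0.95, "HIGH": 1.0, "NOT_DEFINED": 1.0}
REMEDIATION_LEVEL = {"OFFICIAL_FIX": 0.87, "TEMPORARY_FIX": 0.90,
                     "WORKAROUND": 0.95, "UNAVAILABLE": 1.0,
                     "NOT_DEFINED": 1.0}
REPORT_CONFIDENCE = {"UNCONFIRMED": 0.90, "UNCORROBORATED": 0.95,
                     "CONFIRMED": 1.0, "NOT_DEFINED": 1.0}

# Environmental weights keyed by the VDM enum names (Section 7.2.2.8).
COLLATERAL_DAMAGE = {"NONE": 0.0, "LOW": 0.1, "LOW_MEDIUM": 0.3,
                     "MEDIUM_HIGH": 0.4, "HIGH": 0.5, "NOT_DEFINED": 0.0}
TARGET_DISTRIBUTION = {"NONE": 0.0, "LOW": 0.25, "MEDIUM": 0.75,
                       "HIGH": 1.0, "NOT_DEFINED": 1.0}
CIA_REQUIREMENT = {"LOW": 0.5, "MEDIUM": 1.0, "HIGH": 1.51,
                   "NOT_DEFINED": 1.0}


def round1(x):
    """CVSS v2 rounds to one decimal place with halves rounded up."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"),
                                          rounding=ROUND_HALF_UP))


def _impact(c, i, a, cr="NOT_DEFINED", ir="NOT_DEFINED", ar="NOT_DEFINED"):
    """Impact subscore; non-default requirements give the adjusted impact."""
    return 10.41 * (1 - (1 - IMPACT[c] * CIA_REQUIREMENT[cr])
                      * (1 - IMPACT[i] * CIA_REQUIREMENT[ir])
                      * (1 - IMPACT[a] * CIA_REQUIREMENT[ar]))


def _base_from_impact(impact, av, ac, au):
    exploitability = (20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                      * AUTHENTICATION[au])
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact) in CVSS v2
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def base_score(av, ac, au, c, i, a):
    """Base score, e.g. 4.9 for (LOCAL, LOW, NONE, COMPLETE, NONE, NONE)."""
    return _base_from_impact(_impact(c, i, a), av, ac, au)


def temporal_multiplier(e, rl, rc):
    """The temporal-multiplier element of Table 44: a value in (0, 1]."""
    return EXPLOITABILITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc]


def temporal_score(base, e, rl, rc):
    """The score element of Table 44: base times the temporal multiplier."""
    return round1(base * temporal_multiplier(e, rl, rc))


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar):
    """Environmental score per CVSS v2: the base is recomputed with the
    adjusted impact (capped at 10), the temporal multiplier is applied,
    then collateral damage potential and target distribution scale it."""
    adjusted_impact = min(10.0, _impact(c, i, a, cr, ir, ar))
    adjusted_base = _base_from_impact(adjusted_impact, av, ac, au)
    adjusted_temporal = temporal_score(adjusted_base, e, rl, rc)
    return round1((adjusted_temporal
                   + (10 - adjusted_temporal) * COLLATERAL_DAMAGE[cdp])
                  * TARGET_DISTRIBUTION[td])


if __name__ == "__main__":
    # Base vectors taken from the samples in Appendix B of the draft.
    print(base_score("LOCAL", "LOW", "NONE", "COMPLETE", "NONE", "NONE"))
    print(base_score("NETWORK", "MEDIUM", "NONE",
                     "COMPLETE", "COMPLETE", "COMPLETE"))
```

   A consumer that stores the score element alongside the metric
   elements can recompute the score with these functions and flag a
   record whose stored score disagrees with its own metrics; a NOT_DEFINED
   temporal value contributes a weight of 1.0, so a temporal score with
   all three metrics undefined equals the base score, and a target
   distribution of NONE drives the environmental score to zero.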
   Extends: confidenceEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version.  The  |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                  Table 47: confidenceType Properties

7.2.2.9.6.  confidenceEnumType

   The confidenceEnumType defines the allowed values for the report
   confidence component of the temporal CVSS vector.

   Allowed enumeration values: UNCONFIRMED, UNCORROBORATED, CONFIRMED,
   NOT_DEFINED

8.  Controlled Vocabularies

   Several types in the Vulnerability Data Model utilize controlled
   vocabularies in an attempt to provide a balance between usability
   and flexibility.  Controlled vocabularies utilize a standard format
   for values of the form scap:authority:id, while allowing other
   entities to create additional entries.  The following elements
   utilize the vocabularies defined below.

8.1.  event-type

   The event-type controlled vocabulary is used to identify the type of
   the event that occurred.

   +--------------------------------+----------------------------------+
   | Vocabulary Entry               | Description                      |
   +--------------------------------+----------------------------------+
   | scap:gov.nist:Inclusion        | The date and time that the       |
   |                                | entity was first included in     |
   |                                | this data feed                   |
   | scap:gov.nist:Modification     | The date and time that the       |
   |                                | vulnerability record was last    |
   |                                | modified.  Multiple instances of |
   |                                | this can be used to serve as a   |
   |                                | change log                       |
   | scap:gov.nist:Deprecation      | Information used to indicate     |
   |                                | deprecation of a record.         |
   |                                | This element is only to be used  |
   |                                | if the record has been           |
   |                                | deprecated                       |
   | scap:gov.nist:Supersession     | The date and time that the       |
   |                                | entity was first included in     |
   |                                | this data feed                   |
   | scap:gov.nist:Discovered       | The date that the vulnerability  |
   |                                | was first discovered             |
   | scap:gov.nist:Disclosure       | The date and time that the       |
   |                                | vulnerability was disclosed to   |
   |                                | the public                       |
   | scap:gov.nist:VendorDisclosure | The date and time that the       |
   |                                | software vendor was first        |
   |                                | notified of the vulnerability    |
   +--------------------------------+----------------------------------+

               Table 48: event-type Controlled Vocabulary

8.2.  intended-uses

   The intended-uses controlled vocabulary is used to indicate the type
   of information that is included in the text.  This information is
   provided as a "hint" to consumers on how they should present the
   information in various scenarios.

   +-------------------------------------+-----------------------------+
   | Vocabulary Entry                    | Description                 |
   +-------------------------------------+-----------------------------+
   | scap:gov.nist:general               | Provides general            |
   |                                     | information                 |
   | scap:gov.nist:summary               | A short summary of the      |
   |                                     | entity                      |
   | scap:gov.nist:description           | A formatted description of  |
   |                                     | the entity                  |
   | scap:gov.nist:mitigation            | A potential method to       |
   |                                     | mitigate the vulnerability  |
   | scap:gov.nist:mitigatingFactors     | Additional considerations   |
   |                                     | that affect the             |
   |                                     | vulnerability and may       |
   |                                     | reduce its impact in        |
   |                                     | certain situations          |
   | scap:gov.nist:scope                 | Identifies the potential    |
   |                                     | access that can be gained   |
   |                                     | through exploiting the      |
   |                                     | vulnerability               |
   | scap:gov.nist:affectedComponent     | Identifies the affected     |
   |                                     | components of the software  |
   | scap:gov.nist:cause                 | Explains the root cause of  |
   |                                     | the vulnerability           |
   | scap:gov.nist:additionalInformation | Provides additional         |
   |                                     | information                 |
   | scap:gov.nist:attackPossibilities   | Identifies what an attacker |
   |                                     | may do if they can exploit  |
   |                                     | the vulnerability           |
   | scap:gov.nist:exploitMethod         | Identifies how an attacker  |
   |                                     | may exploit the             |
   |                                     | vulnerability               |
   | scap:gov.nist:primaryTargets        | Identifies the types of     |
   |                                     | systems that are considered |
   |                                     | most at risk to             |
   |                                     | exploitation through this   |
   |                                     | vulnerability               |
   | scap:gov.nist:updateActions         | Explains what the update    |
   |                                     | will do                     |
   | scap:gov.nist:publicDisclosure      | Indicates information about |
   |                                     | known public disclosures    |
   | scap:gov.nist:exploitReports        | Indicates known instances   |
   |                                     | of the exploit being used   |
   |                                     | in the "wild"               |
   +-------------------------------------+-----------------------------+

             Table 49: intended-uses Controlled Vocabulary

8.3.  content-type

   The content-type controlled vocabulary is used to specify the type of
   content.

   +---------------------------+----------------------------------+
   | Vocabulary Entry          | Description                      |
   +---------------------------+----------------------------------+
   | scap:gov.nist:description | Provides descriptive information |
   | scap:gov.nist:technical   | Provides technical details       |
   +---------------------------+----------------------------------+

              Table 50: content-type Controlled Vocabulary

8.4.  reference-type

   The reference-type controlled vocabulary is used to specify the type
   of reference category.
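   A consumer of VDM content has to accept the scap:authority:id form,
   recognise the entries this section defines under the gov.nist
   authority, and still admit well-formed entries registered by other
   authorities.  The following Python is an added example, not code from
   this draft or from NIST: it parses vocabulary values, classifies them
   as defined, extension or invalid against the entries of Tables 48
   through 51, and chooses a text block for display from its
   intended-uses hint, falling back to the summary block that the schema
   in Appendix C requires every vulnerability to carry.  The function
   names, the regular expression, the vocabulary names used as keys and
   the sample text blocks are constructed for this example.

```python
"""Validating VDM controlled-vocabulary values and applying intended-uses
hints.  Added example, not part of the draft; the gov.nist entries are
those of Tables 48 to 51, everything else is constructed."""
import re

# Entries the draft defines under the gov.nist authority, per vocabulary.
# The vocabulary names used as keys are this example's own labels.
NIST_VOCABULARIES = {
    "event-type": {"Inclusion", "Modification", "Deprecation",
                   "Supersession", "Discovered", "Disclosure",
                   "VendorDisclosure"},
    "intended-uses": {"general", "summary", "description", "mitigation",
                      "mitigatingFactors", "scope", "affectedComponent",
                      "cause", "additionalInformation",
                      "attackPossibilities", "exploitMethod",
                      "primaryTargets", "updateActions",
                      "publicDisclosure", "exploitReports"},
    "content-type": {"description", "technical"},
    "reference-type": {"Patch", "VendorAdvisory", "ThirdPartyAdvisory",
                       "SignatureSource", "MitigationProcedure",
                       "ToolConfigurationDescription", "AttackScenario",
                       "TechnicalDescription", "Other"},
}

# scap : authority (reverse-DNS style, dots allowed) : id (no more colons).
# The exact character set is an assumption; the draft only gives the form.
_ENTRY = re.compile(r"^scap:([A-Za-z0-9_.-]+):([A-Za-z0-9_.-]+)$")

SUMMARY_USE = "scap:gov.nist:summary"


def parse_entry(value):
    """Return (authority, id) for a well-formed entry, otherwise None."""
    m = _ENTRY.match(value)
    return (m.group(1), m.group(2)) if m else None


def classify(vocabulary, value):
    """'nist' for an entry the draft defines in this vocabulary,
    'extension' for a well-formed entry from another authority,
    'invalid' for a malformed value or an unknown gov.nist id."""
    parsed = parse_entry(value)
    if parsed is None:
        return "invalid"
    authority, ident = parsed
    if authority == "gov.nist":
        return "nist" if ident in NIST_VOCABULARIES[vocabulary] else "invalid"
    return "extension"


def select_text(blocks, preferred_uses):
    """blocks: list of (intended-use entry, text) pairs for one record.
    Honour the hint: return the first block matching the consumer's
    preferences, else the summary block, else the first block at all."""
    by_use = {}
    for use, text in blocks:
        by_use.setdefault(use, text)
    for use in list(preferred_uses) + [SUMMARY_USE]:
        if use in by_use:
            return by_use[use]
    return blocks[0][1] if blocks else None


if __name__ == "__main__":
    # Constructed record with two text blocks, as a consumer would see it.
    sample_blocks = [
        (SUMMARY_USE, "Short summary text."),
        ("scap:gov.nist:mitigation", "Apply the vendor update."),
    ]
    print(classify("reference-type", "scap:gov.nist:Patch"))
    print(classify("reference-type", "scap:com.example:InternalTicket"))
    print(select_text(sample_blocks, ["scap:gov.nist:cause"]))
```

   The strict branch (an unknown id under gov.nist is invalid) guards
   against a producer silently inventing entries in the draft's own
   namespace, while other authorities pass as extensions exactly as
   Section 8 permits; a stricter consumer could keep an allow-list of
   authorities it trusts.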
   +--------------------------------------------+----------------------+
   | Vocabulary Entry                           | Description          |
   +--------------------------------------------+----------------------+
   | scap:gov.nist:Patch                        | The reference        |
   |                                            | includes a link to a |
   |                                            | software patch or    |
   |                                            | update instructions  |
   | scap:gov.nist:VendorAdvisory               | The reference is by  |
   |                                            | an authoritative     |
   |                                            | source for the       |
   |                                            | affected software    |
   | scap:gov.nist:ThirdPartyAdvisory           | The reference is by  |
   |                                            | a non-authoritative  |
   |                                            | source for the       |
   |                                            | affected software    |
   | scap:gov.nist:SignatureSource              | The reference        |
   |                                            | includes a link to   |
   |                                            | one or more          |
   |                                            | signatures for use   |
   |                                            | in a signature-based |
   |                                            | detection system     |
   | scap:gov.nist:MitigationProcedure          | The reference        |
   |                                            | includes information |
   |                                            | regarding mitigation |
   |                                            | techniques that may  |
   |                                            | help reduce exposure |
   |                                            | to the vulnerability |
   | scap:gov.nist:ToolConfigurationDescription | The reference        |
   |                                            | includes information |
   |                                            | regarding the        |
   |                                            | configuration of a   |
   |                                            | tool that can be     |
   |                                            | used to detect the   |
   |                                            | vulnerability        |
   | scap:gov.nist:AttackScenario               | The reference        |
   |                                            | provides a sample    |
   |                                            | attack scenario that |
   |                                            | demonstrates how the |
   |                                            | vulnerability may be |
   |                                            | exploited            |
   | scap:gov.nist:TechnicalDescription         | The reference        |
   |                                            | provides a technical |
   |                                            | description of the   |
   |                                            | vulnerability        |
   | scap:gov.nist:Other                        | The reference does   |
   |                                            | not fit into one of  |
   |                                            | the other categories |
   +--------------------------------------------+----------------------+

             Table 51: reference-type Controlled Vocabulary

9.  Acknowledgements

   The authors wish to thank their colleagues who reviewed drafts of
   this document and contributed to its technical content.
   The authors would like to acknowledge David Waltermire of NIST,
   Joseph Wolfkiel of the Defense Information Systems Agency (DISA), Jim
   Ronayne of Varen Technologies, Matt Kerr of G2, Inc. and Shane
   Shaffer of G2, Inc. for their keen and insightful assistance
   throughout the development of this document.

10.  IANA Considerations

   This memo includes no request to IANA.

11.  Security Considerations

   As a data format, the Vulnerability Data Model does not have security
   concerns that are known at this time.  However, as a data format
   designed to be stored and transmitted between entities within an
   enterprise, it SHOULD be used within a properly secured environment.
   Over time, a significant amount of information valuable to attackers
   can be gleaned from Vulnerability Data Model information.  Therefore,
   it is recommended that use of Vulnerability Data Models be performed
   in environments providing communication security mechanisms supplying
   the properties of confidentiality, data integrity, and
   non-repudiation.

12.  Normative References

   [CPE]      National Institute of Standards and Technology, "NIST
              Interagency Reports 7695, 7696, 7697, and 7698, the Common
              Platform Enumeration", 2011, .

   [CVSSv2]   National Institute of Standards and Technology, "NIST
              Interagency Report 7435, The Common Vulnerability Scoring
              System and Its Applicability to Federal Agency Systems",
              2007, .

   [DCTERMS]  Dublin Core Metadata Initiative, "Dublin Core Metadata
              Terms", 2012, .

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [XML]      W3C, "W3C Recommendation Extensible Markup Language (XML)
              1.0 (Fifth Edition)", 2008, .

   [XSD]      W3C, "W3C Recommendation XML Schema", 2004, .

   [XSI]      W3C, "W3C Recommendation XML Schema Instance", 2001, .

Appendix A.  Use Cases

   This appendix documents some common use cases that were considered
   when developing VDM.

A.1.  OEM Vendor Statements

   It is common for OEM vendors to release information regarding
   vulnerabilities found in their products.  These releases often take
   the form of textual information about the vulnerability, in vendor
   specific formats.  Providing the information in a standardized format
   would allow those wishing to automatically gather and parse the
   vulnerability information to do so without developing custom tools
   for each vendor.

A.2.  Security Researchers

   Security researchers have interest in correlating and analyzing the
   data provided as part of the VDM for various purposes.  In order to
   support this use case the VDM should include the following
   information:

   o  A unique identifier for the vulnerability

   o  A list of additional identifiers for the vulnerability if
      applicable

   o  A list of the affected software and/or platforms

   o  An indication of the severity of the vulnerability, including any
      differences in severity based on various configurations

   o  References to support additional research

A.3.  System Design and Planning

   System Administrators, System Architects, and the authors of security
   guides all have an interest in knowing what vulnerabilities exist on
   a given platform.
   The information provided by the vulnerability model can assist in
   determining:

   o  Which platforms to deploy

   o  What configurations of a platform to deploy

   o  What mitigating controls may be needed in a given environment

   o  What remediations are available for a vulnerability

   In order to support this use case vulnerability information should
   include:

   o  A unique identifier for a vulnerability

   o  An indication of when a vulnerability is applicable

   o  An indication of the severity of a vulnerability

   o  References to allow additional information about a vulnerability
      to be gathered

   o  References to existing remediations for the vulnerability

   o  Indicators of the freshness of the vulnerability information

A.4.  Assessment Content Authoring

   Some individuals or organizations have a need to create content to
   detect the presence of a vulnerability.  Vulnerability detection may
   be done through the use of a common specification such as SCAP or
   through proprietary methods.  Information provided by the
   vulnerability model can assist in determining:

   o  Which platforms are affected by a vulnerability

   o  Where existing detection content may already exist

   o  The severity of the vulnerability

   In order to support the Assessment Content Authoring use case the
   vulnerability model should include:

   o  A unique identifier for the vulnerability

   o  An indication of what platforms are affected by the vulnerability

   o  An indication of the severity of the vulnerability

   o  Additional references to assist in researching the vulnerability

   o  References to any existing assessment content

   o  Indicators of the freshness of the vulnerability information

A.5.  Certification and Accreditation

   Certification and Accreditation teams are responsible for determining
   whether or not systems are allowed to remain on a given network.
   This is usually determined based on the priority of the function the
   system supports, assessment reports for the system, and
   organizational guidelines.  Information provided as part of the
   vulnerability model can assist in determining:

   o  The severity of a vulnerability

   o  The existence of exploits

   o  The existence of remediations

   o  The type of the vulnerability

   o  Indicators of the freshness of the vulnerability information

Appendix B.  VDM Examples

   This section shows some sample vulnerability information from various
   sources put into VDM format.

B.1.  Sample 1

   OSX Lion v10.7.4 and Security Update 2012-002

   CVE-2012-0652

   scap:gov.nist:publish

   scap:gov.nist:description

   An issue existed in the handling of network account logins.  The
   login process recorded sensitive information in the system log, where
   other users of the system could read it.  The sensitive information
   may persist in saved logs after installation of this update.  This
   issue only affects systems running OS X Lion v10.7.3 with users of
   Legacy File Vault and/or networked home directories.  See
   http://support.apple.com/kb/TS4272 for more information about how to
   securely remove any remaining records.

   cpe:/o:apple:mac_os_x:10.7.3

B.2.  Sample 2

   CVE-2012-0652

   OSX Lion v10.7.4 and Security Update 2012-002

   scap:gov.nist:summary

   Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or
   networked home directories are enabled, does not properly restrict
   what is written to the system log for network logins, which allows
   local users to obtain sensitive information by reading the log.
   Apple

   Apple

   APPLE-SA-2012-05-09-1

   cpe:/o:apple:mac_os_x:10.7.3

   4.9
   LOCAL
   LOW
   NONE
   COMPLETE
   NONE
   NONE
   NIST
   2012-11-05T09:00:00Z

B.3.  Sample 3

   CVE-2012-1848

   MS12-034

   scap:gov.nist:summary

   An elevation of privilege vulnerability exists in the Windows
   kernel-mode driver.  An attacker who successfully exploited this
   vulnerability could run arbitrary code in kernel mode.  An attacker
   could then install programs; view, change, or delete data; or create
   new accounts with full administrative rights.

   scap:gov.nist:mitigation

   Microsoft has not identified any workarounds for this vulnerability.

   scap:gov.nist:mitigatingFactors

   An attacker must have valid logon credentials and be able to log on
   locally to exploit this vulnerability.

   scap:gov.nist:scope

   This is an elevation of privilege vulnerability.

   scap:gov.nist:affectedComponent

   The component affected by this vulnerability is the Windows
   kernel-mode driver (win32k.sys).

   scap:gov.nist:cause

   The vulnerability is caused when the Windows kernel-mode driver
   improperly handles input passed from user-mode functions.

   scap:gov.nist:additionalInformation

   Win32k.sys is a kernel-mode device driver and is the kernel part of
   the Windows subsystem.  It contains the window manager, which
   controls window displays; manages screen output; collects input from
   the keyboard, mouse, and other devices; and passes user messages to
   applications.  It also contains the Graphics Device Interface (GDI),
   which is a library of functions for graphics output devices.
   Finally, it serves as a wrapper for DirectX support that is
   implemented in another driver (dxgkrnl.sys).  The Windows kernel is
   the core of the operating system.
   It provides system-level services such as device management and
   memory management, allocates processor time to processes, and manages
   error handling.

   scap:gov.nist:attackPossibilities

   An attacker who successfully exploited this vulnerability could run
   arbitrary code in the context of another process.  If this process
   runs with administrator privileges, an attacker could then install
   programs; view, change, or delete data; or create new accounts with
   full user rights.

   scap:gov.nist:exploitMethod

   To exploit this vulnerability, an attacker would first have to log on
   to the system.  An attacker could then run a specially crafted
   application that could exploit the vulnerability and take complete
   control over the affected system.

   scap:gov.nist:primaryTargets

   Workstations and terminal servers are primarily at risk.  Servers
   could be at more risk if administrators allow users to log on to
   servers and to run programs.  However, best practices strongly
   discourage allowing this.

   scap:gov.nist:updateActions

   The update addresses the vulnerability by correcting the way that the
   Windows kernel-mode driver handles data passed from user-mode
   functions.

   scap:gov.nist:publicDisclosure

   No.  Microsoft received information about this vulnerability through
   coordinated vulnerability disclosure.

   scap:gov.nist:exploitReports

   No.  Microsoft had not received any information to indicate that
   this vulnerability had been publicly used to attack customers when
   this security bulletin was originally issued.
   scap:gov.nist:inclusion

   cpe:/o:microsoft:windows_xp::sp3
   cpe:/o:microsoft:windows_xp:-:sp2:x64
   cpe:/o:microsoft:windows_server_2003::sp2
   cpe:/o:microsoft:windows_server_2003::sp2:x64
   cpe:/o:microsoft:windows_server_2003::sp2:itanium
   cpe:/o:microsoft:windows_vista::sp2
   cpe:/o:microsoft:windows_vista::sp2:x64
   cpe:/o:microsoft:windows_server_2008::sp2:x86
   cpe:/o:microsoft:windows_server_2008::sp2:x64
   cpe:/o:microsoft:windows_server_2008::sp2:itanium
   cpe:/o:microsoft:windows_7::sp1:x86
   cpe:/o:microsoft:windows_7::sp1:x64
   cpe:/o:microsoft:windows_server_2008:r2::x64
   cpe:/o:microsoft:windows_server_2008:r2:sp1:x64
   cpe:/o:microsoft:windows_server_2008:r2::itanium
   cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium

   9.3
   NETWORK
   MEDIUM
   NONE
   COMPLETE
   COMPLETE
   COMPLETE
   NIST

B.4.  Sample 4

   CVE-2012-1848

   scap:gov.nist:summary

   scap:gov.nist:description

   win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and
   SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008
   SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer
   Preview does not properly handle user-mode input passed to kernel
   mode, which allows local users to gain privileges via a crafted
   application, aka "Scrollbar Calculation Vulnerability."
   scap:gov.nist:inclusion

   cpe:/o:microsoft:windows_xp::sp3
   cpe:/o:microsoft:windows_xp:-:sp2:x64
   cpe:/o:microsoft:windows_server_2003::sp2
   cpe:/o:microsoft:windows_server_2003::sp2:x64
   cpe:/o:microsoft:windows_server_2003::sp2:itanium
   cpe:/o:microsoft:windows_vista::sp2
   cpe:/o:microsoft:windows_vista::sp2:x64
   cpe:/o:microsoft:windows_server_2008::sp2:x86
   cpe:/o:microsoft:windows_server_2008::sp2:x64
   cpe:/o:microsoft:windows_server_2008::sp2:itanium
   cpe:/o:microsoft:windows_7::sp1:x86
   cpe:/o:microsoft:windows_7::sp1:x64
   cpe:/o:microsoft:windows_server_2008:r2::x64
   cpe:/o:microsoft:windows_server_2008:r2:sp1:x64
   cpe:/o:microsoft:windows_server_2008:r2::itanium
   cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium

   9.3
   NETWORK
   MEDIUM
   NONE
   COMPLETE
   COMPLETE
   COMPLETE
   NIST

Appendix C.  Vulnerability Data Model Schema

   This appendix contains the vulnerability data model schema.

   The Vulnerability Data Model was created to facilitate communication
   of vulnerability information through a common representation of a
   core set of concepts.  The Vulnerability Data Model was designed for
   use alone or in conjunction with other data models, specifications,
   or proprietary extensions.

   This schema was initially developed as part of the DoD NET-D data
   modeling efforts led by Lt. Col. Joe Wolfkiel and with participation
   by David Waltermire.  The current revision is the result of the
   experience of using the schemas within the National Vulnerability
   Database (NVD) at the National Institute of Standards and Technology
   (NIST) in the form of a data feed and a web service.  The following
   individuals also contributed ideas to the definition of this schema:
   Paul Cichonski formerly at NIST, and Jim Ronayne of Varen
   Technologies.
   The authors would also like to acknowledge the contributions and
   feedback provided by the security automation community.

   0.9.3
   Vulnerability Data Model
   David Waltermire, Harold Booth, Matthew Kerr
   0.9.3
   2012-10-21

   The Dublin Core Metadata Element Set, Version 1.1.

   The DCMI Metadata Terms.

   A simplified XHTML 1.1 modular schema driver that implements
   structural markup for embedding in XML data models.

   The information regarding a single specific vulnerability

   A type used to represent the ID of a vulnerability.  The combination
   of system and id must be globally unique

   Represents the id given to the vulnerability record by the identified
   system provider.  This id must be unique within a given system.

   Represents the identification system used to assign the associated
   id.

   The enumeration of available relationships between vulnerabilities
   that exist in different naming systems.

   A type used to represent the alias of a vulnerability.

   Represents the relationship of the vulnerability to another
   vulnerability.

   The enumeration of available vulnerability record statuses.

   Provides a type to encapsulate supersession information.

   If this record supersedes one or more entries, the identifier of the
   entry or entries that it supersedes.

   The date and time when the record superseded another entry.

   If this record has been superseded by one or more entries, the
   identifier of the entry or entries that this record has been
   superseded by.

   The date and time when the record was superseded by another entry.

   Identifies a significant event in the lifecycle of the entity.
   A controlled vocabulary that represents the lifecycle event type

   scap:gov.nist:Inclusion - The date and time that the entity was first
   included in this data feed.

   scap:gov.nist:Modification - The date and time that the vulnerability
   record was last modified.  Multiple instances of this can be used to
   serve as a change log.

   scap:gov.nist:Deprecation - Information used to indicate deprecation
   of a record.  This element is only to be used if the record has been
   deprecated.

   scap:gov.nist:Supersession - The date and time that the entity was
   first included in this data feed.

   scap:gov.nist:Discovered - The date that the vulnerability was first
   discovered.

   scap:gov.nist:Disclosure - The date and time that the vulnerability
   was disclosed to the public.

   scap:gov.nist:VendorDisclosure - The date and time that the software
   vendor was first notified of the vulnerability.

   Provides a mechanism to specify the intended audiences and uses of an
   element

   A controlled vocabulary that allows the specification of the type of
   content

   scap:gov.nist:description - Provides descriptive information

   scap:gov.nist:technical - Provides technical details

   Provides text and optional hints on how that text should be processed

   Specifies the potential target and use case combinations where this
   text may be appropriate

   Contains text

   A type used to represent the metadata associated with the
   vulnerability.

   Records the status of the vulnerability record within the scope of
   the primary namespace.

   Records lifecycle event information for the entity

   Information used to indicate supersession relationships for a record.
   This element is only to be used if the record has been superseded or
   if the record has superseded another entry.

   Identifies the software versions that have this vulnerability.
   The CPE name of the vulnerable software.

   Holds all of the information about a given vulnerability.

   The unique identifier for the vulnerability in regards to this
   vulnerability data source.

   Additional identifiers for the vulnerability that represent it in
   other data sources.  An example would be a CVE identifier.

   Additional metadata about the record.

   Provides textual information about the vulnerability.  At least a
   block with the usecase gov.nist.scap:Summary must be provided.

   References to additional information about the vulnerability.

   A list of CPE names corresponding to the software versions that have
   this vulnerability.

   A CPE Language construct that identifies the conditions under which
   the vulnerability exists.  Only needed when the vulnerability is
   situationally exploitable.

   Characteristics and impact of the vulnerability, optionally split
   based on configuration.

   Extension point for additional information

   Data type for the check element, a checking system specification URI,
   string content, and an optional external file reference.  The
   checking system specification should be the URI for a particular
   version of OVAL or a related system testing language, and the content
   will be an identifier of a test written in that language.  The
   external file reference could be used to point to the file in which
   the content test identifier is defined.

   Denotes a scanner and required configuration that is capable of
   detecting the referenced vulnerability.  May also be an OVAL
   definition and omit scanner name.
   Identifies a tool and any associated information about the tool, such
   as signature versions, that indicate the tool is capable of properly
   detecting and/or remediating the vulnerability or misconfiguration

   Identifies a check that can be used to detect the vulnerability or
   misconfiguration

   The CPE name of the scanning tool.  The CPE name can be used for a
   CPE from the NVD.  The CPE title attribute can be used for internal
   naming conventions.  (or both, if possible)

   The product(s) that collectively characterize a particular IT
   platform type.  See the CPE Language specification for additional
   information.

   An optional list of equivalent assessment methods that specify
   additional system state that must be present for the vulnerability to
   exist.

   The id for the vulnerable configuration.

   The source that provided the reference (e.g., individual,
   organization).

   Notes regarding the vulnerability or the reference source.

   TODO: Provide guidance in the spec on how to use unbounded properly
   with multiple namespaces and element contents

   Whether or not this reference has been deprecated.  Deprecated
   references should no longer be used.

   A controlled vocabulary that identifies the reference category for
   this reference.
   scap:gov.nist:Patch - The reference includes a link to a software patch or update instructions

   scap:gov.nist:VendorAdvisory - The reference is by an authoritative source for the affected software

   scap:gov.nist:ThirdPartyAdvisory - The reference is by a non-authoritative source for the affected software

   scap:gov.nist:SignatureSource - The reference includes a link to one or more signatures for use in a signature-based detection system

   scap:gov.nist:MitigationProcedure - The reference includes information regarding mitigation techniques that may help reduce exposure to the vulnerability

   scap:gov.nist:ToolConfigurationDescription - The reference includes information regarding the configuration of a tool that can be used to detect the vulnerability

   scap:gov.nist:AttackScenario - The reference provides a sample attack scenario that demonstrates how the vulnerability may be exploited

   scap:gov.nist:TechnicalDescription - The reference provides a technical description of the vulnerability

   scap:gov.nist:Other - The reference does not fit into one of the other categories

The language used by the reference source.

Holds information relating to references for the vulnerability.

The reference source. This may be a URL or a document.

A reference to the vulnerable-configuration element(s) that can be exploited through this particular attack method.

Provides information about the severity of the vulnerability.

Identifies characteristics of the vulnerability.

The ID for the attack method.

The date and time that the impact information was first included in this data feed.

The date and time the impact information was modified. Multiple instances of this can be used to serve as a change log.
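As an added example (not the draft's own schema, nor any reference implementation from NIST), the following Python script checks a constructed VDM-style record against four rules stated in the documentation strings above: a description block with usecase gov.nist.scap:Summary must be present, every reference category must come from the controlled vocabulary, a check must name its checking system by an absolute URI and carry a test identifier as content, and an attack method may only point at vulnerable-configuration elements that exist in the record. It also filters out deprecated references, which the draft says should no longer be used. Element and attribute names (vulnerability, description, reference, check, vulnerable-configuration, attack-method, configuration, idref, href, system, and the child elements source and uri) are assumptions made for this example; the draft's XML schema defines the real ones. Only the usecase value and the reference-category vocabulary are taken from the text.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
SUMMARY_USECASE = "gov.nist.scap:Summary"

# Controlled vocabulary for the reference category, as listed in the draft.
REFERENCE_CATEGORIES = frozenset({
    "scap:gov.nist:Patch",
    "scap:gov.nist:VendorAdvisory",
    "scap:gov.nist:ThirdPartyAdvisory",
    "scap:gov.nist:SignatureSource",
    "scap:gov.nist:MitigationProcedure",
    "scap:gov.nist:ToolConfigurationDescription",
    "scap:gov.nist:AttackScenario",
    "scap:gov.nist:TechnicalDescription",
    "scap:gov.nist:Other",
})

# Constructed sample record (fictitious product, no real vulnerability data).
# Element/attribute names are assumptions for this example; the OVAL
# definitions namespace is used only as an illustrative checking-system URI.
SAMPLE_RECORD = """\
<vulnerability id="EXAMPLE-0001">
  <description usecase="gov.nist.scap:Summary" xml:lang="en">
    Constructed example summary for a fictitious product.
  </description>
  <reference category="scap:gov.nist:VendorAdvisory" deprecated="false"
             xml:lang="en">
    <source>Example Vendor PSIRT</source>
    <uri>https://vendor.example/advisories/0001</uri>
  </reference>
  <reference category="scap:gov.nist:Patch" deprecated="true">
    <source>Example Vendor</source>
    <uri>https://vendor.example/patches/superseded</uri>
  </reference>
  <reference category="scap:gov.nist:Bogus">
    <source>Typo in category</source>
    <uri>https://third-party.example/note</uri>
  </reference>
  <vulnerable-software cpe="cpe:/a:example:app:1.0"/>
  <vulnerable-configuration id="vc-1"/>
  <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"
         href="example-defs.xml">oval:org.example:def:1</check>
  <attack-method id="am-1">
    <configuration idref="vc-1"/>
    <configuration idref="vc-99"/>
  </attack-method>
</vulnerability>
"""


def _is_true(value):
    """xs:boolean lexical forms: true/false/1/0."""
    return (value or "").strip() in ("true", "1")


def validate_record(xml_text):
    """Return a list of problems; an empty list means the record passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # Rule 1: at least one description block with the Summary usecase.
    if not any(d.get("usecase") == SUMMARY_USECASE
               for d in root.findall("description")):
        problems.append("no description with usecase " + SUMMARY_USECASE)

    # Rule 2: every reference category comes from the controlled vocabulary.
    for ref in root.findall("reference"):
        category = ref.get("category")
        if category not in REFERENCE_CATEGORIES:
            problems.append(f"reference category not in vocabulary: {category!r}")

    # Rule 3: a check names its checking system by absolute URI and carries
    # a test identifier written in that language as its content.
    for chk in root.findall("check"):
        system = chk.get("system", "")
        if not urlparse(system).scheme:
            problems.append(f"check system is not an absolute URI: {system!r}")
        if not (chk.text or "").strip():
            problems.append("check has no test identifier content")

    # Rule 4: an attack method may only reference vulnerable configurations
    # that actually exist in this record.
    known = {vc.get("id") for vc in root.findall("vulnerable-configuration")}
    for am in root.findall("attack-method"):
        for cfg in am.findall("configuration"):
            if cfg.get("idref") not in known:
                problems.append(
                    f"attack-method {am.get('id')!r} references unknown "
                    f"vulnerable-configuration {cfg.get('idref')!r}")
    return problems


def usable_references(xml_text):
    """(category, uri, lang) for references a consumer may still act on:
    not deprecated, and with a category from the vocabulary."""
    root = ET.fromstring(xml_text)
    result = []
    for ref in root.findall("reference"):
        if _is_true(ref.get("deprecated")):
            continue  # the draft: deprecated references should no longer be used
        category = ref.get("category")
        if category not in REFERENCE_CATEGORIES:
            continue
        uri = ref.findtext("uri", default="").strip()
        result.append((category, uri, ref.get(XML_LANG)))
    return result


if __name__ == "__main__":
    for p in validate_record(SAMPLE_RECORD):
        print("PROBLEM:", p)
    for cat, uri, lang in usable_references(SAMPLE_RECORD):
        print("REFERENCE:", cat, uri, lang)
```

Run against the sample, validate_record reports the misspelled category and the dangling idref vc-99, and usable_references yields only the vendor advisory: the patch link is dropped because it is deprecated and the third entry because its category is not in the vocabulary. A consumer built on the real schema would replace the assumed element names with the ones the draft defines and would add XML Schema validation in front of these semantic checks.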
The base and temporal metrics and scores for a vulnerability.

Holds information relating to the characteristics of the vulnerability.

The identifier of the object being referenced.

Type for a reference with an optional URI reference. This would normally be used to point to extra descriptive material, or the supplier's web site, or the platform documentation. It consists of a piece of text (intended to be human-readable) and a URI (intended to be a URL, and point to a real resource).

A collection of one or more locale-specific reference items.

This type allows the xml:lang attribute to associate a specific language with an element's string content.

This type defines an element that consists of one or more child note elements. It is assumed that each of these note elements is representative of the same language as defined by their parent.

Authors' Addresses

   Harold Booth
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland 20899
   USA

   Phone:
   Email: harold.booth@nist.gov

   Karen Scarfone
   Scarfone Cybersecurity
   13632 S. Springs Dr.
   Clifton, Virginia 20124
   USA

   Phone:
   Email: karen@scarfonecybersecurity.com
