OVAL® is a XML description and reporting format used to assess and report the state of an operating system. More in depth information about OVAL can be found on the Mitre OVAL website.
SUSE is currently providing OVAL information for SUSE Linux Enterprise products that allows to assess and report on the RPM package versions affected by known security issues in a CVE to RPM name/version mapping.
The OVAL data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Available OVAL Data for SUSE
SUSE offers OVAL data in three flavors:
- Indexed by released patches (“patch” style OVAL). Note that every patch can fix multiple CVEs.
- Indexed by CVEs (“vulnerability” style OVAL), containing fixed and SUSE not affecting security issues.
- Indexed by CVEs (“vulnerability” style OVAL), containing fixed, unfixed and SUSE not affecting security
issues. Note that this set will usually have some TRUE matches due to the time taken between intake
evaluation and release of our security fixes.
OVAL data is also available on a per service pack basis, and we offer OVAL data also bzip2 compressed.
All available OVAL files, also for past products, can be browsed on this direct link: https://ftp.suse.com/pub/projects/security/oval/
How to use
A sample call to run is:
oscap oval eval suse.linux.enterprise.15.xml
which will list true/false for each definition. You can also generate HTML and OVAL result XML output:
oscap oval eval –-results result.html –-report result.xml suse.linux.enterprise.15.xml