1.examples.md

Examples

This document includes examples of repositories, content and user stories that we intend our work to address in Phases I and II.

These lists are not intended to be exhaustive or prioritized. They should--at least--be representative of the various types of sources and capabilities that our members know they would like to address.

So... if there's something you want this project to address and there's nothing like it on these lists... please tell us via the mailing list!

Phase I: OVAL/XCCDF Automation

Example Phase I Repositories

Examples of actual SCAP repositories that we intend our proposal to address in Phase I:

• OVAL Repositories (vulnerability feeds)
  • OVAL Repository
  • RHEL CVE OVAL
  • Oracle Linux CVE OVAL
  • Ubuntu CVE OVAL
  • SUSE CVE OVAL
  • Debian CVE OVAL
• XCCDF/OVAL Repositories (compliance benchmarks)
  • DISA STIG SCAP Repository
  • Compliance as Code: SCAP Security Guide
  • CIS Benchmarks
  • NIST USGCB

Example Phase I Content

Examples actual SCAP content feeds/packages that we intend our proposal to address in Phase I:

• OVAL Definitions
  • Microsoft Windows 10 CVE Feed
  • RHEL 7 CVE Feed
  • Cisco IOS CVE Feed
  • Red Hat Bug Advisory OVAL: rhbs-20070026
  • Ubuntu Bionic CVE Feed (bz2)
• XCCDF Benchmarks with OVAL Definitions (SCAP 1.2 Datastream)
  • Microsoft Windows Server 2016 STIG Benchmark - Ver 1, Rel 9 (zipped)
  • SCAP Security Guide v0.1.44 (zip of several datastreams)
• XCCDF Benchmarks with OVAL Definitions (SCAP 1.1 Bundle)
  • AIX 6.1 STIG-Benchmark - Ver 1, Rel 9

Example Phase I Stories

Examples of user stories we intend our proposal to support in Phase I:

• Automated Identification of Repository Metadata

  • Repository host organization, repository name, repository description

• Automated CVE OVAL Content Discovery

  • Identify platforms and applications covered by CVE OVAL content in repository
  • Identify CVEs and vendor advisories covered by CVE OVAL content in repository
  • Identify content source and license

• Automatied CVE OVAL Content Retrieval

  • Download SCAP .xml package with all CVE content for a single platform or platform/application
  • Download SCAP .xml package with all CVE content for specific CVE(s) and/or advisories on a single platform
  • Determine whether package has been updated since last download

• Automated XCCDF/OVAL Package Discovery

  • Discover list of available packages
  • For each package, determine:
    • Platform, application, use case
    • Title, description, author, license, version, format and packaging format
    • ID that should remain the same even as package is versioned and metedata revised

• Automated XCCDF/OVAL Package Retrieval

  • Download SCAP packages for specific platform, application, use case and/or ID
  • Determine whether package has been updated since last download

Phase II: Broader SCAP v2

Example Phase II Repositories

Examples of actual and notional SCAP repositories that we intend our proposal to address in Phase II:

• National Vulnerability Database
• SWID Repositories TBD

Example Phase II Content

Examples actual and notional SCAP content feeds/packages that we intend our proposal to address in Phase II:

• NVD JSON/XML Vulnerability Feeds
• NVD CPE Dictionary
• SWID Feeds TBD

Example Phase II Stories

Examples of user stories we intend our proposal to support in Phase II:

• Single Known Content/Infrequent or Manual Access

  • The user knows what singular piece (or pieces) of content they need, and are searching the repository to find it. They will download it once, and only rarely (if ever) seek to redownload or update later.
  • To support this story, our proposal needs to contain information that serves to identify unique pieces of content, and to make it possible for tools to search for this information.

• Many Known Content/Infrequent or Manual Access

  • Same as above, but user is looking for a large group of content (Maybe packaged into an archive, maybe not)
  • Might not imply any additional requirements, beyond containing information that supports a batch search or batch download

• Unknown Content/Infrequent or Manual Access

  • The user is simply browsing the repository with some criteria in mind, but without a known concrete piece of content.
  • To support this story, our proposal needs parsable (by human or tool) and meaningful metadata that can be browsed freely

• Single Known Content/Frequent or Automated Access

  • The user knows what singular piece (or pieces) of content they need, and are searching the repository to find it. The user needs this content to be up to date, and will frequently download or check for updates

• Many Known Content/Frequent or Automated Access

  • Same as above, but user is looking for a large group of content (Maybe packaged into an archive, maybe not)

Status

We have completed our work on this draft for the time being and have moved on to the next milestone. However, if you have any comments or revisiosn to this page, please let us know.