On Oct/11, Philippe Thierry wrote:
> The current Debian OVAL files title field contains the reference id,
> making it redundant with the reference ref_id field. As a consequence,
> the resulting report doesn't show the affected software. Is it
> possible to show the software name in the title field, as CIS does in
> its OVALRepo for the DSA?

There are 2 main reasons the title field is a CVE ID:

- there could be multiple affected source packages
- our OVAL files are by definition a list of *vulnerabilities*

The list of affected *source packages* for each vulnerability can be
accessed, together with the vulnerable versions, in the "Release section"
criteria entries. A more simple "product" field, under "affected", is
also available.

Looking around the OVAL horizon, RedHat's exports[1] are a list of
id=patch (basically a list of Red Hat Security Announcements), which
allows them to bundle the package name in their title. We prefer to
expose every single vulnerability affecting Debian, whether a DSA was
issued for it or not, and therefore our current format is pretty
identical to what SuSE[1] exports.

Cheers,
--Seb

[1] https://www.redhat.com/security/data/oval/
[2] http://support.novell.com/security/oval/
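
An added example, not part of the original message or of Debian's tooling: a report generator can build a readable title itself by reading the "product" entries under "affected" and the criterion comments under the "Release section" criteria. The sample document, its placeholder CVE id, the package names and the function names are constructed for illustration, and the element layout is assumed to follow the OVAL 5 definitions schema.

```python
import xml.etree.ElementTree as ET

OVAL = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS = {"oval": OVAL}

# Constructed sample: placeholder CVE id and package names, not real data.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition class="vulnerability" id="oval:org.debian:def:1" version="1">
      <metadata>
        <title>CVE-0000-0001</title>
        <affected family="unix">
          <platform>Debian GNU/Linux</platform>
          <product>examplepkg</product>
          <product>examplepkg-legacy</product>
        </affected>
        <reference ref_id="CVE-0000-0001" source="CVE"/>
      </metadata>
      <criteria comment="Release section" operator="AND">
        <criterion comment="examplepkg DPKG is earlier than 1.2-3" test_ref="oval:org.debian:tst:1"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""

def summarize(xml_text):
    """Return one dict per definition: title, affected products, version checks."""
    rows = []
    for d in ET.fromstring(xml_text).iterfind(".//oval:definition", NS):
        meta = d.find("oval:metadata", NS)
        products = [p.text for p in meta.iterfind("oval:affected/oval:product", NS)]
        checks = []
        # Criteria blocks can be nested, so walk all of them and keep the
        # criterion comments found under any "Release section" block.
        for crit in d.iter("{%s}criteria" % OVAL):
            if crit.get("comment") == "Release section":
                checks += [c.get("comment") for c in crit.iter("{%s}criterion" % OVAL)]
        rows.append({"title": meta.findtext("oval:title", namespaces=NS),
                     "products": products, "checks": checks})
    return rows

def report_title(row):
    """Combine the CVE-id title with the affected product names."""
    return "%s (%s)" % (row["title"], ", ".join(row["products"]) or "no product listed")

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(report_title(row), row["checks"])
```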