SCAP deals with finding known vulnerabilities or configuration problems on live networks, not the results of an ad hoc analysis of a single software package. NIST's SAMATE project might have exchange formats on a to-do list somewhere, but I'm not deeply involved in that project except as it relates to CWE. Certainly, an exchange format would be very useful for collating (or comparing) results from multiple tools, which also might be its greatest barrier to vendor acceptance based on competitive reasons.
- Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________