SCAP deals with finding known vulnerabilities or configuration problems on
live networks, not the results of an ad hoc analysis of a single software
package.  NIST's SAMATE project might have exchange formats on a to-do
list somewhere, but I'm not deeply involved in that project except as it
relates to CWE.  Certainly, an exchange format would be very useful for
collating (or comparing) results from multiple tools, which also might be
its greatest barrier to vendor acceptance based on competitive reasons.

- Steve
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to