OVAL Repository Transition


Adam Montville-2


As stated in a previous message to the OVAL developer and discussion lists (see this forum entry), the OVAL Board, in cooperation with DHS and in communication with top contributors, has been planning for and taking steps to:

  • Make OVAL a community-run and community-sponsored program, independent of direct U.S. Government sponsorship

  • Make governance and content management more responsive and transparent

  • Upgrade the tools, technologies and processes based on lessons learned over the past decade

In brief, the MITRE repository will be replaced by the CIS repository, and the CIS repository, while maintaining existing views into the data it contains, will also offer an improved way of working. The transition team is taking lessons learned from MITRE and working to create an improved OVAL repository. All top contributors have committed to contribute to the new OVAL Repository, and it has been designed to minimize disruption for existing content users. Details about the new repository will be posted to the OVAL mailing lists over the next few weeks.

The Concept

The CIS repository will consist of a GitHub repository and a set of Web pages hosted at github.io.  The GitHub repository will hold all the “raw” data.  Packages and other expected artifacts will be available via the set of Web pages.

  • All content in the MITRE repository will be put into CIS’ GitHub repository.

  • Each categorical OVAL element (i.e. definition, test, object, state, variable) will be in its own file and organized in folders.

  • The repository will contain a set of software tools to perform content validation, build complete OVAL definitions files, and so on.

Impact to Contributors and Consumers

In effect, CIS becomes the new moderator of the content, but we expect to automate much of the submission process in a manner that suits a style of community-based management.  

In general, contributors will be expected to:

  1. Clone/fork the CIS repository to have your own copy

  2. Make changes

  3. Submit a “pull request”

At that point, CIS (or an automated process) will comment on or accept the pull-request [1].  It is expected that much about the submission process will remain the same, but be on the lookout for details coming soon.

Consumers of the repository content, on the other hand, will have two options:

  1. Custom Build: advanced users can fork the repo and use scripts that will be included to build definitions. Scripts will also be included that can be used to create larger packages, such as an OVAL definitions file for all Windows content or all Windows vulnerability content, etc.

  2. Download from Site: there will also be a website associated with the repository offering search and download features much like the current website, so users will be able to browse the repository contents and download individual definitions as well as packages.

Anticipated Timeline

  • July 10 - Experimental CIS OVAL Repository available

  • July 15 - CIS OVAL Repository submission process details proposed

  • July 20 - CIS OVAL Repository website to be available for testing by content consumers

  • July 20 - CIS OVAL Repository submission process details revised (if necessary)

  • July 31 - MITRE OVAL Repository stops accepting submissions

  • August 1 - CIS OVAL Repository submission process begins

Comments and Questions

Please feel free to post comments or questions regarding this transition to the [hidden email] or the [hidden email].


[1] The transition team and CIS are presently defining the workflow for processing submissions.
