<?xml version="1.0" encoding="UTF-8"?>
<!--
== Model: Version 0-4 NetD
== Package: vulnerability
-->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://scap.nist.gov/schema/vulnerability/0.4"
  xmlns:scap-core="http://scap.nist.gov/schema/scap-core/0.1"
  xmlns:cve="http://scap.nist.gov/schema/cve/0.1"
  xmlns:cce="http://scap.nist.gov/schema/cce/0.1"
  xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2"
  xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
  xmlns:patch="http://scap.nist.gov/schema/patch/0.1"
  xmlns:xml="http://www.w3.org/XML/1998/namespace"
  targetNamespace="http://scap.nist.gov/schema/vulnerability/0.4"
  elementFormDefault="qualified" attributeFormDefault="unqualified"
  version="0.4">
  <xsd:import namespace="http://scap.nist.gov/schema/scap-core/0.1" schemaLocation="scap-core_0.1.xsd"/>
  <xsd:import namespace="http://scap.nist.gov/schema/cve/0.1" schemaLocation="cve_0.1.xsd"/>
  <xsd:import namespace="http://scap.nist.gov/schema/cce/0.1" schemaLocation="cce_0.1.xsd"/>
  <xsd:import namespace="http://scap.nist.gov/schema/cvss-v2/0.2" schemaLocation="cvss-v2_0.2.xsd"/>
  <xsd:import namespace="http://cpe.mitre.org/language/2.0" schemaLocation="cpe-language_2.1.xsd"/>
  <xsd:import namespace="http://scap.nist.gov/schema/patch/0.1" schemaLocation="patch_0.1.xsd"/>
  <xsd:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="../common/xml.xsd"/>
  <!-- ================================================== -->
  <!-- =====  Element Declarations  -->
  <!-- ================================================== -->
  <!-- The only globally declared element of this schema: one vulnerability record (see vulnerabilityType). -->
  <xsd:element name="vulnerability" type="vulnerabilityType"/>
  <!-- ================================================== -->
  <!-- =====  Simple Type Definitions  -->
  <!-- ================================================== -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Fix_Action_Description_List  <<simpleType>>  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="fixActionDescriptionEnumType">
    <xsd:annotation>
      <xsd:documentation>The kind of change a fix action makes.  Carried by the required fix_action_description attribute of fixActionType, which is intended to cover a single patch application, software update, configuration change, or external fix; POLICY_CHANGE is an additional value not mentioned in that description.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="PATCH"/>
      <xsd:enumeration value="SOFTWARE_UPDATE"/>
      <xsd:enumeration value="CONFIGURATION_CHANGE"/>
      <xsd:enumeration value="POLICY_CHANGE"/>
      <xsd:enumeration value="EXTERNAL_MITIGATION"/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Fix_Action_Type_List  <<simpleType>>  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="fixActionTypeEnumType">
    <xsd:annotation>
      <xsd:documentation>Whether a fix action is a mitigation or a remediation.  Carried by the required fix_action_type attribute of fixActionType.  The schema does not define the two values further; how much risk the action removes is expressed separately by the effectiveness element of fixActionType.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="MITIGATION"/>
      <xsd:enumeration value="REMEDIATION"/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Fix_Effectiveness_List  <<simpleType>>  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="fixEffectivenessEnumType">
    <xsd:annotation>
      <xsd:documentation>How far a fix action addresses the vulnerability, as carried by the effectiveness element of fixActionType: COMPLETE when the action fully avoids the associated risk, PARTIAL when it only reduces that risk to some extent.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="PARTIAL"/>
      <xsd:enumeration value="COMPLETE"/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability_Reference_Category_List  <<simpleType>>  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="vulnerabilityReferenceCategoryEnumType">
    <xsd:annotation>
      <xsd:documentation>Category of a vulnerability reference, carried by the required reference_type attribute of vulnerabilityReferenceType.  UNKNOWN is the value to use when the category cannot be determined.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="PATCH"/>
      <xsd:enumeration value="VENDOR_ADVISORY"/>
      <xsd:enumeration value="THIRD_PARTY_ADVISORY"/>
      <xsd:enumeration value="SIGNATURE_SOURCE"/>
      <xsd:enumeration value="MITIGATION_PROCEDURE"/>
      <xsd:enumeration value="TOOL_CONFIGURATION_DESCRIPTION"/>
      <xsd:enumeration value="UNKNOWN"/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Security_Protection  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="securityProtectionType">
    <xsd:annotation>
      <xsd:documentation>The security protection type: which kind of access the vulnerability allows to be gained.  Carried by the optional security-protection element of vulnerabilityType.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="ALLOWS_ADMIN_ACCESS">
        <xsd:annotation>
          <xsd:documentation>gain administrative access</xsd:documentation>
        </xsd:annotation>
      </xsd:enumeration>
      <xsd:enumeration value="ALLOWS_USER_ACCESS">
        <xsd:annotation>
          <xsd:documentation>gain user access</xsd:documentation>
        </xsd:annotation>
      </xsd:enumeration>
      <xsd:enumeration value="ALLOWS_OTHER_ACCESS">
        <xsd:annotation>
          <xsd:documentation>gain some access other than administrative or user access</xsd:documentation>
        </xsd:annotation>
      </xsd:enumeration>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ================================================== -->
  <!-- =====  Complex Type Definitions  -->
  <!-- ================================================== -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Associated_Exploit_Location  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="associatedExploitLocationType">
    <xsd:annotation>
      <xsd:documentation>Boolean flags characterising the location of an associated exploit; used by the exploit-location element of osvdbExtensionType.  Every flag is optional.  Note that an XSD element default is applied only when the element is present with empty content, so an absent flag yields no value rather than "false".</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="physical-access" minOccurs="0" default="false" type="xsd:boolean"/>
      <xsd:element name="voluntarily-interact" minOccurs="0" default="false" type="xsd:boolean"/>
      <xsd:element name="dialup" minOccurs="0" default="false" type="xsd:boolean"/>
      <xsd:element name="unknown" minOccurs="0" default="false" type="xsd:boolean"/>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Fix_Action  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
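  <xsd:complexType name="fixActionType">
    <xsd:annotation>
      <xsd:documentation>A single fix action should only cover a single patch application, software update, configuration change, or external fix.  Dependencies should be documented by using the "next-fix-action" element to point to a recursive list of fix actions.</xsd:documentation>
      <xsd:documentation>Identity: the id and source attributes are documented as forming a global identifier, but this schema declares no xsd:key or xsd:unique constraint, so uniqueness is not enforced by validation and must be checked by the producer or consumer.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element ref="patch:patch" minOccurs="0"/>
      <xsd:element name="configuration-remediation" type="vulnerabilityReferenceType" minOccurs="0"/>
      <xsd:element name="software-update" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>CPE name of the software update package.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="notes" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
      <!-- CPE name pattern; presumably names what supersedes this fix action, but the model does not say so here. -->
      <xsd:element name="deprecated-by" type="scap-core:cpeNamePatternType" minOccurs="0" maxOccurs="unbounded"/>
      <!-- Recursive: the dependent fix actions that follow this one (see the type documentation). -->
      <xsd:element name="next-fix-action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="fix-action-tool-configuration" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded"/>
      <!-- CPE language platform expressions describing the configurations this fix action applies to. -->
      <xsd:element name="applicable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="effectiveness" type="fixEffectivenessEnumType" minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="applicable-check" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Describes or points to the check/test (either OVAL or other) that this particular fix action addresses, e.g. applying this fix will change the result of that test.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
    <xsd:attribute name="fix_action_description" type="fixActionDescriptionEnumType" use="required"/>
    <xsd:attribute name="fix_action_type" type="fixActionTypeEnumType" use="required"/>
    <xsd:attribute name="id" type="xsd:token" use="required">
      <xsd:annotation>
        <xsd:documentation>Unique value within the source.  Will be used with the source attribute to serve as a global unique identifier.</xsd:documentation>
      </xsd:annotation>
    </xsd:attribute>
    <xsd:attribute name="source" type="xsd:anyURI" use="required">
      <xsd:annotation>
        <xsd:documentation>Should be URI-like, e.g. an inverted DNS name such as mil.jtf-gno.  Note that xsd:anyURI also accepts relative references, so such scheme-less values validate.</xsd:documentation>
      </xsd:annotation>
    </xsd:attribute>
  </xsd:complexType>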
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  OSVDB_Extension  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="osvdbExtensionType">
    <xsd:annotation>
      <xsd:documentation>OSVDB-specific extension data for a vulnerability (the osvdb-ext element of vulnerabilityType).  Its only content is the exploit-location flags, which are required whenever the extension is present.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="exploit-location" type="associatedExploitLocationType"/>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Tool_Configuration  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
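  <xsd:complexType name="toolConfigurationType">
    <xsd:annotation>
      <xsd:documentation>A tool (scanner) together with the signature or policy definitions it needs.  Used by the scanner element of vulnerabilityType and the fix-action-tool-configuration element of fixActionType.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="name" type="scap-core:cpeNamePatternType" minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>The CPE name of the scanning tool.  The element is optional (minOccurs="0") so that an entry consisting only of an OVAL definition can omit the tool name, as described for the scanner element of vulnerabilityType; when present it must carry a CPE name.  The CPE name can be one from the NVD; the CPE title attribute can be used for internal naming conventions (or both, if possible).</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="definition" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Defines a required signature or policy definition that must be installed on the tool.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>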
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  CWE Reference  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="cweReferenceType">
    <xsd:annotation>
      <xsd:documentation>Reference to a CWE entry, carried by the cwe element of vulnerabilityType.  The element has no content; its required id attribute is constrained by scap-core:cweNamePatternType from the imported scap-core schema.</xsd:documentation>
    </xsd:annotation>
    <xsd:attribute name="id" type="scap-core:cweNamePatternType" use="required"/>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerable Software  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerableSoftwareType">
    <xsd:annotation>
      <xsd:documentation>List of affected products, each given as a CPE name pattern (cpe-lang:namePattern).  At least one product is required (minOccurs defaults to 1) and there is no upper bound.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="product" type="cpe-lang:namePattern" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerabilityType">
    <xsd:annotation>
      <xsd:documentation>A single vulnerability record: identifiers, timeline, CVSS impact, affected software, references, fix actions and the scanners able to detect it.  Every child element is optional; only the id attribute is required.</xsd:documentation>
      <xsd:documentation>TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments.  Add source attribute.  Maybe categorization?</xsd:documentation>
    </xsd:annotation>
    <!-- Child names mix hyphen-case and snake_case (e.g. vulnerable-configuration vs. fix_action); both spellings are part of the published instance format and must be kept as they are. -->
    <xsd:sequence>
      <xsd:element name="osvdb-ext" type="osvdbExtensionType" minOccurs="0"/>
      <xsd:element name="vulnerable-configuration" type="cpe-lang:PlatformType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="vulnerable-software-list" type="vulnerableSoftwareType" minOccurs="0"/>
      <!-- At most one external identifier: either a CVE or a CCE name. -->
      <xsd:choice minOccurs="0">
        <xsd:element name="cve-id" type="cve:cveNamePatternType"/>
        <xsd:element name="cce-id" type="cce:cceNamePatternType"/>
      </xsd:choice>
      <!-- Timeline; all values are xsd:dateTime. -->
      <xsd:element name="discovered-datetime" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="disclosure-datetime" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="exploit-publish-datetime" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="published-datetime" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="last-modified-datetime" type="xsd:dateTime" minOccurs="0"/>
      <xsd:element name="cvss" type="cvssv2:cvssImpactType" minOccurs="0"/>
      <xsd:element name="security-protection" type="securityProtectionType" minOccurs="0"/>
      <xsd:element name="assessment_check" type="scap-core:checkReferenceType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="cwe" type="cweReferenceType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="references" type="vulnerabilityReferenceType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="fix_action" type="fixActionType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="scanner" type="toolConfigurationType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability.  May also be an OVAL definition and omit scanner name.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="summary" type="xsd:string" minOccurs="0"/>
      <xsd:element name="technical_description" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded"/>
      <xsd:element name="attack_scenario" type="scap-core:referenceType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>This element should ultimately be held in a threat model.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
    <!-- vulnerabilityIdType is an unconstrained token: the schema neither fixes an id format nor enforces uniqueness. -->
    <xsd:attribute name="id" type="vulnerabilityIdType" use="required"/>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability_Reference  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerabilityReferenceType">
    <xsd:annotation>
      <xsd:documentation>TODO: revisit referenceType and textType</xsd:documentation>
      <xsd:documentation>Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is.  See "Vulnerability_Reference_Category_List" enumeration.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="source" type="xsd:string" minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>TODO: determine purpose</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <!-- The underlying scap-core reference; the only required child. -->
      <xsd:element name="reference" type="scap-core:referenceType"/>
      <xsd:element name="notes" type="scap-core:notesType" minOccurs="0"/>
    </xsd:sequence>
    <!-- Language of the reference; an attribute default applies when the attribute is absent, so this defaults to "en". -->
    <xsd:attribute ref="xml:lang" default="en"/>
    <xsd:attribute name="reference_type" type="vulnerabilityReferenceCategoryEnumType" use="required"/>
    <!-- No default: an absent deprecated attribute carries no value rather than "false". -->
    <xsd:attribute name="deprecated" type="xsd:boolean"/>
  </xsd:complexType>
  
  <xsd:simpleType name="vulnerabilityIdType">
    <xsd:annotation>
      <xsd:documentation>Identifier of a vulnerability record (the id attribute of vulnerabilityType).  Currently an unconstrained xsd:token: no pattern is imposed and the schema does not enforce uniqueness, so consumers should not assume a particular id format and should check for duplicates themselves.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token"/>
  </xsd:simpleType>
</xsd:schema>