OVAL Content Repositories

OVAL Content Repositories exist to preserve OVAL definitions and make them available for public use. While the CIS Repository is the official repository, others exist that contain content specific to operating systems, applications, and software vendors.


Below is a list of additional known OVAL repositories.


The ALTEX-SOFT repository OVALdb consist of OVAL Definitions that correspond to security advisories/notices/bulletins/compliances for a lot of software vendors. This repository contains OVAL definitions for vulnerabilities, patches, compliances and inventories.

Click here for the ALTEX-SOFT Repository


This page provides OVAL xml content for the latest Ubuntu operating system versions.

Click here for the Ubuntu Repository


The CIS repository is the new official OVAL Repository following the transition away from MITRE. Created August 2015.

Click here for the CIS Repository


The Cisco Security Intelligence Operations repository consists of Cisco security advisories in the standardized Common Vulnerability Reporting Format (CVRF) and includes OVAL Vulnerability Definitions for the Cisco IOS security advisories. Created September 2012.

Click here for the Cisco Repository


The Debian repository of OVAL content consists of OVAL Definitions that correspond to Debian security advisories. Created August 2010.

Click here for the Debian Repository

Defense Information Systems Agency Field Security Operations (DISA FSO)

A repository of Security Technical Implementation Guides (STIGs) in support of Security Content Automation Protocol (SCAP) content and tools. Created: May 2012.

Click here for the DISA FSO Repository

IT Security Database

This site collects OVAL Definitions from sources such as the OVAL Repository, Red Hat, Suse, NVD, Apache, etc., and provides a unified, easy-to-use Web interface to all IT security related items about them including patches, vulnerabilities, and compliance checklists. Created: November 2010.

Click here for the IT Security Database Repository


The Security Content Automation Program (SCAP) is a public free repository of security content to be used for automating technical control compliance activities, vulnerability checking (both application misconfigurations and software flaws), and security measurement. Created January 2007.

Click here for the NIST (SCAP) Repository

Positive Technologies

The Positive Technologies repository of OVAL content consists of OVAL Definitions collected from various sources. Created May 2012. Note that this repository is currently inactive but is being reworked as of October 2018.

Click here for the Positive Technologies Repository


The Red Hat repository of OVAL content consists of OVAL Patch Definitions that correspond to Red Hat Errata security advisories. Created May 2006.

Click here for the Red Hat Repository


SecPod SCAP Feed, also hosted as a repository, is a service providing standardized SCAP content (CVE™, CPE™, CCE™, XCCDF, and OVAL®) for vulnerability, patch, inventory, and compliance management. Created December 2010.

Click here for the SecPod Repository

Security Database

This Web site provides a mirror of the OVAL Repository and links its Alerts to OVAL Definitions when possible. Created February 2012.

Click here for the Security Database Repository


The SUSE Linux Enterprise OVAL Information database is an index of fixed security incidents indexed by product, RPM package name and version for use in security compliance checking. Created July 2010.

Click here for the SUSE Repository

Updating the List

To make changes to this list; to be added, removed, or have existing content modified,