Qualified Security Advisory Reference (mod_sec)

Abstract

This document provides information for the mod_sec XML format.

In order to gather the information and perform the relationship between the gathered information, it is necessary to improve the method of the security information sharing. If the security information is machine readable, many Internet sites can reduce the cost of information gathering. Our security information sharing proposes the XML formats as to approach solving these problems. JVNRSS (http://jvndb.jvn.jp/en/schema/jvnrss.html) is the overview XML format based on RSS with mod_sec and VULDEF (http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/) is the detail XML format.

The classification of JVNRSS and VULDEF

Authors

The members of JVNRSS Feasibility Study Team:

Masato Terada (IPA, JPCERT/CC)
JVN Working Group (JPCERT/CC, IPA)

Version

Latest Version: V2.1 2009-04-28
V2.1 2009-04-28
http://jvndb.jvn.jp/en/schema/mod_sec.html
Publish JVNRSS specification and XML schema on jvndb.jvn.jp.
V2.0 2009-01-05
http://jvnrss.ise.chuo-u.ac.jp/jtg/mod_sec/2.0/
V2.0 supports XML Schema file (mod_sec_2.0.xsd).
Tags deleted: <sec:category>, <sec:hierarchy>
V1.0 2008-05-19
http://jvnrss.ise.chuo-u.ac.jp/jtg/mod_sec/1.0/ (in Japanese)
New tags added: <sec:cpe-item>
V1.0beta 2007-06-30
http://jvnrss.ise.chuo-u.ac.jp/jtg/mod_sec/1.0b/ (in Japanese)
New tags added: <sec:category>, <sec:cvss>, <sec:hierarchy>
V1.0alpha 2005-10-31
http://jvnrss.ise.chuo-u.ac.jp/jtg/mod_sec/1.0a/

Status

Proposed

Comments should be directed to the JVN Working Group.

Rights

Copyright © 2005 - 2009 by the Authors.

Permission to use, copy, modify and distribute the mod_sec Specification and its accompanying documentation for any purpose and without fee is hereby granted in perpetuity, provided that the above copyright notice and this paragraph appear in all copies. The copyright holders make no representation about the suitability of the specification for any purpose. It is provided "as is" without expressed or implied warranty.

This copyright applies to the mod_sec Specification and accompanying documentation and does not extend to the mod_sec format itself.

Table of Contents

1. Overview
2. Namespace Declarations and XML Schema
3. Syntax
3.1 <sec:references>
3.2 <sec:identifier>
3.3 <sec:cvss>
3.4 <sec:cpe-item>
4. Examples
4.1 JVNRSS 2.0 = (RSS 1.0 + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>)
4.2 RSS 2.0 + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>
4.3 Atom + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>
5. Resources
6. Acknowledgements



1. Overview

This document describes RSS Extension of security information distribution, and definition of the tags for RSS 1.0, 2.0 and Atom.



2. Namespace Declarations and XML Schema


2.1 Namespace Declarations

xmlns:sec="http://jvn.jp/rss/mod_sec/"


2.2 XML Schema

http://jvndb.jvn.jp/schema/mod_sec_2.0.xsd



3. Syntax


3.1 <sec:references>

sec:references is an element for a best reference (CVE, CERT Advisory, CERT Vulnerability Note, US-CERT Technical Alert etc.) to a related security information.

Syntax:

%name, %id, %ResourceReference
<sec:references source="%name" id="%id">%ResourceReference</sec:references>

%name, %id
<sec:references source="%name" id="%id"></sec:references>

%ResourceReference
<sec:references>%ResourceReference</sec:references>

%nameAn attribute is abbreviation name which provide the best reference, such as CVE, JPCERT, CERT, CIAC, BID, CERT-VN, MS, OSVDB, XF etc.
%idAn attribute is the unique identifier assigned by sec:source, such as VU#105259, MS01-044, CVE-2001-0525, CA-2001-14, TA05-111A etc.
%ResourceReferenceAn entity value is a URI reference to a resource.

 

Best references for security information Assigned %name Example of %id
AUSCERT AUSCERT AA-2004.02
AL-2007.0015
CIAC Bulletins/DOE-CIRC Technical Bulletin CIAC R-125
Common Vulnerabilities and Exposures (CVE) CVE CVE-2005-2177
Common Weakness Enumeration (CWE) CWE
FrSIRT Advisories FRSIRT FrSIRT/ADV-2006-4654
IBM ISS X-Force Database XF 29338
IBM ISS Security Alerts and Advisories ISS 233
IBM X-Force Alerts and Advisories ISSKK 240
IPA Security Center Alerts IPA 20061011-ms06-063
IPA Security Center IPA-VUL JVN#34522909
JVN_34522909
IPA Common Weakness Enumeration (CWE) CWE-IPA
JPCERT Alerts JPCERT-AT JPCERT-AT-2006-0017
JPCERT Report JPCERT-WR JPCERT-WR-2003-2901
JVN JVN JVN#34522909
JVNVU#209376
JVNTA06-312A
NISCC-172003
JVN iPedia JVNDB JVNDB-2009-000015
JVN Status Tracking Notes JVNTR TRTA06-312A
National Vulnerability Database (NVD) NVD CVE-2005-2177
NISCC Vulnerability Advisory/CPNI NISCC 144154/NISCC/DNS
729618/NISCC/PARASITIC-KEYS
Open Source Vulnerability Database (OSVDB) OSVDB 29788
Open Vulnerability and Assessment Language (OVAL) OVAL 3989
@police topics CYBPO-JP
The SANS Institute Diary SANS 1290
Secunia Advisory SECUNIA SA15930
Security Focus BID 14168
SecurityTracker SECTRACK 1017288
SecuriTeam SECTEAM 6W00L00C1S
CERT Advisory CERT CA-2003-04
US-CERT Cyber Security Alerts CERT-SA SA06-275A
US-CERT Vulnerability Note CERT-VN VU#884076
US-CERT Technical Cyber Security Alert CERT-TA TA06-312A
Other Other Other


3.2 <sec:identifier>

sec:identifier is an element for the unique identifier assigned by vendor.

Syntax:

<sec:identifier>%id</sec:identifier>

%idAn attribute is the unique identifier assigned by vendor, such as "Cisco Security Advisory ID#50960", HPSBMA01234 etc.


3.3 <sec:cvss>

sec:cvss is an element for the vector and the severity calculated by CVSS (Common Vulnerability Scoring System).

Syntax:

<sec:cvss version="%version" severity="%severity" score="%score" vector="(%vector)" />

%versionCVSS version
1.0 CVSS 1.0
2.0 CVSS 2.0
%severitySeverity is determined by the Common Vulnerability Scoring System (CVSS).
Low Low (%score=0.0-3.9)
Medium Medium (%score=4.0-6.9)
High High (%score=7.0-10.0)
%scoreScore is the overall impact of the vulnerability calculated by %vector.
%vectorEach metric in the vector consists of the abbreviated metric name, followed by a ":" (colon), then the abbreviated metric value. The vector lists these metrics in a predetermined order, using the "/" (slash) character to separate the metrics.

CVSS 1.0
Base Metrics
AV:[L,R]/AC:[H,L]/Au:[R,NR]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/B:[N,C,I,A]/
Temporal Metrics
E:[U,P,F,H]/RL:[O,T,W,U]/RC:[U,Co,C]/
Environmental Metrics
CDP:[N,L,M,H]/TD:[N,L,M,H]

CVSS 2.0
Base Metrics
AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]/
Temporal Metrics
E:[U,POC,F,H,ND]/RL:[OF,TF,W,U,ND]/RC:[UC,UR,C,ND]/
Environmental Metrics
CDP:[N,L,LM,MH,H,ND]/TD:[N,L,M,H,ND]/CR:[L,M,H,ND]/IR:[L,M,H,ND]/AR:[L,M,H,ND]


3.4 <sec:cpe-item>

sec:cpe-item is an element for the CPE name, the Vendor name and the Product name.

Syntax:

<sec:cpe-item name="%cpe">
<sec:vname>%vname</sec:vname>
<sec:title>%title</sec:title>
</sec:cpe-item>

%cpeCPE name
%vnameVendor name
%titleProduct name



4. Example


4.1 RSS 1.0 + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>

<?xml version="1.0" encoding="utf-8" ?>
<rdf:RDF 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 
  xmlns="http://purl.org/rss/1.0/" 
  xmlns:dc="http://purl.org/dc/elements/1.1/" 
  xmlns:dcterms="http://purl.org/dc/terms/" 
  xmlns:sec="http://jvn.jp/rss/mod_sec/" 
  xsi:schemaLocation="http://purl.org/rss/1.0/ 
      http://jvndb.jvn.jp/schema/jvnrss_2.0.xsd"
>

 <channel rdf:about="http://jvn.jp/rss/jvnJP.rdf">
  <title>JVNRSS Feed</title>
  <link>http://jvn.jp/jp/</link>
  <description>Japan Vulnerability Notes - JP</description>
  <dc:publisher>JVN</dc:publisher>
  <dc:creator>jvn@jvn.jp</dc:creator>
  <dcterms:issued>2005-05-01T08:00+09:00</dcterms:issued>
  <dcterms:modified>2005-06-18T08:23+09:00</dcterms:modified>
  <items>
   <rdf:Seq>
    <rdf:li rdf:resource="http://jvn.jp/jp/JVN12345678" />
    <rdf:li rdf:resource="http://jvn.jp/jp/JVN00ABCDEF" />
   </rdf:Seq>
  </items>
 </channel>

 <item rdf:about="http://jvn.jp/jp/JVN12345678">
  <title>JVN Qualified Security Advisory Reference #12345678</title>
  <link>http://jvn.jp/jp/JVN12345678</link>
  <description>This example is description about Qualified 
               Security advisory Reference #12345678</description>
  <dc:publisher>JVN</dc:publisher>
  <dc:creator>jvn@jvn.jp</dc:creator>
  <sec:identifier>JVN#12345678</sec:identifier>
  <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0522">
   http://www.jpcert.or.jp/at/2005/at050522.txt</sec:references>
  <sec:cpe-item name="cpe:/a:jvn:jvndb">
   <sec:vname>JVN</sec:vname>
   <sec:title>JVN iPedia</sec:title>
  </sec:cpe-item>
  <sec:cvss version="2.0" severity="Medium" score="4.4" 
   vector="(AV:L/AC:M/Au:N/C:P/I:P/A:P)" />
  <dcterms:issued>2005-05-22T14:00+09:00</dcterms:issued>
  <dcterms:modified>2005-06-18T08:23+09:00</dcterms:modified>
 </item>

 <item rdf:about="http://jvn.jp/jp/JVN00ABCDEF">
  <title>JVN Qualified Security Advisory Reference #00ABCDEF</title>
  <link>http://jvn.jp/jp/JVN00ABCDEF</link>
  <description>This example is description about Qualified 
               Security Advisory Reference #00ABCDEF</description>
  <dc:publisher>JVN</dc:publisher>
  <dc:creator>jvn@jvn.jp</dc:creator>
  <sec:identifier>JVN#00ABCDEF</sec:identifier>
  <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0501">
   http://www.jpcert.or.jp/at/2005/at050501.txt</sec:references>
  <sec:references source="IPA-VUL" id="JVN_00ABCDEF">
   http://www.ipa.go.jp/security/vuln/JVN_00ABCDEF.html</sec:references>
  <sec:cpe-item name="cpe:/a:jvn:jvn">
   <sec:vname>JVN</sec:vname>
   <sec:title>JVN</sec:title>
  </sec:cpe-item>
  <sec:cvss version="2.0" severity="Low" score="1.2" 
   vector="(AV:L/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C)" />
  <dcterms:issued>2005-05-01T08:00+09:00</dcterms:issued>
  <dcterms:modified>2005-05-31T22:22+09:00</dcterms:modified>
 </item>

</rdf:RDF>


4.2 RSS 2.0 + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>

<?xml version="1.0" encoding="utf-8" ?>
<rss version="2.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
     xmlns:sec="http://jvn.jp/rss/mod_sec/" 
     xsi:noNamespaceSchemaLocation="http://www.thearchitect.co.uk/schemas/rss-2_0.xsd"
     xsi:schemaLocation="http://jvn.jp/rss/mod_sec/ 
         http://jvndb.jvn.jp/schema/mod_sec_2.0.xsd">

 <channel>
  <title>JVNRSS Feed</title>
  <link>http://jvn.jp/jp/</link>
  <description>JP Vendor Status Notes - JP</description>
  <pubDate>Sun, 01 May 2005 08:00:00 +0900</pubDate>
  <lastBuildDate>Sat, 18 Jun 2005 08:23:00 +0900</lastBuildDate>

  <item>
   <title>JVN Qualified Security Advisory Reference #12345678</title>
   <link>http://jvn.jp/jp/JVN%2312345678</link>
   <description>This example is description about Qualified 
                Security Advisory Reference #12345678</description>
   <author>JVN@jvn.jp</author>
   <pubDate>Sat, 18 Jun 2005 08:23:00 +0900</pubDate>
   <sec:identifier>JVN#12345678</sec:identifier>
   <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0522">
    http://www.jpcert.or.jp/at/2005/at050522.txt</sec:references>
   <sec:cpe-item name="cpe:/a:jvn:jvndb">
    <sec:vname>JVN</sec:vname>
    <sec:title>JVN iPedia</sec:title>
   </sec:cpe-item>
   <sec:cvss version="2.0" severity="Medium" score="4.4" 
    vector="(AV:L/AC:M/Au:N/C:P/I:P/A:P)" />
  </item>

  <item>
   <title>JVN's Qualified Security Advisory Reference #00ABCDEF</title>
   <link>http://jvn.jp/jp/JVN%2300ABCDEF</link>
   <description>This example is description about Qualified 
                Security Advisory Reference #00ABCDEF</description>
   <author>JVN@jvn.jp</author>
   <pubDate>Tue, 31 May 2005 22:22:00 +0900</pubDate>
   <sec:identifier>JVN#00ABCDEF</sec:identifier>
   <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0501">
    http://www.jpcert.or.jp/at/2005/at050501.txt</sec:references>
   <sec:references source="IPA-VUL" id="JVN_00ABCDEF">
    http://www.ipa.go.jp/security/vuln/JVN_00ABCDEF.html</sec:references>
   <sec:cpe-item name="cpe:/a:jvn:jvn">
    <sec:vname>JVN</sec:vname>
    <sec:title>JVN</sec:title>
   </sec:cpe-item>
   <sec:cvss version="2.0" severity="Low" score="1.2" 
    vector="(AV:L/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C)" />
  </item>

 </channel>
</rss>


4.3 Atom + <sec:references> , <sec:identifier> , <sec:cvss> and <sec:cpe-item>

<?xml version="1.0" encoding="utf-8" ?>
<feed xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xmlns="http://www.w3.org/2005/Atom"
      xmlns:sec="http://jvn.jp/rss/mod_sec/"
      xsi:schemaLocation="http://www.w3.org/2005/Atom 
          http://www.kbcafe.com/rss/atom.xsd.xml
          http://jvn.jp/rss/mod_sec/ 
          http://jvndb.jvn.jp/schema/mod_sec_2.0.xsd">

 <id>http://jvn.jp/jp/</id>
 <title>JVNRSS Feed</title>
 <link rel="alternate" type="text/html" href="http://jvn.jp/jp/"/>
 <link rel="self" type="application/atom+xml" href="http://jvn.jp/jp/index.atom"/>
 <subtitle>JP Vendor Status Notes - JP</subtitle>
 <updated>2005-06-18T08:23:00+09:00</updated>
 <author>
  <name>JVN</name>
  <email>jvn@jvn.jp</email>
  <uri>http://jvn.jp/</uri>
 </author>

 <entry>
  <title>JVN Qualified Security Advisory Reference #12345678</title>
  <link rel="alternate" type="text/html" href="http://jvn.jp/jp/JVN%2312345678"/>
  <id>http://jvn.jp/jp/JVN%2312345678</id>
  <summary type="text">This example is description about Qualified 
                       Security Advisory Reference #12345678</summary>
  <published>2005-05-22T14:00:00+09:00</published>
  <updated>2005-06-18T08:23:00+09:00</updated>
  <author>
   <name>JVN</name>
   <email>jvn@jvn.jp</email>
   <uri>http://jvn.jp/</uri>
  </author>
  <sec:identifier>JVN#12345678</sec:identifier>
  <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0522">
   http://www.jpcert.or.jp/at/2005/at050522.txt</sec:references>
  <sec:cpe-item name="cpe:/a:jvn:jvndb">
   <sec:vname>JVN</sec:vname>
   <sec:title>JVN iPedia</sec:title>
   </sec:cpe-item>
  <sec:cvss version="2.0" severity="Medium" score="4.4" 
   vector="(AV:L/AC:M/Au:N/C:P/I:P/A:P)" />
 </entry>

 <entry>
  <title>JVN's Qualified Security Advisory Reference 02</title>
  <link rel="alternate" type="text/html" href="http://jvn.jp/jp/JVN%2300ABCDEF"/>
  <id>http://jvn.jp/jp/JVN%2300ABCDEF</id>
  <summary type="text">This example is description about Qualified 
                       Security Advisory Reference #00ABCDEF</summary>
  <published>2005-05-01T08:00:00+09:00</published>
  <updated>2005-05-31T22:00:00+09:00</updated>
  <author>
   <name>JVN</name>
   <email>jvn@jvn.jp</email>
   <uri>http://jvn.jp/</uri>
  </author>
  <sec:identifier>JVN#00ABCDEF</sec:identifier>
  <sec:references source="JPCERT-AT" id="JPCERT-AT-2005-0501">
   http://www.jpcert.or.jp/at/2005/at050501.txt</sec:references>
  <sec:references source="IPA-VUL" id="JVN_00ABCDEF">
   http://www.ipa.go.jp/security/vuln/JVN_00ABCDEF.html</sec:references>
  <sec:cpe-item name="cpe:/a:jvn:jvn">
   <sec:vname>JVN</sec:vname>
   <sec:title>JVN</sec:title>
  </sec:cpe-item>
  <sec:cvss version="2.0" severity="Low" score="1.2" 
   vector="(AV:L/AC:H/Au:N/C:P/I:N/A:N/E:H/RL:U/RC:C)" />
 </entry>

</feed>



5. Resources



6. Acknowledgements

JVNRSS Feasibility Study Team thanks the following for working with us for all their continued discussion and input.