Below is a list of additional known OVAL repositories.

The ALTEX-SOFT repository OVALdb consist of OVAL Definitions that correspond to security advisories/notices/bulletins/compliances for a lot of software vendors. This repository contains OVAL definitions for vulnerabilities, patches, compliances and inventories.

Repository: http://www.ovaldb.altx-soft.ru/


This page provides OVAL xml content for the latest Ubuntu operating system versions.

Repository: https://people.canonical.com/~ubuntu-security/oval/


The CIS repository is the new official OVAL Repository following the transition away from MITRE. Created August 2015.

Repository: https://oval.cisecurity.org/repository


The Cisco Security Intelligence Operations repository consists of Cisco security advisories in the standardized Common Vulnerability Reporting Format (CVRF) and includes OVAL Vulnerability Definitions for the Cisco IOS security advisories. Created September 2012.

Repository: https://tools.cisco.com/security/center/publicationListing.x


The Debian repository of OVAL content consists of OVAL Definitions that correspond to Debian security advisories. Created August 2010.

Repository: https://www.debian.org/security/oval/


Defense Information Systems Agency Field Security Operations (DISA FSO)

A repository of Security Technical Implementation Guides (STIGs) in support of Security Content Automation Protocol (SCAP) content and tools. Created: May 2012.

Repository: http://iase.disa.mil/stigs/scap/index.html


IT Security Database

This site collects OVAL Definitions from sources such as the OVAL Repository, Red Hat, Suse, NVD, Apache, etc., and provides a unified, easy-to-use Web interface to all IT security related items about them including patches, vulnerabilities, and compliance checklists. Created: November 2010.

Repository: http://www.itsecdb.com/oval


The Security Content Automation Program (SCAP) is a public free repository of security content to be used for automating technical control compliance activities, vulnerability checking (both application misconfigurations and software flaws), and security measurement. Created January 2007.

Repository: http://scap.nist.gov/content/


The Positive Technologies repository of OVAL content consists of OVAL Definitions collected from various sources. Created May 2012.

Repository: http://oval.ptsecurity.com


The Red Hat repository of OVAL content consists of OVAL Patch Definitions that correspond to Red Hat Errata security advisories. Created May 2006.

Repository: https://www.redhat.com/security/data/oval/


SecPod SCAP Feed, also hosted as a repository, is a service providing standardized SCAP content (CVE™, CPE™, CCE™, XCCDF, and OVAL®) for vulnerability, patch, inventory, and compliance management. Created December 2010.

Repository: https://www.scaprepo.com


This Web site provides a mirror of the OVAL Repository and links its Alerts to OVAL Definitions when possible. Created February 2012.

Repository: https://www.security-database.com/oval.php


The SUSE Linux Enterprise OVAL Information database is an index of fixed security incidents indexed by product, RPM package name and version for use in security compliance checking. Created July 2010.

Repository: http://ftp.suse.com/pub/projects/security/oval/