The Repository Metadata Working Group was formed on May 6, 2019 at the SCAP 2.0 Developer Days.
We plan to develop proposals for how OVAL & SCAP repositories might provide a common, automation-friendly way to identify and retrieve content.
We have decided to develop proposals in two phases:
In Phase I, we will limit our scope to the automated consumption of OVAL, XCCDF, SCAP 1.0 Bundles, SCAP 1.2 Data Streams as currently published by repositories (see examples). We intend the results of this phase to be immediately useful for existing SCAPv1 repositories and use cases.
Although, strictly speaking, this phase will address SCAPv1 formats, we expect the formats and use cases addressed (or their analogues) to be present in SCAPv2 and for this work to lead naturally into Phase II.
In Phase II, we will revise and expand on the work in Phase I to more fully address formats and use cases that emerge as SCAPv2 is defined.
Current Members include:
- Stephen Banghart
- Daniel Harris
- Jack Vander Pol
- David Ries
- David Waltermire
If you are interested in following along, joining the working group, asking us questions or providing feedback of any kind, please join the mailing list and let us know!
We are working through the Initial Process (below). Help us with Draft Metadata Requirements for Phase I.
We are considering the following initial milestones/process:
- Document Examples for Phase I and Phase II (draft complete)
  - Example Repositories: list a few actual repositories that we intend our proposal to address
  - Example Content: list a few actual content feeds/packages that we intend our proposal to address
  - Example Stories: list a few stories we intend our proposal to support
- Draft Metadata Requirements for Phase I (in process)
  - Content Types: identify unique content types that our proposal must support (e.g. content packages, document formats, etc.)
  - Metadata by Content Type: for each content type, list and describe useful metadata fields
  - Repository/Grouping Metadata: list and describe any useful repository-global or other non-content-type metadata fields
- Create Sample Manifests for Phase I (in process)
  - Create abbreviated, sample manifests in a variety of formats subject to interest (e.g. XML, ROLIE, JSON)
  - Discuss and select a format (or formats)
- Assessment, Feedback, Next Steps
  - Discuss whether we’ve more-or-less completed our work (subject to outside feedback, documentation, etc.) or… have we come to the realization that this is going to take significantly more time, work, etc.?
  - Solicit feedback from community, repository owners, etc. (tbd)
  - Plan next steps
The open source development of this specification did not advance as expected, as there was not enough consensus. The SCAP Compliance Checker (SCC) team from NIWC proceeded with their own XML-based specification, and a real-world (functioning/live) example can be found at:
https://raw.githubusercontent.com/DISA-STIGS/DISA-STIGS.github.io/master/niwc-content-repository.xml