What is CVRF?

The Common Vulnerability Reporting Format (CVRF) is a industry standard format for publishing security advisories in machine readable form.

It is different to the OVAL format, which goal is to be able to machine verify state of a system in regards to security, while the CVRF format is targeted for machine based import into ticket systems and bug trackers for vulnerability response.

The governance of CVRF has been transitioned from the ICASI to OASIS and it will be renamed to CSAF (Common Security Advisory Format).:


SUSE currently offers:

  • CVRF data indexed by Security Advisory in CVRF 1.1 and CVRF 1.2 formats. The main difference in the CVRF 1.2 content is that it can now contain also CVSSv3.1 base scores for CVEs.
  • CVRF 1.2 data indexed by CVE.

SUSE has started generating CVRF data begin of 2017 for SUSE security update notices that we have released since 2015 and going forward.


The CVRF 1.1 data can be downloaded from the SUSE ftp site.

The CVRF 1.2 data can be downloaded from the SUSE ftp site.

The CVRF 1.3 data indexed by CVE can be downloaded from the SUSE ftp site.

How to use

The CVRF format is a verbose and simple XML format, so it can be hooked into other tools pretty easily even without additional libraries.

A reference python parser for CVRF 1.1 is available at Github.

The OASIS reference CSAF python parser for both CVRF 1.1 and 1.2 formats is available at Github.