What is CVRF?

The Common Vulnerability Reporting Format (CVRF) is an industry-standard format for publishing security advisories in machine-readable form.

It differs slightly from the OVAL format, whose goal is to allow machine verification of a system's state with regard to security.

The CVRF format is intended for machine-based import into ticket systems and bug trackers for vulnerability response.

SUSE currently offers CVRF data in CVRF 1.1 and CVRF 1.2 formats. The main difference in the CVRF 1.2 content is that it can now also contain CVSSv3.1 base scores for CVEs.

The governance of CVRF has been transitioned from ICASI to OASIS, and it will be renamed to CSAF (Common Security Advisory Format).

SUSE and CVRF

SUSE started generating CVRF data at the beginning of 2017, covering SUSE security update notices that we have released since 2015 and going forward.

Download

The CVRF 1.1 data can be downloaded from the SUSE FTP site.

The CVRF 1.2 data can be downloaded from the SUSE FTP site.

How to use

The CVRF format is a verbose and simple XML format, so it can be hooked into other tools pretty easily even without additional libraries.
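
As an added example (not SUSE's code and not one of the reference parsers), the following uses only Python's standard library to turn a CVRF document into per-CVE records for ticket import. The sample advisory, its IDs and the helper names are constructed for illustration; element names follow the CVRF 1.2 schema, and matching on local tag names goes beyond the text above so that 1.1 files are read the same way.

```python
import xml.etree.ElementTree as ET

# Constructed sample advisory (not real SUSE data); IDs and scores are placeholders.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/cvrf">
  <DocumentTitle>Example security update</DocumentTitle>
  <DocumentTracking><Identification><ID>EXAMPLE-SU-0001</ID></Identification></DocumentTracking>
  <Vulnerability xmlns="http://docs.oasis-open.org/csaf/ns/csaf-cvrf/v1.2/vuln" Ordinal="1">
    <CVE>CVE-0000-0001</CVE>
    <ProductStatuses>
      <Status Type="Fixed"><ProductID>example-product:pkg-1.0-1</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSetV3><BaseScoreV3>7.5</BaseScoreV3></ScoreSetV3></CVSSScoreSets>
  </Vulnerability>
</cvrfdoc>"""


def find_all(elem, name):
    """Match on local tag name so CVRF 1.1 and 1.2 namespaces are handled alike."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]


def text_of(elem, name):
    """Text of the first descendant called `name`, or None if absent or empty."""
    hits = find_all(elem, name) if elem is not None else []
    return hits[0].text.strip() if hits and hits[0].text else None


def parse_cvrf(xml_text):
    """Return one ticket-ready dict per Vulnerability element in the advisory."""
    # CVRF needs no DTD; refusing one keeps entity expansion out of the parser.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in CVRF input")
    root = ET.fromstring(xml_text)
    ident = find_all(root, "Identification")
    advisory = text_of(ident[0] if ident else None, "ID")
    records = []
    for vuln in find_all(root, "Vulnerability"):
        score = text_of(vuln, "BaseScoreV3")  # CVRF 1.2 only; absent in 1.1
        fixed = [(p.text or "").strip() for s in find_all(vuln, "Status")
                 if s.get("Type") == "Fixed" for p in find_all(s, "ProductID")]
        records.append({"advisory": advisory, "title": text_of(root, "DocumentTitle"),
                        "cve": text_of(vuln, "CVE"),
                        "cvss3": float(score) if score else None, "fixed": fixed})
    return records


if __name__ == "__main__":
    for rec in parse_cvrf(SAMPLE_CVRF):
        print(rec)
```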

A reference Python parser for CVRF 1.1 is available at GitHub.

The OASIS reference CSAF Python parser for both CVRF 1.1 and 1.2 formats is available at GitHub.