Introduction
[In progress]
Goals
Design goals for this specification include:
- Simple and Practical: Support the most prevalent and significant use cases
- Interoperable: Allow a common representation of software vulnerability data that can be produced and consumed by static analysis tools, dynamic analysis (web-scanning) tools, and web application firewalls
Known Weaknesses
There are several known weaknesses in the current specification that will be addressed in future versions of the document if there is a demonstrated, significant market need. For example:
- The format can be seen as web-application centric. This decision was made because many organizations use web application scanning tools and therefore need to manipulate that data in a structured manner, while only a smaller subset of organizations use more specialized fuzzing tools. Dynamic results are therefore focused on web application testing tools, and ease of data representation was chosen over comprehensiveness. Vulnerability data for non-web applications is still supported, but via static analysis tools rather than dynamic ones.
Specification / Schema
[In progress]
Conclusion
[In progress]