OVAL and Data Stream (DS) v1 deprecation announcement

Updated -


In 2006 Red Hat started publishing security data using the Open Vulnerability and Assessment Language (OVAL) and Data Stream (DS) format. Over the years, the OVAL data format evolved significantly, and in 2019, the v2 version of our OVAL data was made available. This is the most current version of the OVAL security data. Red Hat customers use v2, including various security scanners vendors, and it is considered a default security data format for the Red Hat Vulnerability Scanner Certification program.

OVAL and DS v1 changes

Red Hat OVAL v1 security data has been considered deprecated since 2019. An announcement was made in the Evolving OVAL blog post and the Red Hat Vulnerability Scanner Certification requirements. Even though v1 was deprecated, Red Hat continued publishing new content in the old data format.

The following upcoming changes and effective dates for deprecating OVAL v1 content are now set:

  • April 1, 2023 - new content will not be published to OVAL and DS v1 data.
    All v2 content (files under /security/data/oval/v2 and /security/data/metrics/ds/v2) remains unchanged.
  • July 1, 2023 - all OVAL v1 and DS v1 data will be compressed and moved to the following archive directories:
    • /security/data/archive/oval_v1_<date>.tar.gz
    • /security/data/archive/ds_v1_<date>.tar.gz

The above changes will also impact the com.redhat.rhsa-all.xccdf.xml file available under the /data/metrics/ path as it is considered a part of the now deprecated OVAL v1 data.

Please contact Red Hat Product Security with any questions about these changes at secalert@redhat.com or file an issue in the SECDATA Jira project.