...
- SCAP.V.8: The vendor shall provide instructions on how the product indicates the validity of the imported SCAP-expressed data stream to a target platform. Instructions should also describe how the imported data stream is indicated to not be valid for a target platform. This requirement is testing the use of the OVAL check associated with a CPE name via the CPE dictionary to determine applicability of the data stream.
See Creating a Policy. Selecting the profile will choose the associated target computers (if any exist).
CVSS + CCE
...
- SCAP.V.9: The vendor shall provide documentation explaining where the NVD CVSS base scores and vector strings can be located with the corresponding CVE ID. The vendor may optionally provide the tester information on how the product can be updated with new NVD CVSS base scores and vector strings prior to testing.
See Vulnerability Reports.
SCAP-Expressed Data Stream Import
- SCAP.V.10: The vendor shall provide documentation explaining how an SCAP-expressed data stream can be imported into the product and subsequently executed.
See Importing Profiles.
...