Mar 3, 2022

OVAL and CVRF

Open Vulnerability and Assessment Language (OVAL)

OVAL is a definition file format designed for use by automated test tools to determine the patch state of a machine. It is developed by NIST.

CVRF is not designed as a way to determine the patch state of a machine, but it can provide an alternative, machine-readable version of security advisories.


Common Vulnerability Reporting Framework (CVRF)

The goal of CVRF is to share information about security updates (security advisories) in a machine-readable XML format. It was developed by ICASI (which was integrated into FIRST in June 2021).

CVRF has been transitioned to the OASIS Common Security Advisory Framework (CSAF) Technical Committee.

The most commonly supported CVRF version today is v1.1.


What are the differences between OVAL and CVRF?

OVAL is a definition file used by scanning tools to perform assessments, while CVRF is a format for security advisory documents.

OVAL is available as a roll-up definition file per OS version, such as Ubuntu Focal. It contains all the patch information since day one.

CVRF documents are usually provided by the OS vendor on a regular basis. For example, Microsoft publishes monthly security advisories in CVRF format, which can be retrieved via an API call with a month parameter such as 2021-apr.

Think of OVAL as being for security scanning (with OpenSCAP), and CVRF as just the security advisories (not for assessment), used for communicating security information to customers.

Both are machine-readable XML formats.
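To show what "machine-readable advisory" means in practice, here is an added example (not code from the original post or from any vendor) that parses a small, constructed CVRF 1.1 document and lists, per CVE, which products the vendor marks as affected or fixed. The namespaces are the standard CVRF 1.1 ones; the advisory ID, CVE number and product names in the sample are placeholders, and the sample is minimal rather than schema-complete.

```python
import xml.etree.ElementTree as ET

# Standard CVRF 1.1 namespaces: document body, product tree, vulnerability sections.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory; IDs, CVE and product names are placeholders.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Example Security Advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentTracking><Identification><ID>EXAMPLE-SA-0001</ID></Identification></DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="P-1">Example OS 20.04</prod:FullProductName>
    <prod:FullProductName ProductID="P-2">Example OS 22.04</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Placeholder issue in example-pkg</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>P-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>P-2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>"""


def parse_cvrf(xml_text):
    """Return (advisory_id, {cve: {status_type: [product names]}})."""
    root = ET.fromstring(xml_text)  # advisories fetched from the network: use a hardened parser such as defusedxml
    adv_id = root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS)
    # ProductTree maps opaque ProductID values to human-readable names.
    products = {p.get("ProductID"): p.text for p in root.findall(".//prod:FullProductName", NS)}
    result = {}
    for v in root.findall("vuln:Vulnerability", NS):
        cve = v.findtext("vuln:CVE", namespaces=NS)
        statuses = {}
        for st in v.findall("vuln:ProductStatuses/vuln:Status", NS):
            names = [products.get(pid.text, pid.text) for pid in st.findall("vuln:ProductID", NS)]
            statuses[st.get("Type")] = names
        result[cve] = statuses
    return adv_id, result


if __name__ == "__main__":
    print(parse_cvrf(SAMPLE_CVRF))
```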


Vendor Support

Most OS vendors support OVAL and provide OVAL downloads for free. For example, Red Hat has provided OVAL definitions since 2006, and has provided CVRF documents for all Red Hat security advisories across all products since 2012.

So far, Microsoft only provides CVRF documents and an API call to access the documents by month (YYYY-mmm).


Links: