SecPod SCAP Repo Web Service

It is a REST-based web service interface for SCAP Repo. It allows:
- Login/logout
- Fetch SCAP entity metadata
- Fetch SCAP entity XML
- Get SCAP data bundle
- Get SCAP data stream
- Get RSS based alert
- List SCAP Repo profile
- Get profile based SCAP content
- Get Priority List 1 Products CPEs XML or JSON

With these methods, a security scanner can be built to fetch security content in an automated fashion. Some of these interfaces require a subscription to the SCAP Repo, while others work over an anonymous binding without authorization. Every subscriber is provided with a SAML-based authorization assertion, which has to be sent as part of the HTTP Authorization header of the login interface. The assertion has to be compressed and Base64 encoded so that it can be accommodated within the Authorization header.
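The encoding step described above, as an added example (not SecPod's client code): it compresses and Base64-encodes an assertion, checks that the result fits in a header, and decodes it with a bound on the decompressed size. The page does not name the compression scheme, so zlib is an assumption, as are the 8 KiB header limit, the function names and the constructed sample assertion.

```python
import base64
import zlib

MAX_HEADER_BYTES = 8192  # assumed limit; many HTTP servers cap a header near 8 KiB

# Constructed sample assertion (placeholder content, not a real credential).
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example" Version="2.0"><saml:Issuer>issuer.example</saml:Issuer>'
    "<saml:Subject><saml:NameID>subscriber@example.com</saml:NameID>"
    "</saml:Subject></saml:Assertion>"
)


def encode_assertion(assertion_xml: str) -> str:
    """Compress and Base64-encode an assertion for the Authorization header.

    Assumption: zlib (RFC 1950) compression; the page does not name the scheme.
    """
    raw = assertion_xml.encode("utf-8")
    token = base64.b64encode(zlib.compress(raw, 9)).decode("ascii")
    # b64encode emits no CR/LF, so the value cannot split the header line.
    if len("Authorization: ") + len(token) > MAX_HEADER_BYTES:
        raise ValueError("encoded assertion exceeds the assumed header limit")
    return token


def decode_assertion(token: str, max_xml_bytes: int = 1 << 20) -> str:
    """Reverse encode_assertion, bounding the decompressed size.

    The bound stops a small, highly compressed token from expanding
    into an arbitrarily large buffer on the receiving side.
    """
    compressed = base64.b64decode(token, validate=True)  # reject stray characters
    inflater = zlib.decompressobj()
    raw = inflater.decompress(compressed, max_xml_bytes)
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("assertion is truncated or exceeds max_xml_bytes")
    return raw.decode("utf-8")


if __name__ == "__main__":
    token = encode_assertion(SAMPLE_ASSERTION)
    print(len(SAMPLE_ASSERTION), "XML chars ->", len(token), "header chars")
```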

Service Interface Documentation


Login. Arguments - Authorization token
public Response login(@HeaderParam("Authorization") String authorization)


Logout. Argument - session id.
public Response logout(@HeaderParam("Authorization") String authorization)

Get Metadata

Get Metadata based on SCAP content ID (CVE, CCE, CPE, CWE, OVAL, XCCDF). id
public Response getContent(@QueryParam("id") String id)
Get metadata schema here

Get Metadata with SCAP References (needs valid credentials)

Get Metadata with SCAP References based on SCAP content ID (CVE, CCE, CPE, CWE, OVAL, XCCDF). Requires valid assertion token and SCAP ID.
public Response GetSecInfo(@HeaderParam("Authorization") String authorization, @QueryParam("id") String id)


Get XML based on SCAP content ID (CVE, CCE, CPE, CWE, OVAL, XCCDF). Arguments - session Id and content id
public Response getContent(@HeaderParam("Authorization") String authorization, @QueryParam("contentId") String contentId)

Get Profile

Lists content profile names. Argument - session Id
public Response getProfile(@HeaderParam("Authorization") String authorization)

Get Profile Content

Get all SCAP content for a specific profile. Arguments - session ID and profile Id
public Response getProfileContent(@HeaderParam("Authorization") String authorization, @QueryParam("profile") String profile)

Get Datastream

Get SCAP datastream based on an XCCDF Id. Arguments - session Id, XCCDF Id
public Response getXCCDFDataStream(@HeaderParam("Authorization") String authorization, @QueryParam("xccdfId") String xccdfId)

Get Bundle

Get SCAP bundle zip for a specific Id. IDs can be of CVE, CCE, CPE, OVAL or XCCDF type. Arguments - session Id, Content Id
public Response getBundle(@HeaderParam("Authorization") String authorization, @QueryParam("id") String id)

Get RSS Feed

Get RSS based alert XML for a specific type (oval/cce/cpe/xccdf/cve/cwe). The alerts are for new additions into the repo. This functionality does not need login. Argument - type
public Response getRss(@QueryParam("type") String scapType)

Get P1 Products CPE

Get P1 Products CPE XML or JSON. Requires valid assertion token and file type (json or xml). Argument - type
public Response getP1ProductsCpes(@HeaderParam("Authorization") String authorization, @QueryParam("type") String XMLorJSON)

Get End-of-life data of Products

Get End-of-life data in a zip file which contains each product's individual JSON file. Requires valid assertion token. Argument - type
public Response getEOLData(@HeaderParam("Authorization") String authorization)

Sample SCAP Repo Web Service Client

A client written in Python with modules designed for SCAP Repo Web Service.
Download the client here

A Java client to SCAP Repo Web Service, an interface to login/logout, get XML, get bundle, get datastream, get RSS feed, get profile, get profile content.
Pre-Requisites: OpenJDK 1.6/JDK 1.6 or higher versions
Download the client (including javadocs) here
Download the metadata schema file here

For more info: Visit or mail us at
