The security protection type

gain administrative access

gain user access

A single fix action should only cover a single patch application, software update, configuration change, or external fix. Dependencies should be documented by using the "next_fix_action" element to point to a recursive list of fix actions.

CPE name of the software update package.

States whether the fix action fully avoids the risk associated with the vulnerability or reduces risk to some extent.

Describes or points to the check/test (either OVAL or other) that this particular fix action addresses, e.g. applying this fix will change the value of this test result.

Unique value within the source. Will be used with the source element to serve as a global unique identifier.

Should be URI-like, e.g. an inverted DNS address such as mil.jtf-gno

The CPE name of the scanning tool. A value must be supplied for this element. The CPE name can be used for a CPE from the NVD. The CPE title attribute can be used for internal naming conventions (or both, if possible).

Defines required signature or policy definition that must be installed on the tool.

TODO: Low priority: Add reference to notes type to allow analysts, vendor and other comments. Add source attribute. Maybe categorization?

Denotes a scanner and required configuration that is capable of detecting the referenced vulnerability. May also be an OVAL definition and omit scanner name.

This element should ultimately be held in a threat model.

TODO: revisit referenceType and textType

Extends the base "reference" class by adding the ability to specify which kind (within the vulnerability model) of reference it is. See "Vulnerability_Reference_Category_List" enumeration.

TODO: determine purpose