Hi Bill,

I recently blogged about this here:

http://blog.tenablesecurity.com/2007/09/everything-you-.html

Many of the plugins that don't have CVSS scores are patch audit families where patch information does not contain CVE, bugtraq or CVSS scoring. Some plugins that do not have CVEs associated with them are for audits of things like discovered access points and service identifiers. You won't ever see a CVE or CVSS score for a pingable host or open port, for example.

The Nessus Low/Medium/High scoring is directly mapped off of the CVSSv2 score. The CVSSv2 number provides more fidelity (a zero to ten scale), but this is mapped to the Nessus severity rating.

I've also blogged about how we used to use CVSSv1 and then moved to CVSSv2 at these links:

http://blog.tenablesecurity.com/2007/07/cvss-version-2-.html
http://blog.tenablesecurity.com/2006/11/cvss_scores_in_.html

Ron Gula, CTO
Tenable Network Security

Bill Anderson wrote:
> We would like to use CVSSv2 scores in our results reporting. I was
> wondering if anyone is working on doing CVSS scoring on plugins that are
> currently without CVSS scores? Is there any kind of schedule or estimate
> on when that will be done? Would it be useful to partner on creating
> scores for the plugins that do not currently have them? We strongly
> prefer to use CVSS v2 scores over the normal Nessus Low/Medium/High
> scoring. Also, there are a large number of plugins that do not have CVEs
> associated with them. Has anyone done any research as to whether this is
> due to plugin writers not providing them, or do these plugins truly not have
> CVEs to be associated with? Is anyone working on improving this?
>
> Bill
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
