As usual, an uncooked selection of automatic reactions from my side :) While the idea of both CRs is great and will result in a clean-up of the NASL NVTs and make them more consistent, I want to express concern about using the script_tag approach.

The neatness of the script_tag approach is that in theory only the NASL scripts themselves have to be updated and there are no compatibility issues at all. The clients will display the content of the tags (although currently it will not look nice, as all tags are crammed together in a single string, iirc). That's all great and I will probably thus vote +1 ;). However, in my eyes, the disadvantages are:

1) Tags do not have clear semantics (e.g. CVSS is a number; think about sorting).
2) Typos are hard to find (assume somebody accidentally typed cvSs), in contrast to a function call like 'meta_info_cvss (5.0);' where the interpreter (and thus Q&A scripts) would warn about un-NASL-ness.
3) Many tags will make the nice and relatively new cache format unreadable again.
4) Many tags will probably make the clients' view of NVTs look weird.
5) Start of an "ok, let's do everything with tags" mentality, where we need proper solutions. Remember the meta-data discussions at the devcon.

I think it's an okay intermediate solution, and if you guys can do the work of touching all these scripts, that's a great effort in the right direction.

Regarding CR 42: Some NASL scripts currently do not directly relate to any security issue (e.g. "General Settings", "Toolcheck"). These should get their own SEVERITY, too. "None", "n/a", "unrelated", "scan-related", ...? Similarly for CR 41, should these get an empty string as CVSS? A "0.0", a "-1", ...?

Also, it seems that redundant information is delivered in case both tags are given. The only additional information gained by "risk_factor" is whether the script is just "informational"; otherwise the level can be deduced from the CVSS score on the client side. If openvas-nasl-tags weren't key-value pairs, I would opt for the first community-agreed-on tag: "informational".

And I am waiting for the meta-data CR :)

-- 
felix

On Friday 05 February 2010 07:12:27 Chandrashekhar B wrote:
> Hello,
>
> I have added two new CRs towards standardizing representation of CVSS and
> Risk Factor in NVTs.
>
> #41 - Adoption of CVSS Standard http://www.openvas.org/openvas-cr-41.html
>
> #42 - Adoption of Risk Factor standard for NVTs
> http://www.openvas.org/openvas-cr-42.html
>
> Please review and let me know if there are any concerns, comments or
> suggestions.
>
> Thanks,
> Chandra.

-- 
Felix Wolfsteller | ++49 541 335083-783 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Managing Directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
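Two of the points raised in the mail above, that a mistyped tag name like cvSs is silently accepted and that a CVSS value stored as a tag string has no numeric semantics (so sorting goes wrong), can be made concrete with a small checker that scans script_tag calls. This is an added example, not code from the thread or from OpenVAS; it assumes the tag names cvss_base and risk_factor as the vocabulary, assumes an allowed set of risk_factor values, and the NASL fragments it scans are constructed for the illustration.

```python
import re

# Constructed NASL fragments (not taken from any real NVT) that exercise the
# problems raised in the mail: a mistyped tag name and an untyped value.
SAMPLE_NASL = {
    "good.nasl": 'script_tag(name:"cvss_base", value:"5.0");\n'
                 'script_tag(name:"risk_factor", value:"Medium");\n',
    "typo.nasl": 'script_tag(name:"cvSs_base", value:"7.5");\n'
                 'script_tag(name:"risk_factor", value:"High");\n',
    "badvalue.nasl": 'script_tag(name:"cvss_base", value:"high");\n'
                     'script_tag(name:"risk_factor", value:"Severe");\n',
    "toolcheck.nasl": 'script_tag(name:"cvss_base", value:"0.0");\n'
                      'script_tag(name:"risk_factor", value:"None");\n',
}

# Matches script_tag(name:"...", value:"..."); with optional whitespace.
TAG_RE = re.compile(
    r'script_tag\s*\(\s*name\s*:\s*"([^"]*)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)\s*;'
)

# Assumed tag vocabulary and allowed risk_factor values (tuples keep the
# order of reported problems deterministic).
KNOWN_TAGS = ("cvss_base", "risk_factor")
RISK_FACTORS = ("None", "Low", "Medium", "High", "Critical")


def parse_tags(src: str) -> dict:
    """Return {tag_name: raw_value} for every script_tag call in a NASL source."""
    return {m.group(1): m.group(2) for m in TAG_RE.finditer(src)}


def lint_tags(tags: dict) -> list:
    """Report unknown or missing tag names, and values that break the
    semantics a typed call such as meta_info_cvss(5.0) would enforce."""
    problems = []
    for name in tags:
        if name not in KNOWN_TAGS:
            # A case-insensitive match flags typos like cvSs_base.
            hint = next((k for k in KNOWN_TAGS if k.lower() == name.lower()), None)
            msg = f"unknown tag '{name}'"
            if hint:
                msg += f" (did you mean '{hint}'?)"
            problems.append(msg)
    for required in KNOWN_TAGS:
        if required not in tags:
            problems.append(f"missing tag '{required}'")
    cvss = tags.get("cvss_base")
    if cvss is not None:
        try:
            score = float(cvss)
        except ValueError:
            problems.append(f"cvss_base '{cvss}' is not a number")
        else:
            if not 0.0 <= score <= 10.0:
                problems.append(f"cvss_base {score} outside 0.0-10.0")
    risk = tags.get("risk_factor")
    if risk is not None and risk not in RISK_FACTORS:
        problems.append(f"risk_factor '{risk}' not one of {'/'.join(RISK_FACTORS)}")
    return problems


def lint_all(sources: dict) -> dict:
    """Lint every source and map file name -> list of problems."""
    return {fname: lint_tags(parse_tags(src)) for fname, src in sources.items()}


def sort_scores(values: list, as_numbers: bool) -> list:
    """Sort CVSS scores as raw tag strings or as numbers; the string order
    is what a client gets if it never converts the tag value."""
    if as_numbers:
        return sorted(values, key=float)
    return sorted(values)


if __name__ == "__main__":
    for fname, problems in lint_all(SAMPLE_NASL).items():
        print(fname, problems or "ok")
    scores = ["5.0", "10.0", "7.5"]
    print("string order :", sort_scores(scores, as_numbers=False))
    print("numeric order:", sort_scores(scores, as_numbers=True))
```

Running it flags typo.nasl with an unknown tag plus a missing cvss_base (the two symptoms of one typo), rejects the non-numeric score and the unlisted risk factor in badvalue.nasl, and accepts the "0.0"/"None" pairing as one way to express a scan-related script. The string sort puts "10.0" before "5.0", which is exactly the sorting problem a numeric type would avoid.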