Hello Developers, we are coming close to vote about CR58:
http://www.openvas.org/openvas-cr-58.html Two open questions remained: 1. What about CVSS Temporal Scores as provided in some description texts? -> Seems this is basically uneeded as we have timely updates of CVSS according to CVE updates. Anyone has a strong opinion about CVSS Temoral Scores? Can we drop them entirely? 2. Assign CVSS to NVTs that currently have none (not even in the description). -> Henri counted around 6500 NVTs of this kind. It is easy to automatically assign a CVSS base number using the risk_factor (any NVT has one). For example, the highest CVSS of the respective range could be applied (for "Critical" this would be 10.0, for "High" this would be 8.0, etc) Alternatively, we could automatically apply the middle of the risk factor class (for Critical this would be 9.0, for High 6.5, etc). Of course, the lowest is also an option, but perhaps not the best choice. Which of the those automatic assignements should be applied? Should we do this automatically at all? Of course the CVSS Vector would be missing for those. Which in turn is a good indicator which ones were assigned manually and which not. Opinions more than welcome! Best Jan -- Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/ Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460 Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner _______________________________________________ Openvas-devel mailing list Openvas-devel@wald.intevation.org http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
