On Friday 02 December 2011 16:04:15 Thomas Reinke wrote:
> b) Keep risk_factor tag until all scripts are assigned a
> true CVSS score. Details:
>
> - Keep risk_factor tag in all scripts for now.

sure.

> - Have risk_factor tags automatically adjusted based on current
> value of CVSS (this is automated, as we already have the scripts
> both openvas as well as us, in place to do this). Do this
> on a regular basis (weekly, bi-weekly, etc.) to maintain
> consistency of risk_factor values based on current cvss scores.

yes, it is already in the processing chain.

> - evaluate creation of cvss scores for nvts missing them.
> (yikes, much much work).

this is what I am worried about: will it be an endless story
as we don't gather enough man power to work through all 6500 NVTs?

> - once all scripts have cvss scores, and no scripts added without
> them, THEN and only then remove risk_factor tags as being
> obsolete. This rule applies for either case.

> The key down side on option b is that I'm suggesting keep risk_factor
> until such time that cvss can truly, and reliably (without short cuts)
> be used to replace them, without devaluing the cvss scores themselves.

IMHO the main drawback of b) is that we have no good idea about the effort
necessary here.

> My suggestion between the above two approaches is b)

How about adjusting CR to follow option b) and start into manual CVSS
assignment. We'll see how many NVTs we can easily assign a CVSS.
For example, quite a number of NVTs will have 0.0 as they only are about
detection. Perhaps we can identify some other groups that are simple to handle.

Then we'll see what remains due to lack of man power and can jointly
discuss how to proceed from there.

Sounds like a plan?

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
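
The option b) workflow discussed in this thread, sketched as an added example that is not part of the original message and is not the project's own tooling: it re-derives risk_factor from the CVSS tag and flags NVTs that still need a manual score. The `script_tag(name:..., value:...)` syntax, the `cvss_base` tag name, the score bands and the sample scripts are assumptions made for illustration.

```python
import re

# Assumed bands (upper bound, label); the thread does not state the mapping.
BANDS = [(0.0, "None"), (2.0, "Low"), (5.0, "Medium"), (8.0, "High"), (10.0, "Critical")]

def _tag(name):
    # Matches script_tag(name:"<name>", value:"<value>") with flexible spacing (assumed syntax).
    return re.compile(r'(script_tag\s*\(\s*name\s*:\s*"%s"\s*,\s*value\s*:\s*")([^"]*)(")' % name)

CVSS_RE = _tag("cvss_base")    # tag name is an assumption
RISK_RE = _tag("risk_factor")

def risk_for(score):
    """Return the risk_factor label for a CVSS base score in [0.0, 10.0]."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("score out of range")

def sync_risk_factor(nasl):
    """Return (text, status); status is ok, updated, missing_cvss, invalid_cvss or missing_risk."""
    m = CVSS_RE.search(nasl)
    if m is None:
        return nasl, "missing_cvss"   # keep the existing risk_factor; needs manual scoring
    try:
        score = float(m.group(2))
    except ValueError:
        return nasl, "invalid_cvss"
    if not 0.0 <= score <= 10.0:      # also rejects nan and inf
        return nasl, "invalid_cvss"
    r = RISK_RE.search(nasl)
    if r is None:
        return nasl, "missing_risk"
    wanted = risk_for(score)
    if r.group(2) == wanted:
        return nasl, "ok"
    return nasl[:r.start(2)] + wanted + nasl[r.end(2):], "updated"

# Constructed sample NVT fragments, not real scripts.
SAMPLES = {
    "detect.nasl": 'script_tag(name:"cvss_base", value:"0.0");\nscript_tag(name:"risk_factor", value:"Low");\n',
    "vuln.nasl": 'script_tag(name:"cvss_base", value:"7.5");\n script_tag(name:"risk_factor", value:"High");\n',
    "legacy.nasl": 'script_tag(name:"risk_factor", value:"Medium");\n',
}

def report(samples):
    return {name: sync_risk_factor(text)[1] for name, text in samples.items()}

if __name__ == "__main__":
    print(report(SAMPLES))
```

Counting the `missing_cvss` entries in the report gives the size of the manual-assignment backlog; those scripts keep their current risk_factor untouched.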