On Monday, 5. December 2011, Sébastien AUCOUTURIER wrote:
> I agree with the idea
> as I already sent to the openvas-plugin list, this kind of mismatch
> between CVSS, severity category, risk factor, in some plugins

yep, ultimately it will be solved with CR59.

> But
> I do not agree with the scoring you use,
> my proposal should be
> 
> CVSS = 0.0 -> log_message()
> 0   <= CVSS <= 3.9 -> security_note()
> 4.0 <= CVSS <= 6.9 -> security_warning()
> 7   <= CVSS <= 10  -> security_hole()

hm, my proposal was directly derived from CR42:

  http://openvas.org/openvas-cr-42.html

The ultimate goal is that users can specify their own categories
based on the CVSS returned by the NVTs.
Until then, it is a compromise anyway.

If I am not mistaken most NVT developers assign message type according
to CR42 (at least since we agreed on this CR)?

So the most sensible approach for the transition time appeared
to be CR42 ranges.

> About the process to change CVSS, is it possible to make a process like
> the one nmap uses for OS and service detection, a community contribution?
> Where requests for modification would be sent to the plugin developer, who
> may correct or justify his choice through a request tracker?

I'd love to add a feedback mechanism for NVTs, so that users
can submit their opinion on an NVT's finding/CVSS value directly.
This could directly issue the notes/overrides feature and be extended
with a submission mechanism. At least that's what I envision for the future.

Best

        Jan

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-devel
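The CVSS-to-message-function mapping Sébastien proposes above, as an added example that is not code from the thread or from OpenVAS: it classifies a CVSS base score into the NVT reporting function and flags NVTs whose call disagrees with their score. It assumes the `CVSS = 0.0 -> log_message()` line takes precedence over the overlapping `0 <= CVSS <= 3.9` note range, and that scores sit on the one-decimal grid CVSS uses.

```python
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# Ranges from Sébastien's proposal, inclusive on both ends.
# Assumption: 0.0 is log_message() only, so the note range starts at 0.1.
MESSAGE_FUNCTIONS = (
    (Decimal("0.0"), Decimal("0.0"), "log_message"),
    (Decimal("0.1"), Decimal("3.9"), "security_note"),
    (Decimal("4.0"), Decimal("6.9"), "security_warning"),
    (Decimal("7.0"), Decimal("10.0"), "security_hole"),
)


def normalise_cvss(score) -> Decimal:
    """Validate a CVSS base score and snap it to the one-decimal CVSS grid.

    Working in Decimal avoids float artefacts such as 3.9 landing just above
    the security_note() boundary.
    """
    try:
        value = Decimal(str(score)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
    except Exception as exc:
        raise ValueError(f"not a CVSS score: {score!r}") from exc
    if not Decimal("0.0") <= value <= Decimal("10.0"):
        raise ValueError(f"CVSS base score out of range: {value}")
    return value


def message_function(score) -> str:
    """Return the NVT reporting function the proposal assigns to a CVSS score."""
    value = normalise_cvss(score)
    for low, high, name in MESSAGE_FUNCTIONS:
        if low <= value <= high:
            return name
    # Unreachable on the 0.1 grid: the ranges above leave no gap.
    raise AssertionError(f"no range covers {value}")


def check_consistency(score, used_function: str) -> Optional[str]:
    """Describe a CVSS/message-type mismatch in an NVT, or return None if consistent."""
    expected = message_function(score)
    if used_function == expected:
        return None
    return f"CVSS {normalise_cvss(score)} expects {expected}(), NVT uses {used_function}()"
```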
