Hello,

for the two reference NVTs we have already
implemented most of the description break-up:

 * 2013/gb_nero_mediahome_server_mult_dos_vuln.nasl
   (OID: 1.3.6.1.4.1.25623.1.0.803150)

 * secpod_xpdf_mult_vuln.nasl
   (OID: 1.3.6.1.4.1.25623.1.0.900457)

This is done in a way that makes the NVTs compatible with
pre-OpenVAS-6. Once OpenVAS-5 is deprecated, the scripts can
be simplified quite a bit again.

There are still open issues where I would like to propose a solution
with direct examples for the reference NVTs:

IMHO we should have two further tags: summary and vulnerability-detection.

"summary": A short text describing what the issue and test is about. It 
mentions essentials and gives hints about the affected product or systems.
It also gives a hint on the type of vulnerability and criticality.
The text may extend to several lines, but all provided information should
be condensed and not copy the other tags.

(Note: I chose the term "summary" because "description" would naturally
be the whole set of meta information)

Example for secpod_xpdf_mult_vuln.nasl:

"The PDF viewer Xpdf is prone to multiple vulnerabilities on Linux systems
that can lead to arbitrary code execution."

Original "Overview":
This host is installed with Xpdf for Linux and is prone to Multiple
Vulnerabilities.

Which is not so suitable the way it is phrased. It already assumes the host
is vulnerable.


"vulnerability-detection": A short text that documents how the test
detects the vulnerability.

Example for secpod_xpdf_mult_vuln.nasl:

"This test uses the xpdf detection results and checks the version of each binary
found on the target system. Version 3.02 and prior will raise a security
alert."


I am aware this means quite some hand-crafting work to get all NVTs furnished
with adequate texts. I think it is worth the effort in order to get a really
helpful and consistent documentation for the user.


On the implementation side I imagine (anything I might have missed or got 
wrong?):

- Scanner: While transferring meta data via OTP: Don't send description if the 
new meta-tags are present. We can ignore the old-style "summary" as well as
it adds no information.

- Scanner: While scanning: In case an empty exit() is issued, don't copy the 
description into the result in case the new metatags are present.

- Manager/GSA: In case of an empty result display summary, insight, impact, 
  solution (nicely arranged). Add a box "Result:" with "Vulnerability 
  detected.".
  In case the result is not empty, but the NVT is "new-style", fill the
  box "Result:" with the returned text. This very text is the only element
  we should display preformatted with enforced linebreak. The rest can be
  directly rendered as those elements can not contain overlong words
  or any improper characters.

Note: might make sense to manage an indicator in the NVTI that says whether
we have a "new style" NVT.


Please share your mind about this proposal.

Best

Jan

-- 
Dr. Jan-Oliver Wagner |  ++49-541-335084-0  |  http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
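
The scanner and Manager/GSA rules proposed in the message above, sketched as an added example that is not part of the original mail or of OpenVAS code. All function names, the HTML layout and the sample tag values are assumptions; escaping every field is a defensive choice of this sketch.

```python
import html

# Structured tags named in the Manager/GSA item of the proposal.
NEW_STYLE_TAGS = ("summary", "insight", "impact", "solution")

# Constructed sample meta data for secpod_xpdf_mult_vuln.nasl.
SAMPLE_TAGS = {
    "summary": "The PDF viewer Xpdf is prone to multiple vulnerabilities "
               "on Linux systems that can lead to arbitrary code execution.",
    "solution": "Constructed placeholder solution text.",
}


def is_new_style(nvt_tags):
    """Hypothetical NVTI indicator: true when the new meta-tags are present."""
    return bool(nvt_tags.get("summary"))


def scanner_result_text(nvt_tags, description, reported_text):
    """Scanner side: text stored in the result when the NVT raises an alert."""
    if reported_text:
        return reported_text
    # Empty report: old-style NVTs fall back to the description,
    # new-style NVTs leave the result empty.
    return "" if is_new_style(nvt_tags) else description


def render_result(nvt_tags, result_text):
    """Manager/GSA side: build the HTML fragment for one result."""
    if not is_new_style(nvt_tags):
        # Old-style: the result already carries the whole description.
        return "<pre>%s</pre>" % html.escape(result_text)
    parts = []
    for tag in NEW_STYLE_TAGS:
        if nvt_tags.get(tag):
            parts.append("<h4>%s</h4><p>%s</p>"
                         % (tag.capitalize(), html.escape(nvt_tags[tag])))
    if result_text:
        # The returned text is the only preformatted element.
        box = "<pre>%s</pre>" % html.escape(result_text)
    else:
        box = "<p>Vulnerability detected.</p>"
    parts.append("<h4>Result:</h4>" + box)
    return "\n".join(parts)
```
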