OpenVAS Change Request #1: Introduce OID as replacement for script_id
Status: Voted +5. Done. Legacy OID URLs implemented in OpenVAS-Client since 1.0.3, exclusive use of OIDs since 2.0.0.
Purpose:
- To support distributed development of NVTs while avoiding ID conflicts in a systematic way.
- To avoid confusion and conflicts with Nessus script IDs, from which the current IDs are inherited although the scripts may by now differ because of maintenance modifications.
The current ID scheme for NVTs is based on integer values. Scripts inherited from Nessus have IDs 1NNNN and 2NNNN, the Debian Local Security Checks (DLSCs) have 5NNNN and 6NNNN; not all values in these ranges are actually consumed by scripts.
It would be conceivable to continue by assigning further ranges to specific contributors, but this causes problems: either the ranges are too big and the ID space is exhausted, or the ranges are small and multiple assignments have to be managed for the same contributor. Assigning ranges to families shows further problems: a range turns out to be too small and a family ends up spread over two or more ID ranges.
A more generic alternative is an OID scheme, which provides:
- continuous ID sub-numbers for families without limitation
- structure in the ID scheme (groups, subgroups, families etc.)
- a number scheme directly linked with a name scheme, which makes it easier to read for humans
- easier assignment of responsibilities for certain parts of the ID space
- as a side effect, URLs for the scripts (e.g. http://www.openvas.org/1.3.6.1.4.1.25623.1.0.976.html) for various reference purposes would rest on a sustainable concept, which in turn ensures the longevity of links.
- Newly written NASL scripts need to specify an OID instead of an ID, e.g.: script_oid("1.3.6.1.4.1.25623.1.2.1157.1");
- script_id() is deprecated. Concurrent use of both in one script is not allowed. For compatibility, script_id() statements will be accepted as long as no script_oid() statement occurs in the same script.
In effect this means that new OpenVAS servers can use old NASL scripts, but old servers will not be able to handle new NASL scripts. Since it does not make sense to maintain a special feed with the old ID scheme (high effort), all OpenVAS users will be forced to update to the new server if they want to use the new scripts. Thus the new OpenVAS server should be released and distributed before OIDs start to be applied in scripts. A clear timeline must be communicated to all users stating by when they have to update the server at the latest.
Even earlier, the OpenVAS clients need to be updated (highest priority).
It needs to be evaluated whether a convenience workaround makes sense in which OIDs are transformed into integer IDs (e.g. 1.3.6.1.4.1.25623.1.2.1157.1 to 11001157001). Uniqueness of such convenience IDs cannot be guaranteed, but collisions would be quite unlikely. If a convenience ID is applied, backward compatibility would be possible to some extent.
Design and Implementation
- In general, at various places no OID may be available yet (old script) although an OID is needed. In these cases the OID is assembled from the old ID (specific scheme to be decided).
- Extend the protocol specification with an optional OID and update the documentation.
- Handling of the OID: in openvas-libraries/libopenvas/plugutils.c, add the new functions plug_set_oid() and plug_get_oid().
- Add handling of OID in openvas-libraries/libopenvas/store.c.
- Add function script_oid() in openvas-libnasl/nasl/nasl_nessusd_glue.c.
- Add OID handling to the protocol in openvas-server/openvasd/comm.c.
- Replace handling of ID by OID in openvas-server/openvasd/nasl_plugins.c.
- Replace use of ID by OID in openvas-server/openvasd/pluginlaunch.c.
- Modify openvas-server/openvasd/plugs_hash.c to use OID instead of ID.
- Eventually: assign OIDs in openvas-plugins/plugins/*/*.c.
- Eventually: during the consolidation effort, assign OIDs in openvas-plugins/scripts/*.nasl.
- OpenVAS-Client: add handling of OID for the protocol and at various places in GUI, storage, import and export.
- Document the OID scheme in the OpenVAS manuals and on the website (also in the Howtos for NASL developers).
OID Scheme by examples:
Note: OpenVAS OIDs can be applied to arbitrary things, so NVTs are only one group. The OpenVAS enterprise number under iso.org.dod.internet.private.enterprise (1.3.6.1.4.1) is 25623.
Legacy OID for old Nessus script ID 976:
1.3.6.1.4.1.25623.1.0.976 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.legacy.976
Group for support scripts (e.g. information gatherers):
1.3.6.1.4.1.25623.1.1 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.lib
Support script for gathering the package information from the target host (gather-package-list.nasl):
1.3.6.1.4.1.25623.1.1.1 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.lib.gather-package-list
Family of Local Vulnerability Checks Level 1 for Debian Security Alerts:
1.3.6.1.4.1.25623.1.2 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.DSA-LVT-L1
Version 1 of DSA 1157 implemented as Local Vulnerability Check Level 1:
1.3.6.1.4.1.25623.1.2.1157.1 = iso.org.dod.internet.private.enterprise.OpenVAS.NVT.DSA-LVT-L1.1157.1
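The compatibility rule for script_id() versus script_oid() and the decoding of an OID into the dotted-name form above, as an added example. This is not code from the OpenVAS project; it assumes the scheme shown on this page (1.3.6.1.4.1.25623 as the OpenVAS arc, .1 the NVT group, .1.0 legacy integer IDs, .1.1 support scripts, .1.2 DSA-LVT-L1), the function names are this example's own, and the NASL description blocks are constructed inputs rather than real feed scripts.

```python
"""Resolve and decode NVT identifiers under the proposed OID scheme.

Added example, not OpenVAS project code. The arc names below come from
the "OID Scheme by examples" section of this page; everything else
(function names, policy checks, sample scripts) is this example's own.
"""
import re

OPENVAS_ARC = "1.3.6.1.4.1.25623"
LEGACY_ARC = OPENVAS_ARC + ".1.0"

# OID prefix -> name, as used in the examples above.
ARC_NAMES = {
    "1": "iso",
    "1.3": "org",
    "1.3.6": "dod",
    "1.3.6.1": "internet",
    "1.3.6.1.4": "private",
    "1.3.6.1.4.1": "enterprise",
    OPENVAS_ARC: "OpenVAS",
    OPENVAS_ARC + ".1": "NVT",
    LEGACY_ARC: "legacy",
    OPENVAS_ARC + ".1.1": "lib",
    OPENVAS_ARC + ".1.2": "DSA-LVT-L1",
}

# Dotted decimal: first arc 0-2, no empty and no zero-padded arcs.
OID_SYNTAX = re.compile(r"^[0-2](\.(0|[1-9][0-9]*))+$")
SCRIPT_OID = re.compile(r'\bscript_oid\s*\(\s*"([^"]*)"\s*\)')
SCRIPT_ID = re.compile(r"\bscript_id\s*\(\s*([0-9]+)\s*\)")


def resolve_nvt_id(nasl_source):
    """Return ("oid", oid), ("legacy", oid) or ("error", reason).

    script_oid() wins when present, script_id() is accepted only when no
    script_oid() occurs, and both together are rejected.
    """
    # NASL comments start with '#'; ignore commented-out lines.
    code = "\n".join(line for line in nasl_source.splitlines()
                     if not line.lstrip().startswith("#"))
    oids = SCRIPT_OID.findall(code)
    ids = SCRIPT_ID.findall(code)
    if oids and ids:
        return ("error", "script_id() and script_oid() in the same script")
    if len(oids) > 1 or len(ids) > 1:
        return ("error", "more than one identifier statement")
    if oids:
        oid = oids[0]
        if not OID_SYNTAX.match(oid):
            return ("error", "malformed OID %r" % oid)
        # Policy of this example: NVT OIDs must live under the NVT arc.
        if not oid.startswith(OPENVAS_ARC + ".1."):
            return ("error", "OID %s is outside the OpenVAS NVT arc" % oid)
        return ("oid", oid)
    if ids:
        # Old integer ID mapped onto the legacy arc, as in the example above.
        return ("legacy", "%s.%d" % (LEGACY_ARC, int(ids[0])))
    return ("error", "no script_id() or script_oid() found")


def oid_to_name(oid):
    """Render an OID in the dotted-name form used on this page.

    Known prefixes are replaced by their names; arcs below the last known
    prefix (script numbers, versions) stay numeric.
    """
    arcs = oid.split(".")
    return ".".join(ARC_NAMES.get(".".join(arcs[:i + 1]), arcs[i])
                    for i in range(len(arcs)))


# Constructed NASL description blocks (not real feed scripts).
LEGACY_SCRIPT = """\
if (description)
{
  script_id(976);
  script_name("Legacy check inherited from Nessus");
  exit(0);
}
"""

NEW_SCRIPT = """\
if (description)
{
  # script_id(61157);   old ID kept only in a comment
  script_oid("1.3.6.1.4.1.25623.1.2.1157.1");
  script_name("DSA-1157 local vulnerability check, level 1");
  exit(0);
}
"""

MIXED_SCRIPT = 'script_id(61157);\nscript_oid("1.3.6.1.4.1.25623.1.2.1157.1");\n'

if __name__ == "__main__":
    for src in (LEGACY_SCRIPT, NEW_SCRIPT, MIXED_SCRIPT):
        kind, value = resolve_nvt_id(src)
        print(kind, value if kind == "error" else oid_to_name(value))
```

Run as a script it resolves the legacy block to the .1.0.976 legacy OID, accepts the DSA-1157 block (the commented-out script_id() does not count) and rejects the block that uses both statements. A feed check of this kind is what an old server lacks: it would silently see no script_id() in a new script.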
History:
- 2008-01-24 Jan-Oliver Wagner
- 2008-02-23 Jan-Oliver Wagner: Updated status with result of voting.
- 2008-04-05 Jan-Oliver Wagner
- 2008-12-29 Michael Wiegand