OpenVAS Change Request #14: OpenVAS-Client: Remove source code copy of gdchart and gdStatus: Voted +5. Implemented in SVN trunk, revision 1113.
To significantly reduce the code base of OpenVAS-Client (from approx. 50.000 down to 28.000 lines)
To use more recent (perhaps bug-fixed) system gdchart libraries
The gdchart library was pulled into OpenVAS-Client (actually into Nessus) quite some time ago to support the charts for "HTML Graph Output". The reason for dragging gdchart and gd into the client was probably problems with the general availability of gdchart (in a usable form). Handling this adequately in configure.in would likely have meant quite some trouble. It might also have been judged a problem to require the user installing the client to take care of the gdchart development files.
Today newer versions of gdchart seem generally available.
It is unclear whether the gdchart source copy incorporated in OpenVAS-Client contains any security problems or other sorts of bugs. Only an explicit analysis could find this out, and it is questionable whether to invest time in this.
After all, gdchart, with 40 percent of the source code, adds only a single feature to OpenVAS-Client, and not a basic one. Charting can be done with various tools on top of the actual scan reports. In general, OpenVAS-Client should rather incorporate external tools for the creation of reports than do this on its own.
The size of the source tarball of OpenVAS-Client as well as the number of flawfinder hits will drop significantly. This does not improve the quality as such, but removes distracting elements.
Removing the gdchart source copy from OpenVAS-Client would lead to the loss of this feature for anyone who installs OpenVAS-Client from the tarball and ignores the warning that the gdchart development package was not found on the respective system.
Furthermore, if the user does want to take action, it might be difficult for them to find out how to install the missing package.
Design and Implementation
Due to the identified effects, it might make sense to schedule this change for the next major release (1.1) of OpenVAS-Client and to continue maintenance of the 1.0 branch (with gdchart included) for a while.
The following steps need to be done:
- Modify configure.in to check for gdchart development files and set a HAVE_GDCHART flag.
- Make some code conditional on the HAVE_GDCHART flag.
- Clean up (remove?) NO_PIES handling
- Remove directory "nessus/gdchart0.94b"
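One way the configure.in check from the first step could look, written as an added example and not taken from the project's actual patch. It assumes the system gdchart package installs gdc.h and libgdc, exports GDC_out_graph, and links against -lgd -lm; the --with-gdchart option and the GDCHART_LIBS variable are hypothetical names.

```m4
dnl Added example for configure.in; not the project's actual patch.
dnl Assumptions: system gdchart provides gdc.h and libgdc, exports
dnl GDC_out_graph, and needs -lgd -lm at link time.
dnl --with-gdchart and GDCHART_LIBS are hypothetical names.
AC_ARG_WITH([gdchart],
  [AS_HELP_STRING([--without-gdchart], [build without HTML graph output])],
  [], [with_gdchart=check])

have_gdchart=no
GDCHART_LIBS=
if test "x$with_gdchart" != xno; then
  dnl Require both the header and a linkable library before enabling charts.
  AC_CHECK_HEADER([gdc.h],
    [AC_CHECK_LIB([gdc], [GDC_out_graph],
       [have_gdchart=yes
        GDCHART_LIBS="-lgdc -lgd -lm"],
       [], [-lgd -lm])])
fi

if test "x$have_gdchart" = xyes; then
  dnl Code guarded by this flag replaces calls into the bundled source copy.
  AC_DEFINE([HAVE_GDCHART], [1], [Define if the system gdchart library is usable])
elif test "x$with_gdchart" = xyes; then
  dnl An explicit request that cannot be met stops the build
  dnl instead of silently dropping the feature.
  AC_MSG_ERROR([--with-gdchart was given but gdchart development files were not found])
else
  dnl Default case: build continues, the chart feature is compiled out.
  AC_MSG_WARN([gdchart development files not found, HTML graph output will be disabled])
fi
AC_SUBST([GDCHART_LIBS])
```

Turning the warning into a hard error when the option is requested explicitly addresses the case described above where a tarball user overlooks the warning and loses the feature without noticing.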
In fact, just in order to evaluate this change, a patch is 98 percent ready.
- 2008-07-10 Jan-Oliver Wagner <firstname.lastname@example.org>:
Added voting result.
- 2008-06-30 Jan-Oliver Wagner <email@example.com>: