English | Deutsch
Home »

OpenVAS Change Request #58: NVT Feed CVSS consolidation

Status: Voted +6. In progress.



Consolidation of risk categorisation towards CVSS for NVT feed.


Currently the risk categorisation is redundant. risk_factor derives from CVSS and thus would not be necessary. However, dropping risk_factor is only possible once all NVTs are associated with a CVSS.

Another redundancy is the CVSS information inside description text which should be removed.


The tag "risk_factor" would be gone.

The CVSS definitions inside the description text would be gone.

Design and Implementation

For a complete CVSS information the vector string should be added for all NVTs. This can done with a another tag. The values can be automatically retrieved for all NVTs that have at least one CVE reference (the maximum CVSS determines which is used if more than CVE is referenced).

For those NVTs where a CVSS is missing (rough estimate: 6500 NVTs), first the description text can be searched for a usable CVSS. Next, for those that do send only log messages the CVSS can be set to 0. More NVT types for easy migration might be identified. The remaining NVTs need to be reviewed manually.

Note that it has been discussed to automatically assign CVSS, but the idea was dropped because it would produce hard-to-interpret CVSS values: The CVSS could be automatically set via the respective risk factor of the NVTs. For each risk factor class the highest CVSS could be applied (for "Critical" always 10.0, for "High" always 8.0, for "Medium" 5.0, for "Low" 2.0 and for "None" 0.0).

The removal of CVSS values and vectors strings from the description could be done mostly automatically. The temporal CVSS will be dropped during this phase as these do not add a benefit. Over time the CVSS are adjusted with CVE updates anyway.

The risk_factor removal should be fully automatable.