OpenVAS Change Request #58: NVT Feed CVSS consolidation
Status: Voted +6. In progress.
Consolidation of risk categorisation towards CVSS for NVT feed.
Currently the risk categorisation is redundant: risk_factor derives from CVSS and thus would not be necessary. However, dropping risk_factor is only possible once all NVTs are associated with a CVSS.
Another redundancy is the CVSS information inside the description text, which should be removed.
The tag "risk_factor" would be gone.
The CVSS definitions inside the description text would be gone.
Design and Implementation
For complete CVSS information, the vector string should be added for all NVTs. This can be done with another tag. The values can be automatically retrieved for all NVTs that have at least one CVE reference (the maximum CVSS determines which is used if more than one CVE is referenced).
For those NVTs where a CVSS is missing (rough estimate: 6500 NVTs), first the description text can be searched for a usable CVSS. Next, for those that only send log messages, the CVSS can be set to 0. More NVT types for easy migration might be identified. The remaining NVTs need to be reviewed manually.
Note that it has been discussed to automatically assign CVSS, but the idea was dropped because it would produce hard-to-interpret CVSS values: The CVSS could be automatically set via the respective risk factor of the NVTs. For each risk factor class the highest CVSS could be applied (for "Critical" always 10.0, for "High" always 8.0, for "Medium" 5.0, for "Low" 2.0 and for "None" 0.0).
The removal of CVSS values and vector strings from the description could be done mostly automatically. The temporal CVSS will be dropped during this phase as these do not add a benefit. Over time the CVSS are adjusted with CVE updates anyway.
The risk_factor removal should be fully automatable.
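The following sketch is an added example, not code from OpenVAS or the NVT feed. It computes the CVSS v2 base score from a base vector using the equation and weights of the CVSS v2 specification, picks the maximum-scoring vector when several CVEs are referenced, and derives a risk factor. The function names and the risk bands (built from the per-class maximum values listed above) are assumptions.

```python
# Added example, not OpenVAS code. Weights and equation: CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
# Assumption: each class ends at the maximum CVSS this page lists for it.
RISK_BANDS = [(0.0, "None"), (2.0, "Low"), (5.0, "Medium"),
              (8.0, "High"), (10.0, "Critical")]


def parse_vector(vector):
    """Map each base metric to its weight; reject incomplete or malformed input."""
    fields = [item.split(":") for item in vector.strip().split("/")]
    if any(len(f) != 2 for f in fields) or \
            sorted(f[0] for f in fields) != sorted(WEIGHTS):
        raise ValueError(f"not a complete CVSS v2 base vector: {vector!r}")
    try:
        return {metric: WEIGHTS[metric][value] for metric, value in fields}
    except KeyError:
        raise ValueError(f"unknown metric value in {vector!r}") from None


def base_score(vector):
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    if impact == 0:          # f(Impact) = 0, so the whole score is 0
        return 0.0
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * 1.176, 1)


def risk_factor(score):
    for upper, label in RISK_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score out of range: {score}")


def pick_vector(cve_vectors):
    """Several CVE references: the vector with the maximum score is used."""
    return max(cve_vectors, key=base_score)


if __name__ == "__main__":
    # Constructed sample: vectors of two CVEs referenced by one NVT.
    chosen = pick_vector(["AV:N/AC:M/Au:N/C:N/I:P/A:N", "AV:N/AC:L/Au:N/C:P/I:P/A:P"])
    print(chosen, base_score(chosen), risk_factor(base_score(chosen)))
```

A vector that fails parse_vector is a candidate for the manual review pass rather than for a default score.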
- 2013-03-19 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>:
All of the NVTs are now provided with a CVSS base vector. In fact, the cvss_base value is therefore also redundant and can be removed together with the risk_factor tag. It is safe to remove the tags once OpenVAS-5 is retired, because OpenVAS-6 computes cvss value and risk_factor from cvss_base_vector when needed.
- 2011-12-14 Henri Doreau <henri.doreau at greenbone dot net>:
- 2011-12-06 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>:
Slightly Updated (automatic CVSS assignment) according to discussions at openvas-devel.
- 2011-12-01 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>:
Slightly Updated (automatic CVSS assignment, dropping of temporal CVSS, estimate of number of NVTs to work on).
- 2011-10-29 Jan-Oliver Wagner <jan-oliver.wagner at greenbone dot net>: