OpenVAS Change Request #41: Adoption of CVSS Standard

Status: Voted +4. Done.

Purpose

To adopt CVSS as explicit vulnerability severity scoring system so that the CVSS scores can be automatically processed internally for reporting and statistics.

References

CVSS Standard

Rationale

CVSS (Common Vulnerability Scoring System) provides universal open and standardized method for rating vulnerabilities. Currently, CVSS is used by some of the NVT Developers to define the severity category. However, most NVTs are developed based on a CVE and any CVE is associated with a CVSS. Current practice of the NVT developers is to add the CVSS score as part of the general NVT description text. Obviously, the CVSS in the text cannot be processed in automatic ways.

To allow for automatic processing of CVSS, these data need to be formally represented. A standard way to do so would be to use the script_tag() function like it is used for other NVT attributes already.

Based on script_tag(), the CVSS scoring would be related to NVTs and since scan results have a relation to the NVTs, statistics and other algorithmic processes can be implemented for the analysis of reports.

It is of course not possible to have all NVT's associated with a CVSS score and thus CVSS-based statistics need to keep this in mind. Also some NVTs combine more than one CVE and it will be unclear in such cases which CVSS to apply.

Effects

• All the existing NVT's that are using CVSS Scoring in the description text will instead use the script_tag() function inside the if(description) section of the NVT. Hence the CVSS score will not appear as part of the report text in the Client but instead it'll be listed as one of the NVT's attribute like script_cve_id and others. For clients that do not show tags this means the user won't easily see the CVSS values anymore.

Design and Implementation

The implementation needs to incorporate the following changes:

• Update all NVT's that are currently using CVSS score to use, script_tag("cvss_base", x.y) and script_tag("cvss_temporal", x.y) format, where x and y are score indicators from 0 and upto 10. Also remove the CVSS Score that is currently embedded in the description.
• Update all NVT's that refer to CVE through script_cve_id() to also include CVSS score through script_tag("cvss_base", x.y) and script_tag("cvss_temporal", x.y).
• Update the compendium describing the procedure to add CVSS scores in NVT's.

History

• 2010-07-24 Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>:
  Updated status to Done.
• 2010-02-24 Chandrashekhar B <bchandra@secpod.com>:
  Minor doc changes.
• 2010-02-24 Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>:
  Refined Rationale and Effects. Fixed Status.
• 2010-02-04 Chandrashekhar B <bchandra@secpod.com>:
  Initial Text.