OpenVAS Change Request #41: Adoption of CVSS Standard

Status: Voted +4. Done.


To adopt CVSS as the explicit vulnerability severity scoring system, so that CVSS scores can be processed automatically (internally) for reporting and statistics.


CVSS Standard


CVSS (Common Vulnerability Scoring System) provides a universal, open and standardized method for rating vulnerabilities. Currently, CVSS is used by some of the NVT developers to define the severity category. Most NVTs, however, are developed based on a CVE, and a CVSS score is published for nearly every CVE (via the NVD). The current practice of NVT developers is to add the CVSS score as part of the general NVT description text. A score embedded in free text obviously cannot be processed automatically.

To allow automatic processing of CVSS, these data need to be represented formally. The standard way to do so would be the script_tag() function, as it is already used for other NVT attributes.

With script_tag(), the CVSS score is attached to the NVT, and since every scan result refers to the NVT that produced it, statistics and other algorithmic processing can be implemented for the analysis of reports.

It is of course not possible to associate every NVT with a CVSS score, so CVSS-based statistics need to account for unscored NVTs. Also, some NVTs combine more than one CVE, and in such cases it is unclear which CVSS score to apply.
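The following is an added example (not OpenVAS code, and not part of this change request) of the processing chain the three preceding paragraphs describe: reading CVSS data out of script_tag() calls in NVT source, checking the tagged score against its vector, and computing report statistics that cope with unscored NVTs. The tag names cvss_base and cvss_base_vector, the NVT snippets and the scan report are all assumptions constructed for the example; the score arithmetic is the CVSS v2 base equation and NVD's v2 severity bands, which are standard.

```python
import re
from decimal import Decimal, ROUND_HALF_UP
from statistics import mean

# CVSS v2 base-metric weights as given in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality/Integrity/Availability impact


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a base vector like 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    parts = [p.split(":", 1) for p in vector.split("/")]
    if any(len(p) != 2 for p in parts):
        raise ValueError("malformed CVSS v2 vector: %r" % vector)
    m = dict(parts)
    if set(m) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("incomplete CVSS v2 base vector: %r" % vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # round_to_1_decimal() from the spec; Decimal avoids binary-float surprises at .x5
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Matches script_tag(name:"...", value:"...") calls in NASL source text.
TAG_RE = re.compile(r'script_tag\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')


def parse_script_tags(nasl_source):
    """Collect name -> value for every script_tag() call in an NVT's source."""
    return dict(TAG_RE.findall(nasl_source))


def nvt_cvss(nasl_source):
    """Return (score, vector) for an NVT, or (None, None) if it carries no CVSS tags.

    Tag names cvss_base / cvss_base_vector are an assumption of this example.
    Raises ValueError when the tagged score disagrees with the tagged vector, so an
    inconsistent NVT is caught during feed checks instead of skewing statistics."""
    tags = parse_script_tags(nasl_source)
    vector = tags.get("cvss_base_vector")
    if vector is None:
        return None, None
    computed = cvss2_base_score(vector)
    if "cvss_base" in tags and float(tags["cvss_base"]) != computed:
        raise ValueError("cvss_base %s does not match vector %s (computes to %.1f)"
                         % (tags["cvss_base"], vector, computed))
    return computed, vector


def find_inconsistent(nvts):
    """Return the ids of all NVTs whose cvss_base tag contradicts their vector."""
    bad = []
    for nvt_id, src in nvts.items():
        try:
            nvt_cvss(src)
        except ValueError:
            bad.append(nvt_id)
    return bad


def severity_band(score):
    """NVD's qualitative bands for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def report_statistics(results, nvts):
    """results: ids of the NVTs that produced findings in one scan report.
    NVTs without a CVSS score are counted as 'unscored' and left out of the numbers."""
    scored, unscored = [], 0
    bands = {"Low": 0, "Medium": 0, "High": 0}
    for nvt_id in results:
        score, _vector = nvt_cvss(nvts[nvt_id])
        if score is None:
            unscored += 1
            continue
        scored.append(score)
        bands[severity_band(score)] += 1
    return {"findings": len(results), "scored": len(scored), "unscored": unscored,
            "max": max(scored) if scored else None,
            "mean": round(mean(scored), 1) if scored else None,
            "bands": bands}


# Constructed NVT sources for the example (not real feed content).
NVTS = {
    "nvt_remote_rce": 'script_tag(name:"cvss_base", value:"10.0");\n'
                      'script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");\n',
    "nvt_info_leak": 'script_tag(name:"cvss_base", value:"5.0");\n'
                     'script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");\n',
    "nvt_banner_only": 'script_tag(name:"summary", value:"Reports the service banner.");\n',
    "nvt_bad_tag": 'script_tag(name:"cvss_base", value:"4.3");\n'
                   'script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");\n',
}

# Constructed scan report: one finding per entry, referencing the NVT that produced it.
REPORT = ["nvt_remote_rce", "nvt_info_leak", "nvt_info_leak", "nvt_banner_only"]

if __name__ == "__main__":
    print("inconsistent NVTs:", find_inconsistent(NVTS))
    print(report_statistics(REPORT, NVTS))
```

The consistency check in nvt_cvss() is the part a feed maintainer would actually want: once the score is machine-readable, a tag typed by hand can be verified against its vector before it reaches any statistics. How a multi-CVE NVT should be scored is left open here, as in the text above; a common choice is to tag the highest of the candidate scores, but that is a policy decision, not something the scoring equation settles.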


Design and Implementation

The implementation needs to incorporate the following changes: