OpenVAS Change Request #42: Adoption of Risk Factor standard for NVT's

Status: Voted +4. Done.

Purpose

To indicate Risk Factor in a standard way in NVT's through script_tag() instead of embedding inside the description. Thus making it possible to run statistics and other analysis for reports based on this type of scoring.

References

Rationale

Currently Risk Factor is being set in some of the NVT's as part of the description text to indicate the severity of the vulnerability. There's no standard format being followed by NVT developers. And since the risk factor is hidden in the text, it can not be processed automatically.

The general goal is to to indicate Risk Factor in a standard way, through script_tag() function like other attributes of NVT.

Effects

• All the existing NVT's that are using Risk Factor in the description text will be moved to script_tag() function inside if(description) section of NVT. Hence the Risk Factor will not appear as part of the report text in the Client but instead it'll be listed as one of the NVT's attribute like script_cve_id and others. For clients that do not show tags this means the user won't easily see the CVSS values anymore.

Design and Implementation

The implementation needs to incorporate the following changes:

• Update all NVT's that are currently using Risk Factor to use, script_tag("risk_factor", SEVERITY) format, where SEVERITY indicates the likelihood of the vulnerability being exploited. Also remove the Risk Factor that is currently embedded in the description.

  The SEVERITY of a NVT (not to be mixed up with the severity a NVT can issue) can be one of the following,

    - None: The NVT is only gathering information about the target
      system and not reporting any vulnerability. Or it arranges things
      inernally such as setting special KB entries. This is was
      previously was called "Informational". CVSS equivalent is 0.0.
    - Low: The chances of the vulnerability being exploited is very low. In
      other words, CVSS Base score from 0.1 to 2.0.
    - Medium: The chances of the vulnerability being exploited is moderate.
      In other words, CVSS Base score from 2.1 to 5.0.
    - High: The chances of the vulnerability being exploited is high. In
      other words, CVSS Base score from 5.1 to 8.0.
    - Critical: CVSS Base score from 8.1 to 10.0.
  

• Update the compendium describing the procedure to add Risk Factor in NVT's.

History

• 2011-11-01 Michael Wiegand <michael.wiegand@greenbone.net>:
  Make CVSS ranges match current usage and unambiguous.
• 2011-08-03 Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>:
  Clarified ranges with "<" symbol.
• 2010-07-24 Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>:
  Updated status to Done.
• 2010-02-24 Jan-Oliver Wagner <jan-oliver.wagner@greenbone.net>:
  Refined Rationale and Effects. Renamed risk class "Informational" to "None". Fixed Status.
• 2010-02-04 Chandrashekhar B <bchandra@secpod.com>:
  Initial Text.