OpenVAS
mailing list archives
Re: NVT Description
From: "Jan-Oliver Wagner" <Jan-Oliver.Wagner () greenbone net>
Date: Fri, 25 Jan 2013 11:20:39 +0100
List-id: OpenVAS plugins <openvas-plugins.wald.intevation.org>
On Friday, 25 January 2013, Sebastien Aucouturier wrote:
OVERVIEW (MANDATORY)
DESCRIPTION (MANDATORY)
What would be the difference between these two?
Or in other words: How would you specify content
for these?
as example : 12planet_chat_server_xss.nasl
now :
desc = "
Synopsis :
The remote host contains a CGI which is vulnerable to a cross-site scripting issue.
Description :
The remote host is using 12Planet Chat Server.
There is a bug in this software which makes it vulnerable to cross site scripting attacks.
An attacker may use this bug to steal the credentials of the legitimate users of this site.
Solution :
Upgrade to the newest version of this software";
script_description(desc);
can become :
script_summary("Checks for the presence of an XSS bug in 12Planet Chat Server.");
OK, so summary remains as before.
script_overview("The remote host contains a CGI which is vulnerable to a cross-site scripting issue.");
This nasl function does not exist.
So you actually mean
script_tag(name: "overview", value: "The remote host contains a CGI which is vulnerable to a cross-site scripting issue.");
?
What would be the difference between "overview" and "summary".
I fear that too many similar terms will confuse NVT developers and lead
to either inconsistent use or copy-over behaviour (same content for both).
If we are unable to specify a clear advice for what to write into
the fields, this indicates we need to simplify ;-)
script_desc("The remote host is using 12Planet Chat Server. There is
a bug in this software which makes it vulnerable to cross site scripting
attacks. An attacker may use this bug to steal the credentials of the
legitimate users of this site.");
script_tag(name:"solution", value:"Upgrade to the newest version of this software");
OK.
But this brings me to a very important idea on how we could manage the
transition where we stay compatible with old NVTs and still only
maintain one feed (one file per NVT):
How about (following the example above):
script_tag(name:"description", value:"The remote host is using 12Planet Chat Server. There is
a bug in this software which makes it vulnerable to cross site scripting
attacks. An attacker may use this bug to steal the credentials of the
legitimate users of this site.");
and leave the script_desc() content untouched?
In other words: We create sensible tags out of the current script_desc() content,
including a "description" and add them as tags while keeping the script_desc() as is.
This would create redundancy in terms of Meta-data.
It would _not_ create redundancy in code, because we can do some clever
variables and use them in two ways, once for the new tags and once (concatenated)
for the traditional script_desc().
At the time, OpenVAS-6 is retired, we can drop the script_desc() entirely.
What do you think?
idea is also to remove extra blank line between 'chapter' and let
reporting tools cut line as their own.
do you agree ?
Yes, that was one driving idea: ensure, there are no overlong words anymore
in the returned results. Therefore be sure word wrapping of paragraphs will work.
Extra blank lines to separate paragraphs are not bad, I would like
to keep this option open for the author.
Best
Jan
--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins () wald intevation org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
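The transition proposed in the message above (tags derived from the current script_desc() text, with the traditional text rebuilt from the same values) can be sketched as a small migration helper. This is an added example, not code from the thread or from OpenVAS: the function names are hypothetical, the sample text is constructed from the quoted 12Planet description, and using the lower-cased section headings as tag names is an assumption.

```python
import re

# Constructed sample: the legacy description quoted in the thread, hard wraps included.
LEGACY_DESC = """
Synopsis :
The remote host contains a CGI which is vulnerable to a cross-site
scripting
issue.
Description :
The remote host is using 12Planet Chat Server.
There is a bug in this software which makes it vulnerable to cross site
scripting attacks.
An attacker may use this bug to steal the credentials of the legitimate
users
of this site.
Solution :
Upgrade to the newest version of this software"""

# A section heading is a line such as "Synopsis :" or "Solution :".
HEADING = re.compile(r"^\s*([A-Z][A-Za-z ]*?)\s*:\s*$")

def split_legacy_desc(desc):
    """Split the sections into {name: text}; hard wraps are re-flowed,
    blank lines inside a section survive as paragraph breaks."""
    sections, current = {}, None
    for line in desc.splitlines():
        m = HEADING.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    tags = {}
    for name, lines in sections.items():
        paragraphs = re.split(r"\n\s*\n", "\n".join(lines).strip())
        tags[name] = "\n\n".join(" ".join(p.split()) for p in paragraphs)
    return tags

def nasl_tag_calls(tags):
    """Render one script_tag() call per section (NASL double-quoted strings
    have no escapes, so embedded double quotes become single quotes)."""
    return ['script_tag(name:"%s", value:"%s");' % (k, v.replace('"', "'"))
            for k, v in tags.items()]

def legacy_text(tags):
    """Rebuild the concatenated text for the traditional description field."""
    return "\n\n".join("%s :\n%s" % (k.capitalize(), v) for k, v in tags.items())

def longest_word(tags):
    """Longest token length, to flag overlong words that defeat wrapping."""
    return max(len(w) for v in tags.values() for w in v.split())
```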