OpenVAS
mailing list archives
Re: NVT Description
From: Sebastien Aucouturier <s.aucouturier () itrust fr>
Date: Fri, 25 Jan 2013 13:16:38 +0100
List-id: OpenVAS plugins <openvas-plugins.wald.intevation.org>
What would be the difference between "overview" and "summary"?
I fear that too many similar terms will confuse NVT developers and lead
to either inconsistent use or copy-over behaviour (same content for
both).
If we are unable to specify a clear advice for what to write into
the fields, this indicates we need to simplify ;-)
I agree, 'things that can't be described must be simplified'.
After checking a few plugins, to my mind,
summary describes what the plugin will do:
script_summary("Checks for the presence of an XSS bug in 12Planet Chat
Server");
Overview tells the facts when a vulnerability is detected:
script_tag(name:"overview", value:"The remote host contains a CGI which
is vulnerable to a cross-site scripting issue.");
The description gives details about the vulnerability:
script_tag(name:"description", value:"The remote host is using 12Planet
Chat Server. There is a bug in this software which makes it vulnerable
to cross site scripting attacks. An attacker may use this bug to steal
the credentials of the legitimate users of this site.");
But this brings me to a very important idea on how we could manage the
transition where we stay compatible with old NVTs and still only
maintain one feed (one file per NVT):
How about (following the example above):
script_tag(name:"description", value:"The remote host is using 12Planet
Chat Server. There is a bug in this software which makes it vulnerable
to cross site scripting attacks. An attacker may use this bug to steal
the credentials of the legitimate users of this site.");
and leave the script_desc() content untouched?
In other words: We create sensible tags out of the current
script_desc() content,
including a "description" and add them as tags while keeping the
script_desc() as is.
ok, agreed.
This would create redundancy in terms of Meta-data.
It would _not_ create redundancy in code, because we can do some clever
variables and use them in two ways, once for the new tags and once
(concatenated) for the traditional script_desc().
At the time OpenVAS-6 is retired, we can drop the script_desc()
entirely.
What do you think?
No problem with that, I am in.
The idea is also to remove extra blank lines between 'chapters' and let
reporting tools cut lines on their own.
Do you agree?
Yes, that was one driving idea: ensure there are no overlong words
anymore in the returned results. Therefore be sure word wrapping of
paragraphs will work.
Extra blank lines to separate paragraphs are not bad, I would like
to keep this option open for the author.
OK, we can keep blank lines but be strict on their consecutive number,
like not more than 2 consecutive blank lines in tags.
--
"Le saviez-vous ? la technologie d'ITrust va sécuriser le cloud
français"
| Sébastien AUCOUTURIER | Responsable R&D
| ITrust | 55 L'Occitane 31670 LABEGE
| Email: s.aucouturier () itrust fr
| Fixe Sdt. 05.67.34.67.80
| IT Security Services & SaaS Editor
_______________________________________________
Openvas-plugins mailing list
Openvas-plugins () wald intevation org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
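
The conventions discussed in this message (no more than 2 consecutive blank lines in a tag, no overlong words that defeat word wrapping, no copy-over of the same text into two fields) can be checked mechanically. The following is an added example, not part of the original post and not OpenVAS project code; the 60-character word limit, the function names, the "summary" tag name and the sample NVT text are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAX_BLANK_LINES = 2  # limit proposed in the thread
MAX_WORD_LEN = 60    # assumed threshold for an "overlong" word

# script_tag(name:"...", value:"..."); double-quoted values may span lines.
TAG_RE = re.compile(
    r'script_tag\s*\(\s*name\s*:\s*"([^"]*)"\s*,'
    r'\s*value\s*:\s*"([^"]*)"\s*\)', re.S)

def parse_tags(nasl_source):
    """Return (name, value) pairs for every script_tag() call found."""
    return TAG_RE.findall(nasl_source)

def max_blank_run(text):
    """Length of the longest run of consecutive blank lines in text."""
    longest = run = 0
    for line in text.split("\n"):
        run = run + 1 if not line.strip() else 0
        longest = max(longest, run)
    return longest

def lint_tags(nasl_source):
    """Return (tag, finding) pairs for violations of the conventions."""
    findings, seen = [], defaultdict(list)
    for name, value in parse_tags(nasl_source):
        if max_blank_run(value) > MAX_BLANK_LINES:
            findings.append((name, "too-many-blank-lines"))
        if any(len(word) > MAX_WORD_LEN for word in value.split()):
            findings.append((name, "overlong-word"))
        # Compare tags ignoring case and line wrapping to spot copy-over.
        seen[" ".join(value.split()).lower()].append(name)
    for names in seen.values():
        if len(names) > 1:
            findings.append(("/".join(names), "duplicate-content"))
    return findings

# Constructed sample NVT fragment (not taken from a real plugin).
SAMPLE = '''
script_tag(name:"overview", value:"The remote host contains a CGI which
is vulnerable to a cross-site scripting issue.");
script_tag(name:"summary", value:"The remote host contains a CGI which is
vulnerable to a cross-site scripting issue.");
script_tag(name:"description", value:"The remote host is using 12Planet
Chat Server.



Details: LONGWORD");
'''.replace("LONGWORD", "x" * 70)

if __name__ == "__main__":
    for tag, finding in lint_tags(SAMPLE):
        print(f"{tag}: {finding}")
```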