We have a tool we use every so often that goes through and reconciles CVSS scores to bring them in line with changes that may have been made to the official CVSS scores.

I'll arrange to run this today against the plugins and see what shakes out. It's been a while since we last ran this.

Thomas

On 09/08/12 05:32 PM, Jan-Oliver Wagner wrote:
> Hello Sebastien,
>
> On Thursday 09 August 2012 16:44:49 Sebastien Aucouturier wrote:
>> we have developed a small tool that, from each openvas nasl plugin,
>> extracts the CVE and CVSS.
>> Using the CVE we query the NVD database to compute an official max
>> CVSS, and we compare it with the CVSS extracted from the plugin.
>>
>> This gives the following list of mistakes, attached as a file.
>> In the file: local score is the CVSS read from the plugin, the highest
>> official score is the one we get from nvd.
>> I think the result helps to fix plugins where scores are missing, and points out
>> the ones with faulty ones
>> (but their writers can tell us more if they don't agree).
>>
>> At the end, do you want us to correct it and send it to the
>> repository?
>
> I am trying to understand the issues first.
>
> I simply took the first NVT in your list:
>
> deb_1554_1.nasl:
> local score: 5.0, highest official score: 4.3
>
> The NASL script shows 4.3 and the only referenced CVE is
> ID CVE-2008-1474
> Published 2008-03-24T18:44:00.000-04:00
> Last modified 2012-05-31T00:00:00.000-04:00
> Last updated 2012-07-06T06:01:00.000+0000
>
> that shows:
>
> Base score 4.3
> Access vector NETWORK
> Access Complexity MEDIUM
> Authentication NONE
> Confidentiality impact NONE
> Integrity impact PARTIAL
> Availability impact NONE
> Source http://nvd.nist.gov
> Generated 2008-03-25T12:44:00.000-04:00
>
> So, at least for the first one it _looks_ right
> in the NVT. Am I missing something?
>
> Best
>
> Jan

_______________________________________________
Openvas-plugins mailing list
[email protected]
http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
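The comparison discussed in this thread (plugin CVSS against the highest NVD base score of the referenced CVEs), as an added example that is not code from the original messages or from either poster's tool. It assumes plugins declare metadata with `script_cve_id(...)` and `script_tag(name:"cvss_base", ...)`, and it reads NVD scores from an inline constructed table instead of querying NVD; `parse_plugin`, `reconcile` and the `example_*.nasl` names are hypothetical.

```python
import re
from decimal import Decimal

# Assumed NASL metadata calls: script_cve_id("CVE-...", ...) and
# script_tag(name:"cvss_base", value:"N.N").
CVE_CALL = re.compile(r'script_cve_id\s*\((.*?)\)', re.S)
CVE_ID = re.compile(r'CVE-\d{4}-\d{4,}')
CVSS_TAG = re.compile(
    r'script_tag\s*\(\s*name\s*:\s*"cvss_base"\s*,\s*value\s*:\s*"(\d+(?:\.\d+)?)"')

def parse_plugin(text):
    """Return (cve_ids, local_score); local_score is None when no tag is set."""
    code = re.sub(r'(?m)^\s*#.*$', '', text)  # ignore commented-out lines
    cves = [c for call in CVE_CALL.finditer(code)
            for c in CVE_ID.findall(call.group(1))]
    tag = CVSS_TAG.search(code)
    return cves, (Decimal(tag.group(1)) if tag else None)

def reconcile(name, text, nvd_scores):
    """Compare a plugin's score with the highest NVD base score of its CVEs."""
    cves, local = parse_plugin(text)
    known = [nvd_scores[c] for c in cves if c in nvd_scores]
    official = max(known) if known else None
    if official is None:
        status = "no-official-score"
    elif local is None:
        status = "missing-local-score"
    else:
        status = "ok" if local == official else "mismatch"
    return {"plugin": name, "local": local, "official": official,
            "status": status,
            "unknown_cves": [c for c in cves if c not in nvd_scores]}

# Constructed inputs. Only CVE-2008-1474 / 4.3 comes from the thread; the
# CVE-0000-* ids and their scores are placeholders.
NVD_SCORES = {"CVE-2008-1474": Decimal("4.3"),
              "CVE-0000-0001": Decimal("5.0"), "CVE-0000-0002": Decimal("7.5")}
PLUGINS = {
    "deb_1554_1.nasl": 'script_cve_id("CVE-2008-1474");\n'
                       'script_tag(name:"cvss_base", value:"4.3");\n',
    "example_stale.nasl": '# script_tag(name:"cvss_base", value:"7.5");\n'
                          'script_cve_id("CVE-0000-0001", "CVE-0000-0002");\n'
                          'script_tag(name:"cvss_base", value:"5.0");\n',
    "example_unscored.nasl": 'script_cve_id("CVE-0000-0002", "CVE-0000-0003");\n',
}

if __name__ == "__main__":
    for name, text in PLUGINS.items():
        print(reconcile(name, text, NVD_SCORES))
```

Scores are compared as `Decimal` values so that `4.3` and `4.30` count as equal, and CVEs absent from the score table are reported separately instead of being treated as a mismatch.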
