On Freitag, 25. Januar 2013, Sebastien Aucouturier wrote:
> >> OVERVIEW (MANDATORY)
> >> DESCRIPTION (MANDATORY)
> >
> > What would be the difference between these two?
> > Or in other words: How would you specify content
> > for these?
>
>
> as example : 12planet_chat_server_xss.nasl
>
> now :
>
> desc = "
> Synopsis :
>
> The remote host contains a CGI which is vulnerable to a cross-site
> scripting
> issue.
>
> Description :
>
> The remote host is using 12Planet Chat Server.
>
> There is a bug in this software which makes it vulnerable to cross site
> scripting attacks.
>
> An attacker may use this bug to steal the credentials of the legitimate
> users
> of this site.
>
> Solution :
>
> Upgrade to the newest version of this software";
>
> script_description(desc);
>
>
> can become :
>
> script_summary("Checks for the presence of an XSS bug in 12Planet
> Chat Server.");
OK, so summary remains as before.
> script_overview("The remote host contains a CGI which is vulnerable
> to a cross-site scripting issue.");
This nasl function does not exist.
So you actually mean
script_tag(name: "overview", value: "The remote host contains a CGI which is
vulnerable
to a cross-site scripting issue.");
?
What would be the difference between "overview" and "summary".
I fear that too many similar term will confuse NVT developers and lead
to either inconsistent use or copy-over behaviour (same content for both).
If we are unable to specify a clear advice for what to write into
the fields, this indicates we need to simplify ;-)
> script_desc("The remote host is using 12Planet Chat Server. There is
> a bug in this software which makes it vulnerable to cross site scripting
> attacks. An attacker may use this bug to steal the credentials of the
> legitimate users of this site.");
> script_tag(name:"solution", value:"Upgrade to the newest version of
> this software");
OK.
But this brings me to a very important idea on how we could manage the
transition where we stay compatible with old NVTs and still only
maintain one feed (one file per NVT):
How about (following the example above):
script_tag(name:"description", value:"The remote host is using 12Planet Chat
Server. There is
a bug in this software which makes it vulnerable to cross site scripting
attacks. An attacker may use this bug to steal the credentials of the
legitimate users of this site.");
and leave the script_desc() content untouched?
In other words: We create sensible tags out of the current script_desc()
content,
including a "descripion" and add them as tags while keeping the script_desc()
as is.
This would create redundancy in terms of Meta-data.
It would _not_ create redundancy in code, because we can do some clever
variables and use the in two ways, once for the new tags and once (concatenated)
for the traditional script_desc().
At the time, OpenVAS-6 is retired, we can drop the script_desc() entirely.
What do you think?
> idea is also to remove extra blank line between 'chapter' and let
> reporting tools cut line as their own.
> do you agree ?
Yes, that was one driving idea: ensure, there are no overlong words anymore
in the returned results. Therfore be sure word wrapping of paragraphs will work.
Extra blank lines to separate paragraphs are not bad, I would like
to keep this option open for the author.
Best
Jan
--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B
202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-plugins mailing list
[email protected]
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins
