OpenVAS Change Request #18: OpenVAS-Client: Improve Handling of False-Positives
Status: Voted +3. Done. Functionality described here superseded by "severity override" features, released with openvas-client 2.0.3.
Purpose
To improve usability and usefulness of the OpenVAS client with support for management of false-positives and of individual priorities.
References
Rationale
The current implementation does not handle false-positives at all. After a full scan of a target host, the user is presented with a report that contains server-defined priorities for each vulnerability. If there are false-positives (e.g. anonymous FTP or CIFS directories may exist intentionally rather than accidentally), the user needs to reconsider each such finding in the report manually. This unnecessarily costs the user maintenance time for each generated report.
It would be helpful if the user were given a way to alter the priority of certain scripts locally on a per-host basis. Ultimately this would offer the user a means to treat certain test results as false-positives and to downgrade (or even upgrade) the priority of other tests within the OpenVAS client.
Effects
The results overview in the OpenVAS-Client and also its reports would be extended by additional information about applied individual priority overrides. The client GUI would offer a way to alter priorities in the form of a filter action, e.g. a series of target-host/NVT-OID/[port]=[+-]priority rules.
This feature affects the OpenVAS client only. No library or server needs to be modified.
Design and Implementation
- Modified priorities for checks are stored in the scope configuration file. This requires support for integer values in nessus/preferences.c.
- Alter the internal handling of priorities in test results on a per-test and per-target basis. This needs to be done in nessus/parser.c. This will cause some code to be moved into a function to be generally available.
- Support false positives in all output variants of reports and in input routines. This refers to nessus/*output*.c and nessus/backend.c.
- Adjust the OpenVAS client so that it will display false-positives properly in the summary and in the report. This requires modification of nessus/prefs_dialog/prefs_scope_tree.c.
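The target-host/NVT-OID/[port]=[+-]priority rules sketched under Effects can be illustrated with a short parser and matcher. This is an added example, not code from OpenVAS-Client: the integer scale (0 = false positive up to 3), the reading of a signed value as a relative shift and an unsigned value as absolute, and the names parse_rule and apply_overrides are all assumptions, and the host and NVT OIDs are constructed placeholders.

```python
import re
from typing import NamedTuple, Optional

MIN_PRIO, MAX_PRIO = 0, 3  # assumed scale: 0 = false positive ... 3 = highest

# host/NVT-OID/[port]=[+-]priority ; port and sign are optional
RULE_RE = re.compile(r"^(?P<host>[^/\s=]+)/(?P<oid>\d+(?:\.\d+)+)"
                     r"(?:/(?P<port>\d*))?=(?P<sign>[+-]?)(?P<value>\d+)$")

class Rule(NamedTuple):
    host: str
    oid: str
    port: Optional[int]  # None: rule applies to every port of the host
    sign: str            # "+"/"-" = relative shift, "" = absolute (assumed)
    value: int

def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed override rule: {text!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 0 < port < 65536:
        raise ValueError(f"port out of range in rule: {text!r}")
    return Rule(m["host"], m["oid"], port, m["sign"], int(m["value"]))

def apply_overrides(finding: dict, rules: list) -> dict:
    """Return a copy with 'priority' overridden; the server value is kept
    in 'server_priority' so a report can show that an override was applied."""
    out = dict(finding, server_priority=finding["priority"], overridden=False)
    for r in rules:
        if (r.host, r.oid) != (finding["host"], finding["oid"]):
            continue
        if r.port is not None and r.port != finding["port"]:
            continue
        delta = {"+": r.value, "-": -r.value}.get(r.sign)
        prio = r.value if delta is None else out["priority"] + delta
        out["priority"] = max(MIN_PRIO, min(MAX_PRIO, prio))
        out["overridden"] = True
    return out

# Constructed sample data: documentation-range host, placeholder NVT OIDs.
RULES = [parse_rule("192.0.2.10/1.3.6.1.4.1.25623.1.0.99999/21=0"),
         parse_rule("192.0.2.10/1.3.6.1.4.1.25623.1.0.99998=-1")]
FINDINGS = [
    {"host": "192.0.2.10", "oid": "1.3.6.1.4.1.25623.1.0.99999", "port": 21, "priority": 2},
    {"host": "192.0.2.10", "oid": "1.3.6.1.4.1.25623.1.0.99998", "port": 445, "priority": 3},
]
if __name__ == "__main__":
    for f in FINDINGS:
        print(apply_overrides(f, RULES))
```

Keeping the server-defined value next to the overridden one means a finding marked as a false positive stays visible and auditable in the report instead of silently disappearing.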
History
- 2010-01-06 Felix Wolfsteller <felix.wolfsteller@intevation.de>:
Updated status as done.
- 2008-11-13 Joey Schulze <joey@infodrom.org>:
Initial text.
- 2008-11-16 Jan-Oliver Wagner <jan-oliver.wagner@intevation.de>:
Rephrased and refined purpose, rationale and effects. Added the need of a data format.
- 2008-11-26 Joey Schulze <joey@infodrom.org>:
Adjust the need for a data format to the use of the regular config file for a scope. Added the need to support all report generators. Added file references to tasks.
