Exit_notvuln reporting vulnerabilities which were found

When an NVT was performed but was not found on the host, EXIT_NOTVULN is reported in the XML report, together with the OID for the specific host.

This indicates that the NVT/OID is not present on this host. However, I have reports where an NVT/OID is reported both as EXIT_NOTVULN and as a found vulnerability. But this raises a question: was the NVT found or not?

I’m guessing in this example the vulnerability was tested for 2 ports where it was found on 1 port but not on the other.

Does anyone else have this issue? Could someone shine a light on how it should work?

GVM versions

gvmd: 21.4.5
openvas-scanner: 21.4.4
gvm-libs: 21.4.4

Environment

Operating system: Debian Bullseye
Installation method / source: Compiled from Github/source

Okay, I tried to trace this issue back to its root cause.

“EXIT_NOTVULN” is thrown by the function “nasl_do_exit” (openvas-scanner/nasl_misc_funcs.c at main · greenbone/openvas-scanner · GitHub).

“nasl_do_exit” is mapped to number “99” in the “exit” function in .nasl scripts. (openvas-scanner/nasl_init.c at main · greenbone/openvas-scanner · GitHub)

If you look at the last line of .nasl scripts, you’ll often see “exit(99)”, calling the “nasl_do_exit” function with “EXIT_NOTVULN”.

You’ll see the following line in nasl_misc_funcs.c:

if (retcode == NASL_EXIT_NOTVULN)
    simple_register_host_detail (lexic, "EXIT_CODE", "EXIT_NOTVULN");

Basically the function doesn’t register the port for the .nasl script which was not vulnerable. Because of this behaviour, a vulnerability could exist on port 80 but not on port 443. The vulnerability will be reported both as vulnerable and as not vulnerable since we don’t know which port was not vulnerable.

@cfi @bricks do you think we could add the port to the simple_register_host_detail call, or would we need to rewrite every single .nasl?

@DeeAnn thank you for moving the topic to the right category. Do you know who has the knowledge to research this question with me?
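
An added example, not part of the original posts and not Greenbone code: since EXIT_NOTVULN is stored per host and OID without a port, as described above, this flags every host/OID pair that shows up both as a result and as EXIT_NOTVULN. The report layout used here (`result` elements, host `detail` entries with the OID in `source/name`), the sample data and the OIDs are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout and OIDs are assumptions, not from a real scan.
SAMPLE_REPORT = """<report>
 <results>
  <result><host>192.0.2.10</host><port>80/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.999001"/></result>
  <result><host>192.0.2.10</host><port>22/tcp</port><nvt oid="1.3.6.1.4.1.25623.1.0.999002"/></result>
 </results>
 <host><ip>192.0.2.10</ip>
  <detail><name>EXIT_CODE</name><value>EXIT_NOTVULN</value>
   <source><type>nvt</type><name>1.3.6.1.4.1.25623.1.0.999001</name></source></detail>
  <detail><name>EXIT_CODE</name><value>EXIT_NOTVULN</value>
   <source><type>nvt</type><name>1.3.6.1.4.1.25623.1.0.999003</name></source></detail>
 </host>
</report>"""


def classify(report_xml):
    """Map (host, oid) -> (status, ports that carry a result for that OID)."""
    root = ET.fromstring(report_xml)
    found = {}
    for res in root.iter("result"):
        host = (res.findtext("host") or "").strip()
        nvt = res.find("nvt")
        if host and nvt is not None and nvt.get("oid"):
            port = (res.findtext("port") or "").strip()
            found.setdefault((host, nvt.get("oid")), set()).add(port)
    notvuln = set()
    for host_el in root.iter("host"):
        ip = (host_el.findtext("ip") or "").strip()
        if not ip:  # a <host> inside a <result> has no <ip> child
            continue
        for det in host_el.iter("detail"):
            if det.findtext("name") == "EXIT_CODE" and det.findtext("value") == "EXIT_NOTVULN":
                oid = (det.findtext("source/name") or "").strip()
                if oid:
                    notvuln.add((ip, oid))
    status = {}
    for key in set(found) | notvuln:
        if key in found and key in notvuln:
            label = "ambiguous"  # EXIT_NOTVULN carries no port, so it cannot be matched
        else:
            label = "vulnerable" if key in found else "not_vulnerable"
        status[key] = (label, sorted(found.get(key, ())))
    return status


if __name__ == "__main__":
    print(classify(SAMPLE_REPORT))
```

Every result is counted as a finding here, regardless of severity; the "ambiguous" pairs are the ones where the report alone cannot say which port exited as not vulnerable.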

Hi @PBSH,

It does look like a weird situation. Best I can tell, it ends up as something like “Schrödinger’s Vulnerability” 🙂

I’ll bring it up internally to see if someone can take a look.

Hi @DeeAnn, thank you! I was wondering if someone internally had the chance to take a look already. 🙂

I’ve created a workaround, so this is no longer necessary.

Thank you anyway!