Hello, I am curious if anyone here knows anything about the scoring that is done in the “Result Overview” section of the PDF reports that are generated. Our company is currently working on SOC-II certification and I am trying to complete a Risk Assessment table and noticed that OpenVAS already generates a table for you with a scoring. I would just like more clarification as to how the scoring is done and how the point system works. That way I can accommodate my policy more accordingly.
Operating system: Kali Linux 2020.4
Kernel: Linux Kali 5.7.0-Kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux
Installation method / source:
The PDF report is generated from the LaTeX report. Internally most report formats are based on XSLT to transform an XML-based report to something else. The sources of these report formats are included in the gvmd tarball or can be found in the corresponding git repository. The code of the Result Overview XSLT can be found here: https://github.com/greenbone/gvmd/blob/v9.0.1/src/report_formats/LaTeX/latex.xsl#L737
Awesome! Thank you so much for that! My next question is… is there a way of seeing my report in LaTeX before it’s generated to PDF? Possible path location?
I hate to be a pain, but… I’m still having trouble understanding how this scoring works. I was able to download and copy the report.xml and the report-start.xml while generating a PDF. Perhaps I’m blind and I cannot see what I am looking for in the report.xml.
I have a host that has a 0 score of High, a 7 as Medium and a 1 as low.
The services (ports) are 443/TCP, 80/TCP, general/tcp.
443/TCP has a threat level of Medium
80/tcp has a threat level of Medium
general/tcp has a threat level of Low.
Where do those 7 points of Medium come from? Where does the 1 point of low come from?
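Added example, not part of the thread and not gvmd's own code: a small Python tally over a report.xml, for comparing against the Result Overview numbers. It assumes the overview counts individual results per host rather than ports, and that each result carries host, port and threat elements; the sample report, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample, not real scanner output. The element names
# (result, host, port, threat) are assumed to match your report.xml.
_ROWS = ([("443/tcp", "Medium")] * 4 + [("80/tcp", "Medium")] * 3
         + [("general/tcp", "Low")])
SAMPLE_REPORT = "<report><results>" + "".join(
    f"<result><host>192.0.2.10</host><port>{p}</port>"
    f"<threat>{t}</threat></result>" for p, t in _ROWS
) + "</results></report>"

RANK = {"Log": 0, "Low": 1, "Medium": 2, "High": 3}


def tally(report_xml):
    """Count results per host and per (host, port), keyed by threat level."""
    root = ET.fromstring(report_xml)
    by_host = defaultdict(Counter)
    by_port = defaultdict(Counter)
    for result in root.iter("result"):
        host = (result.findtext("host") or "").strip()
        port = (result.findtext("port") or "").strip()
        threat = (result.findtext("threat") or "").strip()
        if not host or not threat:
            continue  # skip incomplete entries instead of miscounting them
        by_host[host][threat] += 1
        by_port[(host, port)][threat] += 1
    return by_host, by_port


def worst_per_port(by_port, host):
    """Highest threat level seen on each port of one host."""
    return {
        port: max(counts, key=lambda t: RANK.get(t, -1))
        for (h, port), counts in by_port.items() if h == host
    }


if __name__ == "__main__":
    hosts, ports = tally(SAMPLE_REPORT)
    for host, counts in hosts.items():
        print(host, {lvl: counts[lvl] for lvl in ("High", "Medium", "Low")})
        print(worst_per_port(ports, host))
```

Under that assumption, two ports rated Medium can still add up to 7 Medium results, because each port holds several individual findings.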