Report - Results Overview

Hello, I am curious if anyone here knows anything about the scoring that is done in the “Result Overview” section of the PDF reports that are generated. Our company is currently working on SOC-II certification and I am trying to complete a Risk Assessment table and noticed that OpenVas already generates a table for you with a scoring. I would just like more clarification as to how the scoring is done and how the point system works. That way I can accommodate my policy more accordingly.

Thank you

GVM versions

gsad: 9.0.1
gvmd: 9.0.1
openvas-scanner: 7.0.1
gvm-libs: 11.0.1

Environment

Operating system: Kali Linux 2020.4
Kernel: Linux Kali 5.7.0-Kali1-amd64 #1 SMP Debian 5.7.6-1kali2 (2020-07-01) x86_64 GNU/Linux
Installation method / source:

The PDF report is generated from the LaTeX report. Internally most report formats are based on XSLT to transform an XML based report to something else. The sources of these report formats are included in the gvmd tarball or can be found in the corresponding git repository. The code of the Result Overview XSLT can be found here https://github.com/greenbone/gvmd/blob/v9.0.1/src/report_formats/LaTeX/latex.xsl#L737

3 Likes

Awesome! Thank you so much for that! My next question is… is there a way of seeing my report in LaTeX before it’s generated to PDF? Possible path location?

The current report formats are just scripts (called generate) that get a path to the report xml as first argument. Take a look at the PDF report format for more details https://github.com/greenbone/gvmd/blob/v9.0.1/src/report_formats/PDF/generate

1 Like

I hate to be a pain, but… I’m still having trouble understanding how this scoring works. I was able to download and copy the report.xml and the report-start.xml while generating a PDF. Perhaps I’m blind and I cannot see what I am looking for in the report.xml.

I have a host that has a 0 score of High, a 7 as Medium and a 1 as Low.
The services (ports) are 443/TCP, 80/TCP, general/tcp
443/TCP has a threat level of Medium
80/tcp has a threat level of Medium
general/tcp has a threat level of Low.

Where do those 7 points of Medium come from? Where does the 1 point of low come from?

Thank you

Scoring is CVSS 2.0, just read the standard … You can configure the limits for low, medium and high depending from the CVSS value.

1 Like
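To make the two answers concrete (the Result Overview is an XSLT over the report XML, and the Low/Medium/High classes are thresholds applied to each result's CVSS score), here is an added example that is not part of the thread and not Greenbone's code. It reads a constructed report fragment shaped like a gvmd report.xml (assumption: only the `host`, `port` and `severity` children of each `result` are used; real reports carry many more elements), classifies each result with the default NVD-style limits (assumption: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-10.0, Log 0.0), tallies one point per result for the host, and reports the highest class seen on each port. The sample is built so that four Medium results on 443/tcp, three on 80/tcp and one Low on general/tcp reproduce the "0 High / 7 Medium / 1 Low" host from the question.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape of a gvmd report.xml (assumption: a real
# report has many more elements per <result>; only <host>, <port> and
# <severity>, the CVSS base score, are read here).
SAMPLE_REPORT = """<report>
  <results>
    <result><host>192.0.2.10</host><port>443/tcp</port><severity>5.0</severity></result>
    <result><host>192.0.2.10</host><port>443/tcp</port><severity>4.3</severity></result>
    <result><host>192.0.2.10</host><port>443/tcp</port><severity>5.8</severity></result>
    <result><host>192.0.2.10</host><port>443/tcp</port><severity>6.4</severity></result>
    <result><host>192.0.2.10</host><port>80/tcp</port><severity>5.0</severity></result>
    <result><host>192.0.2.10</host><port>80/tcp</port><severity>4.3</severity></result>
    <result><host>192.0.2.10</host><port>80/tcp</port><severity>5.0</severity></result>
    <result><host>192.0.2.10</host><port>general/tcp</port><severity>2.6</severity></result>
    <result><host>192.0.2.10</host><port>general/tcp</port><severity>0.0</severity></result>
  </results>
</report>"""

# Ordering used to pick the highest class seen on a port.
RANK = {"Log": 0, "Low": 1, "Medium": 2, "High": 3}


def severity_class(score, medium_min=4.0, high_min=7.0):
    """Map a CVSS base score to a severity class.

    Defaults are the NVD-style limits (assumption): Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-10.0, Log for 0.0.  Pass your own limits to
    mirror a customised severity class setting.
    """
    if score >= high_min:
        return "High"
    if score >= medium_min:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Log"


def result_overview(xml_text, medium_min=4.0, high_min=7.0):
    """Return (counts_per_host, threat_per_port).

    counts_per_host: {host: {"High": n, "Medium": n, "Low": n}}, one point
    per result; Log results are not counted.
    threat_per_port: {host: {port: highest class among that port's results}}.
    """
    root = ET.fromstring(xml_text)
    counts = defaultdict(lambda: {"High": 0, "Medium": 0, "Low": 0})
    ports = defaultdict(dict)
    for result in root.iter("result"):
        host = (result.findtext("host") or "").strip()
        port = (result.findtext("port") or "").strip()
        try:
            score = float(result.findtext("severity") or "0")
        except ValueError:
            continue  # skip a malformed severity rather than mis-count it
        cls = severity_class(score, medium_min, high_min)
        if cls != "Log":
            counts[host][cls] += 1
        # A port's threat level is the highest class of any result on it.
        if port not in ports[host] or RANK[cls] > RANK[ports[host][port]]:
            ports[host][port] = cls
    return dict(counts), {h: dict(p) for h, p in ports.items()}


if __name__ == "__main__":
    counts, ports = result_overview(SAMPLE_REPORT)
    for host, tally in counts.items():
        print(host, tally)
        for port, level in ports[host].items():
            print("   ", port, level)
```

Running it prints the host with `{'High': 0, 'Medium': 7, 'Low': 1}` and the three ports with their levels. The point for a risk assessment table: the per-host numbers are counts of individual findings in each class, not a weighted score, so two hosts with "7 Medium" can carry very different risk, and moving the class limits (for example `medium_min=5.0, high_min=6.0`) redistributes the same findings across the columns without changing what was found.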