When a NVT was performed but was not found on host, EXIT_NOTVULN is reported in the XML report, together with the OID for the specific host.
This indicates that the NVT/OID is not present on this host. However, I have reports where a NVT/OID is reported both as EXIT_NOTVULN and as a found vulnerability. But this raises a question: was the NVT found or not??
I’m guessing in this example the vulnerability was testes for 2 ports where it was found on 1 port but not on the other.
Does anyone else has this issue? Could someone shine a light on how it should work?
If you look at the last line of .nasl scripts, you’ll often see “exit(99)”, calling the “nasl_do_exit” function with “EXIT_NOTVULN”.
You’ll see the following line in nasl_misc_funcs.c:
if (retcode == NASL_EXIT_NOTVULN)
simple_register_host_detail (lexic, "EXIT_CODE", "EXIT_NOTVULN");
Basically the function doesn’t register the port for the .nasl script which was not vulnerable. Because of this behaviour, a vulnerability could exist on port 80 but not on port 443. The vulnerability will be reported both as vulnerable as not vulnerable since we don’t know which port was not vulnerable.
@cfi@bricks do you think we could add the port to the simple_register_host_detail call, or would we need to rewrite every single .nasl ?