I’m trying to find a way to be able to compare vulnerabilities found by this scanner automatically with others found by others but I can’t figure out what element uniquely identifies the vulnerabilities found so that if I find the same vulnerability through another scan, you have a match!
I noticed that there is a section for each result dedicated to the NVT. I initially thought that at each NVT run where a result was obtained, a CVE was specified and that I could use that CVE to identify the vulnerability found, but in the various reports I checked, CVEs are not specified in all NVTs (I usually find them in the ref section).
So I wanted to ask what information do you think I could take into consideration for each vulnerability found to make the comparisons I had in mind.
For Greenbone, vulnerability tests (NVTs) all have a unique ID - the OID or “object ID”. These OIDs can be found referenced in the description code of the .inc file and from each result in a vulnerability test, the OID can be found by clicking on the “Detection Method” section of the result’s description. There will be a link to the NVT and the OID is the last section of the URL.
However, this OID will not be the same for comparison to other scanners. Although CVE might work for you, it should be noted that each NVT could have more than one CVE referenced and also, a CVE may be referenced by multiple NVTs, so you will have to take that into account in your comparison.
Thank you very much for your reply,
I noticed the presence of the OID shortly after I asked the question, but actually I could only consider it as an identifier if the other scanners also use NVT.
I’ve been trying these days to study what elements can identify the vulnerabilities reported by the report but searching online I found little information (or maybe it’s me searching in the wrong way).
So what I did was to take all the vulnerabilities in my report and study the types of references that exist, and the ones I found are as follows:
- Url - I can ignore since it seems to me to be just additional information that does not identify
- Cve - I will consider, even combined when there are more than one for the same vulnerability
- Cisa - I noticed that it only indicates to me whether or not the associated CVE is in the Known Exploited Vulnerabilities, so by not identifying anything I can ignore this information
For the latter 3 types, I might consider them since they are IDs.
So first of all I wanted to ask if I’m thinking in the right way by ignoring some information.
The last thing I’m wondering is if there are also other types of references that can appear, so that I can take them into consideration in case they are identifying.
I use GMP version 22.04 and I use the full and fast scan and the default scanner.
CVE is the most commonly used vulnerability reference in the cybersecurity industry and IMO generally the best to effectively cross-reference NVTs in Greenbone and other forms of vulnerability tests. But again, I don’t know your purpose, so maybe something else is better such as CPE to compare vuln test by product rather than published vulnerability.
As a side note:
I guess this topic should be moved (can be done by the OP by editing the initial topic) to the Security Chat - Greenbone Community Forum as this seems to be more related to an overall concept to compare results of different products / scanners rather than something specific to VTs / NASL scripts (which this category is usually used for).
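An added example, not part of any post in this thread: matching results on (host, CVE) while handling the points raised above, namely that one NVT can reference several CVEs, one CVE can be referenced by several NVTs, and some NVTs carry no CVE at all. The XML layout (`<result>`, `<nvt oid>`, `<ref type="cve">`) is assumed to follow a GMP XML report export; the hosts, OIDs, CVE IDs and the second scanner's output are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; layout assumed to follow a GMP XML report export.
GMP_REPORT = """<report><results>
  <result><host>192.0.2.10</host><nvt oid="1.3.6.1.4.1.25623.1.0.900001"><refs>
    <ref type="cve" id="CVE-0000-0001"/><ref type="cve" id="CVE-0000-0002"/>
    <ref type="url" id="https://example.invalid/advisory"/></refs></nvt></result>
  <result><host>192.0.2.10</host><nvt oid="1.3.6.1.4.1.25623.1.0.900002"><refs>
    <ref type="cve" id="CVE-0000-0002"/>
    <ref type="cisa" id="constructed-kev-entry"/></refs></nvt></result>
  <result><host>192.0.2.11</host><nvt oid="1.3.6.1.4.1.25623.1.0.900003"><refs>
    <ref type="url" id="https://example.invalid/info"/></refs></nvt></result>
</results></report>"""

# Constructed findings of a hypothetical second scanner, already as (host, CVE).
OTHER_SCANNER = {("192.0.2.10", "CVE-0000-0002"), ("192.0.2.11", "CVE-0000-0003")}

def gmp_findings(xml_text):
    """Return ({(host, cve): {oid, ...}}, [(host, oid) of results without a CVE])."""
    by_cve, no_cve = defaultdict(set), []
    for result in ET.fromstring(xml_text).iter("result"):
        nvt = result.find("nvt")
        if nvt is None:
            continue
        # <host> may contain child elements; its leading text is the address.
        host = (result.findtext("host") or "").strip()
        oid = nvt.get("oid")
        cves = {r.get("id").upper() for r in nvt.iter("ref")
                if (r.get("type") or "").lower() == "cve" and r.get("id")}
        if not cves:
            no_cve.append((host, oid))  # cannot be matched by CVE; review by hand
        for cve in cves:  # one NVT, many CVEs: one key per CVE
            by_cve[(host, cve)].add(oid)  # one CVE, many NVTs: OIDs collapse here
    return by_cve, no_cve

def compare(xml_text, other):
    """Split findings into matched, scanner-specific and unmatchable sets."""
    by_cve, no_cve = gmp_findings(xml_text)
    ours = set(by_cve)
    return {
        "matched": {key: sorted(by_cve[key]) for key in ours & other},
        "only_gmp": sorted(ours - other),
        "only_other": sorted(other - ours),
        "no_cve": no_cve,
    }

if __name__ == "__main__":
    for bucket, items in compare(GMP_REPORT, OTHER_SCANNER).items():
        print(bucket, items)
```

Results in the `no_cve` bucket are the ones where the OID is the only stable identifier, so they can be tracked between Greenbone scans but not matched against another product.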