I found that some of the nasl scripts do not give any information about the detected version or fixed version despite the scripts check whether the version is in a vulnerable range or not.
Here is an example code:
if(version_in_range(version:exeVer, test_version:“15.0”, test_version2:“15.0.847.37”))
security_message( port: 0, data: “The target host was found to be vulnerable” );
It just prints “The target host was found to be vulnerable” to the report without version information. Some of the nasl scripts use “report_fixed_ver” function for creating a report including the version information. We can change the above code as follows:
Thanks for your interest in reporting possible feed improvements.
All newer VTs since around 2017 or 2018 have already included this version in the reporting. Older VTs are updated from time to time during feed maintenance works depending on the time / resources available.
We’re happily accepting patches for this task from the Community.
I did a patch for some of the corresponding scripts to give the version information. I modified the “security_message” functions under “version_is_less” and “version_in_range” functions as I stated in the topic.
The number of modified scripts is 1829. I checked the scripts with openvas-nasl-lint and no syntax errors found. I also ran a scan and modified scripts that found any vulnerability gave the version information to the report.
I would be happy to share the scripts. If you want me to share, how can I do it?
Huge thanks to @georgetaylor for providing / developing a tool that allowed us to update around 2000 VTs automatically to report additional info like the checked vulnerable version / version range and the installed version of the application within their report.
Those changes are already included / available in the current feeds as of today.