Post scan report severity is not updated - "Log" only

Hey guys,

I’m new here ;$

I’m using Kali GNU/Linux 5.10.0-kali9-amd64 #1 SMP Debian
version 2022.1

Greenbone: GVM-21.4.3

I would like to know if I am the only one with this problem.

When performing a new scan, and finishing this one, the data of the “report” is not shown their severity based on the feed.

With these commands:

greenbone-feed-sync --type GNMD_DATA
greenbone-feed-sync --type SCAP
greenbone-feed-sync --type CERT

I have already performed the update of the feed, but without success can someone help me?

My Feed

The scan was performed on a website with several vulnerabilities (Acunetix)

Thanks in advance! looks like a custom written PHP application / web shop for testing web application scanners (WAS) like Acunetix.

Doing web application scanning for such unknown web applications is not the scope of GVM so i would try to choose a more adequate target for your test like e.g.: Metasploitable download |

But if your GVM setup is working and the scanner was able to reach the target a few results / vulnerabilities might show up if you e.g. update the filter of your report to show results with a lower QoD value < 70% like explained here:

More info on the Quality of Detection (QoD) concept is available here:

1 Like

Hello @cfi

Thanks for the help so far!

What intrigues me the most is that it is not only on a website that this behavior occurs. I’m performing a pentest on a SaaS web platform, but the same problem occurs, the Scan takes a few minutes and ends.

Is it not able to access the website server?

I practically use to look up the direct IP.
After that, I go to OpenVas > Scan > Task > New Task > New Target I add the Ip directly there, but without changing the QoD, I just leave it at 70%

I question this behavior as it seems ineffective, because I’ve tested other scanners and the results were different, (positive for vulnerabilities)

If you can help me with this, I would be very grateful!

Thanks for the articles, I’ll check them out

Without having any knowledge on the web app(s) or other scanner(s) some notes:

  1. The web app(s) are custom ones which might require a different kind of scanner (WAS like previously described) then GVM
  2. Vulnerability test coverage for the web app(s) are only part of the enterprise feed
  3. There is no vulnerability test coverage for the web app(s) at all
  4. The results of the other scanner(s) are false positive (if they haven’t been evaluated / confirmed manually)
  5. Other environmental issues (e.g. setup issues of GVM, not up2date feed, networking issues, …)

The “log” level results of the scan in question could also give some info if / which products got detected. If there are no specific products like e.g. a Web Server detected there also won’t be much vulnerability results in the report).

1 Like

Hello @cfi

Thanks for the quick turnaround.

So maybe OpenVas wouldn’t be a suitable program for scanning web applications?

My comparison is for example with Nessus. I performed the same scan with him, and several vulnerable points were found that I was already expected to find.

About the updated feed, yes, I’m updating daily. Only point is that the GVMD_DATA is up to date, but with the message of “Too old Please check …” but when searching about it here on the forum, I saw other people with the same problem, where it’s actually not a problem, this is the latest version of himself my versions:
GVMD_DATA: 20220128T1556
CERT: 20220301T0130
SCAP: 20220304T0230
NVT: 20220302T1104

Unfortunately it is not possible to answer this question without knowing which vulnerabilities exists / have been found or which products are installed on the target(s) in question. :slightly_frowning_face:

A few rule of thumbs:

  1. If there are only few or no known products detected for the target(s) in question (e.g. in the “8” Log entries in the first screenshot) no vulnerabilities can’t be reported because for most products related detections needs to detect the product first.
  2. You can check in the SecInfo → NVTs part of your GSA web interface within the “Product detection” family if the product in question is having a detection at all which would be a prerequisite for a vulnerability reporting. A related filter for such a search in the Filter input box could be something like e.g. ~myproductname and family="Product detection"

This looks good :+1:

Note that there might be still unknown vectors (e.g. networking / environmental issues) which could prevent a detection.