[openvas-discuss] OpenVAS DevCon 1 write up

Norm Donovan Norm.Donovan at Sentrik.com
Wed Apr 5 22:07:08 CEST 2006


My understanding is that the database we discussed was to be a database of vulnerabilities used to generate and/or store plugins before they were collected into a library, not a database to store the results of scans, which I think is what you are discussing.  The ideal solution would be if OSVDB had extensions to hold plugins.  There was no discussion of results databases as people should be free to use whatever client they choose.

We need a tool to handle sets of plugins coming from various sources that overlap.  We also need to identify where we have gaps.

I would guess that if a database was ever built into Nessus, it would be part of Nessus3 not Nessus2.

I think that there was general agreement that a code management system like CVS is not optimal for handling plugins.

I believe that SecuritySpace is holding off at this time until they see how OpenVAS progresses.

If OpenVAS maintained the same naming conventions as Nessus, would not that lead to conflicts if both tools were installed on the same machine? 

Best regards,


-----Original Message-----
From: openvas-discuss-bounces at openvas.org [mailto:openvas-discuss-bounces at openvas.org] On Behalf Of Javier Fernández-Sanguino Peña
Sent: Wednesday, April 05, 2006 11:13 AM
To: Tim Brown
Cc: openvas-discuss at openvas.org
Subject: Re: [openvas-discuss] OpenVAS DevCon 1 write up

On Fri, Mar 31, 2006 at 02:33:38AM +0100, Tim Brown wrote:
> All,
> Last weekend, the developers of OpenVAS met in Germany to hack code and 
> discuss how OpenVAS was progressing.  The report from this conference is 
> now - http://www.openvas.org/doku.php?id=devcon_1_write_up - available.  

A few random comments:

- it's not GNU/Debian. The Project is called 'Debian'; the OS is called
  'Debian GNU/Linux' (or 'Debian GNU/Hurd' or 'Debian GNU/kBSD' depending on
  the kernel).

- if there are bug fixes in the code from OpenVAS (not name changes) I would
  appreciate if they were published as separate patchsets and properly
  labeled to decide if they could be submitted upstream (to Nessus bugzilla)
  and added to the Nessus packages in Debian too. 
  If there are Debian-specific bugs they should be sent to the Debian BTS.

- you mention you are based on the 2.2.5 codebase, Debian currently ships
  2.2.7 + patches so it would read that you are not tracking Debian's
  unstable packages 

- ditto for the plugins, I've made significant changes to the 2.2.7 set of
  (GPL) plugins and nobody here seems to be tracking those either.
  Those look like they have been merged in the CVS, however.

- where are all the plugins SecuritySpace wishes to publish?

- database schema: please look at the Nessus mailing list archives, and,
  explicitly at the NESSUS_SQL branch, web browseable at:
  Some people already invested time in producing a proper database schema,
  even if that did not get merged into Nessus proper.
  Alternatively, NessusWX and Inprotect have (different) database schemas.

- I'd rather have OpenVAS use libnasl (or nessus-libraries for that matter)
  than change that too just for naming reasons. That way (in Debian) there
  wouldn't be that much replicated code

- Marc Haber offered (in private) a while back (November last year) to
  produce packages for OpenVAS. Maybe it's worth contacting him to get
  OpenVAS packages in unstable as soon as there is a release.

Best regards

