# HG changeset patch # User Benoît Allard # Date 1412694508 -7200 # Node ID 249b3ad750b13a247d43ccb1a676aadb820bf415 # Parent b9704abca0c983e30d56220ff944c954f6ce07f9 Add Descriptions for the Threat fields diff -r b9704abca0c9 -r 249b3ad750b1 farol/templates/macros.j2 --- a/farol/templates/macros.j2 Tue Oct 07 16:51:53 2014 +0200 +++ b/farol/templates/macros.j2 Tue Oct 07 17:08:28 2014 +0200 @@ -156,8 +156,8 @@ {% endmacro %} -{% macro examples(list) %} -

Example{{ 's' if list | length > 1 }}:

+{% macro examples(list, title='') %} +

{{ title + ' ' if title }}Example{{ 's' if list | length > 1 }}:

{% if list | length == 1 %} {{ list[0] }} {% else %} diff -r b9704abca0c9 -r 249b3ad750b1 farol/templates/vulnerability/edit_threat.j2 --- a/farol/templates/vulnerability/edit_threat.j2 Tue Oct 07 16:51:53 2014 +0200 +++ b/farol/templates/vulnerability/edit_threat.j2 Tue Oct 07 17:08:28 2014 +0200 @@ -24,17 +24,34 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import selectinput, textinput, textarea, selectinput2 %} +{% from "macros.j2" import selectinput, textinput, textarea, selectinput2, examples %} {% block title %}Edit Threat{% endblock %} {% set active = 'vulnerability' %} {% block content %} +

Threat contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.

+ +

A Threat container can be tied to one or more specific products by referencing these products using either the Product ID or Group ID child elements. If the Threat is meant to be general or nonspecific for all products, the Product ID and Group ID child elements should be omitted.

-{{ selectinput('type', "Type", types, type) }} -{{ textinput('date', "Date", now.isoformat(), date, type="datetime") }} -{{ textarea('description', "Description", '', description, 5, required=True) }} +{% call selectinput('type', "Type", types, type) %} +

The Type of Threat is required and can be one of the following:

+
+
Impact:
Impact contains an assessment of the impact on the user or the target set if the vulnerability is successfully exploited. (A description of the Target Set Type follows.) If applicable, for consistency and simplicity, this section can be a textual summary of the three CVSS impact metrics. These metrics measure how a vulnerability detracts from the three core security properties of an information system: Confidentiality, Integrity, and Availability.
+
Exploit Status:
Exploit Status contains a description of the degree to which an exploit for the vulnerability is known. This knowledge can range from information privately held among a very small group to an issue that has been described to the public at a major conference or is being widely exploited globally. For consistency and simplicity, this section can be a mirror image of the CVSS “Exploitability” metric. However, it can also contain a more contextual status, such as “Weaponized” or “Functioning Code.”
+
Target Set:
Target Set contains a description of the currently known victim population in whatever terms are appropriate. Such terms may include: operating system platform, types of products, user segments, and geographic distribution.
+
+{% endcall %} +{% call textinput('date', "Date", now.isoformat(), date, type="datetime") %} +

The Date attribute is optional. All dateTime values in CVRF require a time, and we recommend the inclusion of a time zone as well (ICASI endorses the use of GMT or “Zulu time”). If a time zone is excluded, Zulu should be assumed.

+{% endcall %} +{% call textarea('description', "Description", '', description, 5, required=True) %} +

The Description element will contain a thorough human-readable discussion of the Threat.

+{{ examples(['complete compromise of the integrity of affected machines'], 'Impact') }} +{{ examples(['none', 'proof of concept'], 'Exploit Status') }} +{{ examples(['Financial Institutions', 'US Government Agencies', 'All versions of BIND 9.4.0 and lower'], 'Target Set') }} +{% endcall %} {{ selectinput2('products', "Products", products, productids, multiple=True) }} {% if groups %} {{ selectinput2('groups', "Groups", groups, groupids, multiple=True)}}
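Review bot: in the macros.j2 hunk, the new heading line of examples(), {{ title + ' ' if title }}, builds the prefix with + and an inline if that has no else. Jinja2's ~ operator is the one intended for string concatenation (it converts both operands to strings), and an explicit else '' makes the empty-title case readable without relying on the implicit undefined value. Suggest {{ title ~ ' ' if title else '' }}. A one-line comment above the macro saying that title is an optional prefix for the "Example(s):" label would also help callers.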
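Review bot: in the edit_threat.j2 hunk, selectinput, textinput and textarea change from {{ ... }} expressions to {% call %} blocks, which only works if each of those macros renders {{ caller() }}. The macros.j2 hunk in this changeset touches only examples(), so please confirm the three macros already do that; otherwise the new help text never reaches the page. Separately, the Date help text recommends including a time zone, while the placeholder passed to textinput is still now.isoformat(). If now is a naive datetime, the placeholder shows no zone and contradicts the advice next to it, so consider passing a UTC value with an explicit Z or offset.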