changeset 53:249b3ad750b1

Add Descriptions for the Threat fields
author Benoît Allard <benoit.allard@greenbone.net>
date Tue, 07 Oct 2014 17:08:28 +0200
parents b9704abca0c9
children 8ffd3ec96f7c
files farol/templates/macros.j2 farol/templates/vulnerability/edit_threat.j2
diffstat 2 files changed, 23 insertions(+), 6 deletions(-)
--- a/farol/templates/macros.j2	Tue Oct 07 16:51:53 2014 +0200
+++ b/farol/templates/macros.j2	Tue Oct 07 17:08:28 2014 +0200
@@ -156,8 +156,8 @@
 </div>
 {% endmacro %}
 
-{% macro examples(list) %}
-<p><strong>Example{{ 's' if list | length > 1 }}:</strong></p>
+{% macro examples(list, title='') %}
+<p><strong>{{ title + ' ' if title }}Example{{ 's' if list | length > 1 }}:</strong></p>
 {% if list | length == 1 %}
 <samp>{{ list[0] }}</samp>
 {% else %}
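Review bot: the new `{{ title + ' ' if title }}` in `examples(list, title='')` concatenates with `+`, which raises `TypeError` if a caller ever passes a non-string title; Jinja's `~` operator stringifies both operands, so `{{ title ~ ' ' if title }}` is the safer spelling. The macro also interpolates `list[0]` straight into `<samp>`, which is only escaped if autoescaping is enabled for `.j2` templates; Flask turns it on by default only for `.html`, `.htm`, `.xml` and `.xhtml`, so confirm the environment sets `autoescape` (or add `| e`) before this macro is called with anything but the literal strings used in this changeset.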
--- a/farol/templates/vulnerability/edit_threat.j2	Tue Oct 07 16:51:53 2014 +0200
+++ b/farol/templates/vulnerability/edit_threat.j2	Tue Oct 07 17:08:28 2014 +0200
@@ -24,17 +24,34 @@
 -#}
 
 {% extends "base.j2" %}
-{% from "macros.j2" import selectinput, textinput, textarea, selectinput2 %}
+{% from "macros.j2" import selectinput, textinput, textarea, selectinput2, examples %}
 {% block title %}Edit Threat{% endblock %}
 
 {% set active = 'vulnerability' %}
 
 {% block content %}
+<p><strong>Threat</strong> contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.</p>
+
+<p>A <strong>Threat</strong> container can be tied to one or more specific products by referencing these products using either the <strong>Product ID</strong> or <strong>Group ID</strong> child elements. If the <strong>Threat</strong> is meant to be general or nonspecific for all products, the <strong>Product ID</strong> and <strong>Group ID</strong> child elements should be omitted.</p>
 <form role="form" method="POST">
 
-{{ selectinput('type', "Type", types, type) }}
-{{ textinput('date', "Date", now.isoformat(), date, type="datetime") }}
-{{ textarea('description', "Description", '', description, 5, required=True) }}
+{% call selectinput('type', "Type", types, type) %}
+<p>The <em>Type</em> of <strong>Threat</strong> is required and can be one of the following:</p>
+<dl class="dl-horizontal">
+  <dt>Impact:</dt><dd>Impact contains an assessment of the impact on the user or the target set if the vulnerability is successfully exploited. (A description of the <samp>Target Set</samp> <em>Type</em> follows.) If applicable, for consistency and simplicity, this section can be a textual summary of the three CVSS impact metrics. These metrics measure how a vulnerability detracts from the three core security properties of an information system: Confidentiality, Integrity, and Availability.</dd>
+  <dt>Exploit Status:</dt><dd>Exploit Status contains a description of the degree to which an exploit for the vulnerability is known. This knowledge can range from information privately held among a very small group to an issue that has been described to the public at a major conference or is being widely exploited globally. For consistency and simplicity, this section can be a mirror image of the CVSS “Exploitability” metric. However, it can also contain a more contextual status, such as “Weaponized” or “Functioning Code.”</dd>
+  <dt>Target Set:</dt><dd>Target Set contains a description of the currently known victim population in whatever terms are appropriate. Such terms may include: operating system platform, types of products, user segments, and geographic distribution.</dd>
+</dl>
+{% endcall %}
+{% call textinput('date', "Date", now.isoformat(), date, type="datetime") %}
+<p>The <em>Date</em> attribute is optional. All dateTime values in CVRF require a time, and we recommend the inclusion of a time zone as well (ICASI endorses the use of GMT or “Zulu time”). If a time zone is excluded, Zulu should be assumed.</p>
+{% endcall %}
+{% call textarea('description', "Description", '', description, 5, required=True) %}
+<p>The <strong>Description</strong> element will contain a thorough human-readable discussion of the <strong>Threat</strong>.</p>
+{{ examples(['complete compromise of the integrity of affected machines'], 'Impact') }}
+{{ examples(['none', 'proof of concept'], 'Exploit Status') }}
+{{ examples(['Financial Institutions', 'US Government Agencies', 'All versions of BIND 9.4.0 and lower'], 'Target Set') }}
+{% endcall %}
 {{ selectinput2('products', "Products", products, productids, multiple=True) }}
 {% if groups %}
   {{ selectinput2('groups', "Groups", groups, groupids, multiple=True)}}
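Review bot: the help text added under the `date` field says a time zone should be included and that Zulu is assumed when it is absent, but the pre-filled default `now.isoformat()` only carries an offset if `now` is timezone-aware; with a naive `datetime` the form pre-fills a local wall-clock time with no suffix, which a CVRF consumer will then read as UTC. Pass a UTC-aware `now` so the default matches the text. Also `type="datetime"` is not implemented by mainstream browsers (it renders as a plain text input), so nothing enforces the format client-side; `datetime-local` is the supported control, and the value should be validated server-side either way. Finally, wrapping `selectinput`, `textinput` and `textarea` in `{% call %}` blocks only renders the descriptions if those macros in `macros.j2` invoke `caller()`; that change is not part of this diff, so please confirm it exists, otherwise the new help text is silently dropped.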

http://farol.wald.intevation.org