Mercurial > farol
changeset 53:249b3ad750b1
Add Descriptions for the Threat fields
author | Benoît Allard <benoit.allard@greenbone.net> |
---|---|
date | Tue, 07 Oct 2014 17:08:28 +0200 |
parents | b9704abca0c9 |
children | 8ffd3ec96f7c |
files | farol/templates/macros.j2 farol/templates/vulnerability/edit_threat.j2 |
diffstat | 2 files changed, 23 insertions(+), 6 deletions(-) |
--- a/farol/templates/macros.j2 Tue Oct 07 16:51:53 2014 +0200 +++ b/farol/templates/macros.j2 Tue Oct 07 17:08:28 2014 +0200 @@ -156,8 +156,8 @@ </div> {% endmacro %} -{% macro examples(list) %} -<p><strong>Example{{ 's' if list | length > 1 }}:</strong></p> +{% macro examples(list, title='') %} +<p><strong>{{ title + ' ' if title }}Example{{ 's' if list | length > 1 }}:</strong></p> {% if list | length == 1 %} <samp>{{ list[0] }}</samp> {% else %}
--- a/farol/templates/vulnerability/edit_threat.j2 Tue Oct 07 16:51:53 2014 +0200 +++ b/farol/templates/vulnerability/edit_threat.j2 Tue Oct 07 17:08:28 2014 +0200 
@@ -24,17 +24,34 @@ -#} {% extends "base.j2" %} -{% from "macros.j2" import selectinput, textinput, textarea, selectinput2 %} +{% from "macros.j2" import selectinput, textinput, textarea, selectinput2, examples %} {% block title %}Edit Threat{% endblock %} {% set active = 'vulnerability' %} {% block content %} +<p><strong>Threat</strong> contains the vulnerability kinetic information. This information can change as the vulnerability ages and new information becomes available.</p> + +<p>A <strong>Threat</strong> container can be tied to one or more specific products by referencing these products using either the <strong>Product ID</strong> or <strong>Group ID</strong> child elements. If the <strong>Threat</strong> is meant to be general or nonspecific for all products, the <strong>Product ID</strong> and <strong>Group ID</strong> child elements should be omitted.</p> <form role="form" method="POST"> -{{ selectinput('type', "Type", types, type) }} -{{ textinput('date', "Date", now.isoformat(), date, type="datetime") }} -{{ textarea('description', "Description", '', description, 5, required=True) }} +{% call selectinput('type', "Type", types, type) %} +<p>The <em>Type</em> of <strong>Threat</strong> is required and can be one of the following:</p> +<dl class="dl-horizontal"> + <dt>Impact:</dt><dd>Impact contains an assessment of the impact on the user or the target set if the vulnerability is successfully exploited. (A description of the <samp>Target Set</samp> <em>Type</em> follows.) If applicable, for consistency and simplicity, this section can be a textual summary of the three CVSS impact metrics. These metrics measure how a vulnerability detracts from the three core security properties of an information system: Confidentiality, Integrity, and Availability.</dd> + <dt>Exploit Status:</dt><dd>Exploit Status contains a description of the degree to which an exploit for the vulnerability is known. 
This knowledge can range from information privately held among a very small group to an issue that has been described to the public at a major conference or is being widely exploited globally. For consistency and simplicity, this section can be a mirror image of the CVSS “Exploitability” metric. However, it can also contain a more contextual status, such as “Weaponized” or “Functioning Code.”</dd> + <dt>Target Set:</dt><dd>Target Set contains a description of the currently known victim population in whatever terms are appropriate. Such terms may include: operating system platform, types of products, user segments, and geographic distribution.</dd> +</dl> +{% endcall %} +{% call textinput('date', "Date", now.isoformat(), date, type="datetime") %} +<p>The <em>Date</em> attribute is optional. All dateTime values in CVRF require a time, and we recommend the inclusion of a time zone as well (ICASI endorses the use of GMT or “Zulu time”). If a time zone is excluded, Zulu should be assumed.</p> +{% endcall %} +{% call textarea('description', "Description", '', description, 5, required=True) %} +<p>The <strong>Description</strong> element will contain a thorough human-readable discussion of the <strong>Threat</strong>.</p> +{{ examples(['complete compromise of the integrity of affected machines'], 'Impact') }} +{{ examples(['none', 'proof of concept'], 'Exploit Status') }} +{{ examples(['Financial Institutions', 'US Government Agencies', 'All versions of BIND 9.4.0 and lower'], 'Target Set') }} +{% endcall %} {{ selectinput2('products', "Products", products, productids, multiple=True) }} {% if groups %} {{ selectinput2('groups', "Groups", groups, groupids, multiple=True)}}
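Review bot: In the macros.j2 hunk, the new `<strong>` line of `examples` uses `{{ title + ' ' if title }}` with no `else` branch, so for the default `title=''` the expression evaluates to Jinja2's undefined value and renders empty only because the default undefined type is lenient; with `StrictUndefined` configured it would raise. Writing `{{ title ~ ' ' if title else '' }}` makes the empty case explicit, and `~` also coerces a non-string title. Separately, `title` is emitted inside markup with no explicit escape filter. The three callers added in edit_threat.j2 pass literals, so this is safe as used here, but whether autoescaping covers `.j2` templates is not visible in this changeset and is worth confirming before any caller passes user-supplied text.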
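Review bot: In the edit_threat.j2 hunk, the three fields converted from `{{ selectinput(...) }}`, `{{ textinput(...) }}` and `{{ textarea(...) }}` to `{% call %}` blocks only render their help text if those macros output `{{ caller() }}`, and the macros.j2 hunk in this changeset touches only `examples`. Please confirm that caller support landed in an earlier changeset, and that the same macros still render wherever else they are invoked without a call block. Also, the new Date help text recommends including a time zone, while the placeholder passed to `textinput` is `now.isoformat()`, which carries an offset only if `now` is timezone-aware. That is not visible here, so the suggested value may contradict the guidance shown next to it.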