OpenFISMA

Ben, what is the status of this item? This is a top priority.

The technical specification of this task should be finished by the end of tomorrow.

Test cases need one more day to complete.

Ben, this needs to be completed and reviewed and graded by December 18, which means we need you to finish your implementation by December 10. Will you be able to meet that deadline?

T.S finished although,the core pseudo-code needs to be elaborated much more based on suggestion from Jackson after the internal review. Anyway I will try my best to meet deadline.

Done, please review and give me response if you have any question about it.

I am re-assigning this to Josh for review and implementation.

TS is rejeceted. Feedback:

1) isValidAsset() and isValidFinding() are not appropriate. A scanner injection plugin does not need to validate assets and findings. That should be handled somewhere else.

2) There are no line numbers. It is impossible to comment on pseudo code without line numbers.

3) The _persist method should just be persisting objects. It should not be searching the XML document. That should be done in parse() or a helper function.

4) The worst part: the test cases. The ideas are okay, but I don't like the format. It is too much overhead. This is why it takes 3 weeks to write a 2 page document! Make less work for yourself, and write each test case as a sentence or two, like, "Plugin returns user error if the file select is blank," and, "Plugin returns error if the XML document is not well-formed". This will take you a lot less time to write, and it is still just as meaningful.

5) Please write the documentation in MultiMarkdown format. Follow the example of the existing App Detective plug-in.

6) Don't write pseudocode unless you really need it to explain a difficult algorithm. In 99% of cases, I don't want to see pseudocode (or real code either) in a TS.

7) Graphics are very valuable. I am interested in design, and not implementation. If you draw a flow chart which shows how the new classes will interact, that is 1000 times more useful than pseudocode.

8) The most interesting part of the plugin is how you transform data from the Nessus format into the OpenFISMA format. Your document doesn't even mention it. Please take a look at the AppDetective plugin documentation as an example.

Functional and technical specifications here:

http://documentation.openfisma.org/trunk/Components/Findings/Injection_Plugins/Nessus.html

Nessus RNG Schema

Failing this. Forgot to add in new fields to findings for CVSS/etc.

I'm failing it again, looks like you are working on it. Also, I have some feedback:

• Line breaks in the description are not being handled correctly. See two screenshots. i think this is due to the bug in the text2html method that we discussed during code review.

• There is a see_also tag that seems like it would be useful included in the finding.recommendation field. What do you think? (I would include it as a <ul> of links)

• CVSS vectors are stored with a prefix like "CVSS2#" – is that a standard? I don't think it is. We should parse out that prefix.

• The findings that are created don't appear to be keyword indexed. If I upload a file of Nessus scans and then search for a word that I know is in there, the search comes up with no results.

All issues noted above fixed. I have no issue with indexing, works fine for me. Check your permissions.

Yep, I had the wrong file permissions on some of my index files. Everything looks good.