Re: [Ivil-discussion] Some ideas for updating the schema
Intermediate Vulnerability Information Language is an XML schema fo
Status: Beta
Brought to you by:
frank_breedijk
From: Frank B. <FBr...@sc...> - 2011-06-09 11:38:05
Dave,

Sorry to get back to you this late. I'm afraid there isn't a big community yet, but we'll get there. See my comments inline.

> Anyway, looking at the schema it looks easy to use and read, though I think that there's some room for improvement.

I'm open for your suggestions.

> Name. I'd suggest that we pronounce it "evil", just for kicks and giggles - it matches the English rules of pronunciation and sounds better than "ivil"!

Yes, we should pronounce it as "evil", especially as we can make the funny reference "insert ivil here..."

> Addressee - I'd suggest "recipient" as an alternative name to match sender (though it really makes no difference).

For compatibility we could allow both, you are probably right that it is correct.

> <programSpecificData> is a bit wordy for an XML tag, mostly these tend to be simple and object orientated. As this should use the source we need to define it so that the tags don't need expanding, so, something like:
>
> <ivil version="0.90">
>   <recipient>
>     <program>Dradis</program>
>     <options>
>       <option name="address">127.0.0.1:8045</option>
>       <option name="user">fred</option>
>       <option name="password">shelia</option>
>     </options>
>   </recipient>
>
> (I'm not happy with <options> either - but it's all I could think of at the moment).

What about:

<program name='dradis'>
  <options>
    <option name='name' value='value'/>
  </options>
</program>

> Sender
> Similar comments to <addressee>; we could do with removing the underscore in scannertype (as most XML schemas tend to use a dash (-) instead). We should also move the type of timestamp to ISO8601. An attribute should also be used to specify what type of timestamp it is (start/end etc):

I'll have a look, but good comment.

> Findings
> Per host and per finding won't cover several cases, for example web based assessment on a vhost or a specific sub-site. I'd suggest changing the <hosts> schema to <targets>.

Host is indeed a target, so maybe it should be the case.

> I'd also like to see an evidence section (as I always try to include evidence in my reports).

Evidence is good, but it is not often produced by tools.

> For severity, we should allow the option of CVSS severity as a separate type.

For severity I did specifically stick to HMLN. I don't mind including CVSS (which ivil does) but not using it as the primary source and not all tools have CVSS tags. Most tools have some sort of HMLN rating in one form or the other (except Nikto ;)

> References shouldn't have locked tags for each reference, to allow future expansion, so I'd suggest having something like <reference type="osvdb"> and have a known list of valid references.

Valid point

> The above are all suggestions which may or may not be good.

And highly appreciated!