Assets & Security Information (SecInfo)
Two related reference areas of the Greenbone Enterprise Appliance. First, the asset management that stores hosts, operating systems, and TLS certificates collected during vulnerability scans. Second, the SecInfo management that centralizes security information: Vulnerability Tests (VT), the SCAP standards CVE, CPE, and CVSS, and the CERT-Bund and DFN-CERT advisories.
Based on the Greenbone Enterprise Appliance manual (GOS 22.04 / OPENVAS SCAN 22.04), chapters 13โ14, verified June 2026. The asset and SecInfo databases work the same way in the free Community Edition; the available content depends on the feed in use.
1. Managing Assetsโ
Assets include hosts, operating systems, and TLS certificates. They are collected during vulnerability scans (manual ch. 13). When creating a task, you can specify whether the host details collected during a scan are stored in the asset database; with the default task settings, the details are stored.
Hostsโ
During a scan, information about each scanned host is collected. Hosts are identified by their IP addresses. For each identified host, the appliance checks whether it already exists in the host assets; if not, a new host asset is created (ยง13.1).
Both when scanning a newly created host and when scanning an existing host, several host details are added to the host asset as identifiers: host names, IP and MAC addresses, operating systems, SSH keys, and X.509 certificates.
If vhost scanning is enabled โ which it is by default โ each vhost is added as its own asset entry. Because of the nature of vhosts, an IP address identifier may appear multiple times; such assets must then be distinguished by their other host identifiers.
Creating a hostโ
Hosts can also be added manually to the asset management, so that targets can be created from them. Except for the IP address, no other details about the host can be defined; further details are added when the manually added host is scanned (ยง13.1.1).
- Select Assets > Hosts in the menu bar.
- Create a new host using the control in the upper left corner of the page.
- Enter the IP address of the host in the input box Name.
- Click Save.
This feature is also available via GMP. Importing hosts from a configuration management database can be achieved using this option.
Managing hostsโ
All existing hosts are displayed by selecting Assets > Hosts in the menu bar. For each host, the following actions are available (ยง13.1.2): delete the host, edit the host, create a new target from the host, and export the host as an XML file. Using the controls below the list, more than one host can be deleted, exported, or used to create a new target at a time; the drop-down list selects which hosts the action applies to.
On the details page of a host (opened by clicking its name), the following registers are available:
- Information โ General information about the host. Identifying information collected during scans (host names, IP and MAC addresses, operating systems, SSH keys, X.509 certificates) appears in the section All Identifiers. If identifiers have duplicates, only the latest are shown and the section is named Latest Identifiers; all identifiers can be displayed with Show all Identifiers. For each identifier, the delete action is available.
- User Tags โ Assigned tags.
- Permissions โ Assigned permissions.
The details page also offers actions to open the corresponding manual chapter, show the list of all hosts, create a new host, edit, delete, export the host, and show the corresponding results.
Creating a target from hostsโ
A target with a set of hosts can be created as follows (ยง13.1.3):
- Filter the hosts so that only the hosts that should be used for the target (for example, only Microsoft Windows hosts) are displayed.
- Create a new target using the control below the list of hosts. The target creation window opens with the input box Hosts prefilled with the set of displayed hosts.
- Define the target and click Save.
If additional suitable hosts show up in further scans, they are not added to the target automatically.
Operating Systemsโ
The operating systems view provides a different view on the stored data. While the hosts view is centered on individual hosts, this view focuses on the operating systems detected during all vulnerability scans (ยง13.2).
For a reliable operating system identification, VTs specific to the operating systems in question must be available in the Greenbone Enterprise Feed. If no specific VTs are available, the appliance still tries to identify the operating systems, but the identification has a lower quality of detection and is prone to false-positive detections.
All operating systems are displayed by selecting Assets > Operating Systems in the menu bar. The list shows:
| Column | Meaning |
|---|---|
| Name | CPE of the operating system. |
| Title | Plain name of the operating system. |
| Severity โ Latest | Severity detected during the last scan that found this OS on a host (only hosts where the OS was the best match). |
| Severity โ Highest | Highest severity detected during all scans that found this OS on a host (best-match hosts only). |
| Severity โ Average | Average severity detected during all scans that found this OS on a host (best-match hosts only). |
| Hosts โ All | All hosts where the OS was detected. |
| Hosts โ Best OS | Hosts where the OS was detected as the best match. |
| Modified | Date and time of last modification. |
For each operating system, the available actions are delete (only operating systems not currently in use can be deleted) and export as an XML file. The details page provides the Information, User Tags, and Permissions registers, plus actions to show the hosts for which the OS was detected and the hosts for which the OS is the best match.
TLS Certificatesโ
This view focuses on the TLS certificates collected during all vulnerability scans and gives a quick overview of whether they are valid or expired (ยง13.3).
Only basic certificate information is included: host, port, activation and expiry dates, and fingerprints. There is no support for the Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) functionalities.
All existing TLS certificates are displayed by selecting Assets > TLS Certificates in the menu bar. For each certificate, the available actions are delete, download, and export as an XML file. The details page provides the Information, User Tags, and Permissions registers and the same set of actions.
2. SecInfo Overviewโ
The SecInfo management provides centralized access to a wide range of IT security information (manual ch. 14), in the following categories:
- Vulnerability Tests (VT) โ Test the target system for potential vulnerabilities.
- Common Vulnerabilities and Exposures (CVE) โ Vulnerabilities published by vendors and security researchers.
- Common Platform Enumeration (CPE) โ Standardized names for products used in IT.
- CERT-Bund Advisories โ Published by the CERT-Bund, the Computer Emergency Response Team of the German Federal Office for Information Security (BSI).
- DFN-CERT Advisories โ Published by the DFN-CERT, the Computer Emergency Response Team of the German National Research and Education Network (DFN).
CVEs and CPEs are published and made accessible by the National Institute of Standards and Technology (NIST) as part of the National Vulnerability Database (NVD).
Greenbone also offers all SecInfo data online via the SecInfo portal, which provides all SecInfo described below plus the CVSS calculator. Access is provided by activating a guest access.
3. Vulnerability Tests (VT)โ
VTs are test routines used by the appliance. They are part of the Greenbone Enterprise Feed, which is updated regularly. VTs include information about development date, affected systems, impact of vulnerabilities, and remediation (ยง14.1).
All existing VTs are displayed by selecting SecInfo > NVTs in the menu bar. The list shows:
- Name โ Name of the VT.
- Family โ Family of VTs the VT belongs to.
- Created / Modified โ Creation and last-modification dates and times.
- CVE โ CVE that is checked for using the VT.
- Solution Type โ The kind of solution available for the vulnerability. Possible solutions are: a vendor patch is available; a workaround is available; a mitigation by configuration is available; no fix is and will be available; or no solution exists.
- Severity โ The severity of the vulnerability (CVSS), displayed as a bar to support analysis of the results.
- QoD โ Quality of Detection, representing how reliable the detection of a vulnerability is.
With the introduction of the QoD, the Paranoid parameter in the scan configuration was removed without replacement. Previously, a scan configuration without this parameter only used VTs with a QoD of at least 70 %. Now all VTs are used and executed in a scan configuration.
On the details page of a VT, actions include opening the corresponding manual chapter, showing the list of all VTs, exporting the VT, creating a note or an override for the VT, showing the corresponding results, and showing the corresponding vulnerability.
4. SCAP (CVE, CPE, CVSS)โ
NIST provides the National Vulnerability Database (NVD), a data repository for the vulnerability management of the US government. Its goal is the standardized provision of data for automated processing, which supports vulnerability management and verifies the implementation of compliance guidelines (ยง14.2). The NVD provides several databases, including checklists, vulnerabilities, misconfigurations, products, and threat metrics.
The NVD uses the Security Content Automation Protocol (SCAP) โ a combination of interoperable standards, currently specified in version 1.3. SCAP groups its components into languages (such as XCCDF, OVAL, OCIL, Asset Identification, and ARF), collections (CCE, CPE, CVE), metrics (CVSS, CCSS), and integrity (TMSAD).
The Greenbone Enterprise Appliance uses CVE, CPE, and CVSS. Using these standards guarantees interoperability with other systems and allows results to be compared. The appliance has been validated by NIST with respect to SCAP version 1.0.
CVE (Common Vulnerabilities and Exposures)โ
To avoid multiple naming of the same vulnerability by different organizations and to ensure a uniform naming convention, MITRE founded the CVE project. Every vulnerability is assigned a unique identifier consisting of the release year and a simple number, which serves as a central reference (ยง14.2.1).
MITRE's CVE database is not a vulnerability database. Instead, it links vulnerability databases and other systems and enables the comparison of security tools and services. The CVE database does not contain detailed technical information or information about risk, impact, or remediation โ only the identification number with status, a short description, and references to reports and recommendations. The NVD refers to the CVE database and complements it with information on elimination, severity, potential impact, and affected products. Greenbone refers to the CVE database of the NVD, and the appliance combines CVE information, VTs, and CERT-Bund / DFN-CERT advisories.
All existing CVEs are displayed by selecting SecInfo > CVEs in the menu bar.
The availability of a CVE on the appliance depends on its availability in the NVD. Once published there, it takes 1โ2 working days to appear in SecInfo. The Severity column may show N/A when the CVE has been published but no vulnerability analysis / severity assessment has been carried out yet (shown as Undergoing Analysis in the related NVD entry), or because of the 1โ2 working-day delay between assessment and display.
The CVSS Base Vector column shows the CVSS vector used for calculating the severity of a CVE, including the CVSS version defined for the CVE. Clicking the vector opens the CVSSv2/CVSSv3 Base Score Calculator with the corresponding fields pre-filled, depending on which CVSS version is used. The details page provides the Information and User Tags registers and an export action.
CPE (Common Platform Enumeration)โ
The CPE is modelled after CVE. It is a structured naming scheme for applications, operating systems, and hardware devices. CPE was initiated by MITRE and is maintained by NIST as part of the NVD, and it is based on the generic syntax of the Uniform Resource Identifier (URI). Combining CPE and CVE enables the conclusion of existing vulnerabilities when a platform or product is discovered (ยง14.2.2).
CPE is composed of the following components:
- Naming โ Describes the logical structure of well-formed names (WFNs), their binding to URIs and formatted character strings, and their conversion.
- Name Matching โ Describes methods to compare WFNs with each other, allowing a test of whether some or all WFNs refer to the same product.
- Dictionary โ A repository of CPE names and metadata; every name defines a single class of an IT product. The dictionary specification describes processes such as searching for a specific name or for entries of a more general class.
- Applicability Language โ Describes the creation of complex logical expressions using WFNs, which can tag checklists, guidelines, or other documents to describe for which products they are relevant.
All existing CPEs are displayed by selecting SecInfo > CPEs in the menu bar. As with CVEs, availability depends on the NVD, with a 1โ2 working-day delay. The details page provides the Information and User Tags registers and an export action.
CVSS (Common Vulnerability Scoring System)โ
The CVSS is an industry standard for describing the severity of security risks in computer systems. Security risks are rated and compared using different criteria, allowing the creation of a priority list of countermeasures. The CVSS is developed by the CVSS Special Interest Group (CVSS-SIG) of the Forum of Incident Response and Security Teams (FIRST). The current CVSS score version is 4.0 (ยง14.2.3).
GOS 22.04 supports CVSS v3.0/v3.1; the extent of support depends on the Greenbone Enterprise Feed. VTs and CVEs may contain CVSS v2 and/or CVSS v3.0/v3.1 data:
- If a VT or CVE contains both CVSS v2 and CVSS v3.0/v3.1 data, the CVSS v3.0/v3.1 data is always used and shown.
- The CVSS Base Vector shown in the details preview and on the details page of a VT can be v2, v3.0, or v3.1.
- The CVSS Base Vector shown in the table on the CVEs page can be v2, v3.0, or v3.1. Clicking it opens the CVSSv2/CVSSv3 Base Score Calculator with the input boxes pre-filled.
The CVSS score supports three metric groups:
- Base score metrics โ Test the exploitability of a vulnerability and its impact on the target system. Access, complexity, and requirement of authentication are rated, plus whether confidentiality, integrity, or availability is threatened.
- Temporal score metrics โ Test whether completed example code exists, whether the vendor has supplied a patch, and whether the vulnerability is confirmed. The score changes drastically over time.
- Environmental score metrics โ Describe the effect of a vulnerability within an organization, taking damage, target distribution, confidentiality, integrity, and availability into account; this assessment strongly depends on the environment in which the vulnerable product is used.
Because the base score metrics are generally meaningful and can be determined permanently, the appliance provides them as part of the SecInfo data. The CVSS calculator can be opened by selecting Help > CVSS Calculator in the menu bar, which displays both the version 2.0 and the version 3.0/3.1 calculators.
CVSS v2.0 vs v3.0/3.1 base-score metricsโ
The two CVSS versions supported by the calculator use different base-score formulas and metrics. The table below compares the metrics and their constant values as documented in the manual (ยง14.2.3.1 and ยง14.2.3.2). The manual does not define severity-rating bands (such as Low / Medium / High thresholds), so none are stated here.
| Aspect | CVSS v2.0 (ยง14.2.3.1) | CVSS v3.0/3.1 (ยง14.2.3.2) |
|---|---|---|
| Exploitability inputs | Access Vector, Access Complexity, Authentication | Attack Vector, Attack Complexity, Privileges Required, User Interaction |
| Access / Attack Vector | local 0.395, adjacent 0.646, network 1.0 | network 0.85, adjacent 0.62, local 0.55, physical 0.2 |
| Access / Attack Complexity | high 0.35, medium 0.61, low 0.71 | low 0.77, high 0.44 |
| Authentication / Privileges Required | multiple 0.45, single 0.56, none 0.704 | none 0.85, low 0.62 (0.68 if Scope is Changed), high 0.27 (0.5 if Scope is Changed) |
| User Interaction | not part of v2.0 | none 0.85, required 0.62 |
| Confidentiality / Integrity / Availability impact | none 0.0, partial 0.275, complete 0.660 | none 0.0, low 0.22, high 0.56 |
| Scope concept | not present | Unchanged or Changed, affecting the impact and base-score formulas |
The v2.0 base score is calculated as:
BaseScore = roundTo1Decimal( ( ( 0.6 * Impact ) + ( 0.4 * Exploitability ) - 1.5 ) * f( Impact ) )
Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
The function f( Impact ) is 0 if the impact is 0; in all other cases its value is 1.176.
The v3.0/3.1 base score is calculated as:
If Impact <= 0, BaseScore = 0
If Scope is "Unchanged": BaseScore = Roundup( Minimum( (Impact + Exploitability), 10 ) )
If Scope is "Changed": BaseScore = Roundup( Minimum( 1.08 * (Impact + Exploitability), 10 ) )
ISS = 1 - ((1 - Confidentiality) * (1 - Integrity) * (1 - Availability))
If Scope is "Unchanged": Impact = 6.42 * ISS
If Scope is "Changed": Impact = 7.52 * (ISS - 0.029) - 3.25 * (ISS - 0.02)^15
Exploitability = 8.22 * AttackVector * AttackComplexity * PrivilegesRequired * UserInteraction
5. CERT-Bund Advisoriesโ
The CERT-Bund, the Computer Emergency Response Team of the German Federal Office for Information Security (BSI), is the central point of contact for preventive and reactive measures regarding security-related computer incidents (ยง14.3). Its work includes creating and publishing recommendations for preventive measures, pointing out vulnerabilities in hardware and software products, proposing measures to address known vulnerabilities, supporting public agencies' responses to IT security incidents, recommending mitigation measures, and working closely with the National IT Situation Centre and the National IT Crisis Response Centre.
The CERT-Bund offers a warning and information service (German: Warn- und Informationsdienst, "WID") with two types of information:
- Advisories โ Available only to federal agencies as a closed list; they describe current information about security-critical incidents and detailed remediation measures.
- Short Information โ Short descriptions of current security risks and vulnerabilities. This information is not always verified and may be incomplete or even inaccurate.
The Greenbone Enterprise Feed contains the CERT-Bund Short Information in both the old format (up to June 2022) and the new format (from June 2022). There are only very minor differences in the advisory metadata between the formats, which can be used interchangeably for all use cases:
- Old-format information follows the scheme
CB-K<YY>/<ID>, for exampleCB-K22/0704. - New-format information follows the scheme
WID-SEC-<YYYY>-<ID>, for exampleWID-SEC-2022-0311.
All existing CERT-Bund advisories are displayed by selecting SecInfo > CERT-Bund Advisories in the menu bar. The details page provides the Information and User Tags registers and an export action.
6. DFN-CERT Advisoriesโ
While individual VTs, CVEs, and CPEs are created primarily to be processed by computer systems, the DFN-CERT publishes new advisories regularly (ยง14.4). The DFN-CERT is responsible for hundreds of universities and research institutions associated with the German Research and Education Network (DFN) and also provides key security services to government and industry.
An advisory describes especially critical security risks that require fast reaction. The DFN-CERT advisory service includes the categorization, distribution, and rating of advisories issued by different software vendors and distributors. Advisories are obtained by the Greenbone Enterprise Appliance and stored in the database for reference.
All existing DFN-CERT advisories are displayed by selecting SecInfo > DFN-CERT Advisories in the menu bar. The details page provides the Information and User Tags registers and an export action.