Tenable Research Release Highlights

Anonymous
4 years ago

Releasing NASL Plugin Changelog

Summary

Tenable Research is releasing the NASL Plugin Changelog to bring more transparency to our plugin lifecycle. This new Tenable.com view is located at the changelog tab on the Nessus plugin pages on Tenable.com (e.g. https://www.tenable.com/plugins/nessus/166965/changelog). It notes changes made on a plugin level that matter most to our customers based on a variety of metrics gathered across Tenable.

Plugin changes are released on a best-effort basis and are not guaranteed with every plugin release. Below is a dictionary of change categories currently surfacing under the Plugin Changelog. Please note that the mapping is accurate as of the time of publishing and is subject to change with future iterations.

List of Change Categories

Metadata changes 

  • cve - one or more CVEs were added or removed
  • cvss metrics - one or more CVSS metrics were changed
  • cvssv2 score source - the score source for the plugin's CVSSv2 score was changed
  • cvssv3 score source - same as v2, above, but for the CVSSv3 score source
  • cvssv2 severity - the CVSSv2 severity changed
  • cvssv3 severity - the CVSSv3 severity changed
  • cvss temporal metrics - the CVSS temporal metrics changed
  • exploit attributes - the exploitability attributes changed
  • iavm reference - an IAVM XREF was added or removed
  • cisa reference - a CISA XREF was added or removed
  • stig severity - the IAVM STIG severity changed
  • plugin metadata - script_name, synopsis, description, solution, cpe, see_also, plugin date attributes, potential vulnerability

Plugin logic changes

  • logic changes - code optimization
  • detection - improved detection capability
  • plugin categorization - a plugin had an agent attribute, os_inventory, or hardware_inventory attribute added or removed
  • plugin requirements - the requirements (plugin dependencies) were changed
  • required scan configuration - a precondition for this plugin was added or removed - 'report paranoia' is an example

4 Replies

  • james_ravenscro
    Connect Contributor

    I spot-checked plugins under updated that were all updated earlier today (11/15) and saw the changelog tab, but no notes under most (which are older plugins). Are all plugins, including older ones, going to have changelogs added and will this happen organically over time with the next plugin change(s) creating the first entry in the changelog for the plugin?

    It looks like the new metadata is only available from plugin 166000 forward (https://www.tenable.com/plugins/nessus/166000/changelog). Plugin 165999 and earlier don't have entries yet, even with additional changes/releases to older plugins daily. Are these going to have metadata backported into them soon, since the main use case/issue is with older plugins that have been changed, causing them to suddenly flag?

    • zcerkovnik
      Employee

      There are no plans to reflect VPR changes in the current iteration of the NASL Plugin Changelog. Plugins may address multiple CVEs, and given VPR's dynamic nature, this would introduce a lot of noise over time. We are exploring different mechanisms for communicating VPR changes.

      If you have any thoughts on what medium or functionality would add most value to you, please use our suggestions portal - https://suggestions.tenable.com/. Any feedback is welcome!

  • oliwia_bracik
    Connect Contributor

    The news of the day! It's a great feature that will significantly help all cybersecurity engineers! And definitely, the rest of the market should follow through.