codesake-dawn 0.50 → 0.60
Sign up to get free protection for your applications and to get access to all the features.
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/Competitive_matrix.md +148 -0
- data/README.md +105 -14
- data/Rakefile +24 -17
- data/Roadmap.md +166 -9
- data/TODO.md +59 -0
- data/bin/dawn +60 -7
- data/codesake_dawn.gemspec +4 -1
- data/features/dawn_complains_about_an_incorrect_command_line.feature +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature +31 -0
- data/features/step_definition/dawn_steps.rb +13 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake/dawn/engine.rb +30 -1
- data/lib/codesake/dawn/kb/basic_check.rb +37 -1
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +2 -1
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +2 -1
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +1 -1
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +11 -4
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +11 -4
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +21 -4
- data/lib/codesake/dawn/kb/pattern_match_check.rb +1 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +50 -0
- data/lib/codesake/dawn/knowledge_base.rb +59 -8
- data/lib/codesake/dawn/version.rb +1 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +130 -0
- data/spec/lib/dawn/codesake_rails_engine_spec.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_spec.rb +4 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +39 -0
- data/spec/spec_helper.rb +1 -1
- metadata +100 -38
- data/.rvmrc +0 -48
- data/spec/lib/kb/codesake_cve_2013_1800_spec.rb +0 -66
- data/spec/lib/kb/codesake_cve_2013_1855_spec.rb +0 -16
- data/spec/lib/kb/cve_2011_2931_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2660_spec.rb +0 -9
- data/spec/lib/kb/cve_2012_2661_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2694_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_2695_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_3465_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_6496_spec.rb +0 -7
- data/spec/lib/kb/cve_2012_6497_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0155_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0269_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_0333_spec.rb +0 -7
- data/spec/lib/kb/cve_2013_1857_spec.rb +0 -13
@@ -2,6 +2,7 @@
|
|
2
2
|
require "codesake/dawn/kb/basic_check"
|
3
3
|
require "codesake/dawn/kb/pattern_match_check"
|
4
4
|
require "codesake/dawn/kb/dependency_check"
|
5
|
+
require "codesake/dawn/kb/ruby_version_check"
|
5
6
|
|
6
7
|
# Q&A related checks
|
7
8
|
require "codesake/dawn/kb/not_revised_code"
|
@@ -19,12 +20,37 @@ require "codesake/dawn/kb/cve_2012_6496"
|
|
19
20
|
require "codesake/dawn/kb/cve_2012_6497"
|
20
21
|
|
21
22
|
# CVE - 2013
|
23
|
+
require "codesake/dawn/kb/cve_2013_0155"
|
24
|
+
require "codesake/dawn/kb/cve_2013_0156"
|
25
|
+
require "codesake/dawn/kb/cve_2013_0175"
|
26
|
+
require "codesake/dawn/kb/cve_2013_0233"
|
27
|
+
require "codesake/dawn/kb/cve_2013_0269"
|
28
|
+
require "codesake/dawn/kb/cve_2013_0276"
|
29
|
+
require "codesake/dawn/kb/cve_2013_0277"
|
30
|
+
require "codesake/dawn/kb/cve_2013_0284"
|
31
|
+
require "codesake/dawn/kb/cve_2013_0285"
|
32
|
+
require "codesake/dawn/kb/cve_2013_0333"
|
33
|
+
require "codesake/dawn/kb/cve_2013_1655"
|
34
|
+
require "codesake/dawn/kb/cve_2013_1656"
|
35
|
+
require "codesake/dawn/kb/cve_2013_1800"
|
36
|
+
require "codesake/dawn/kb/cve_2013_1801"
|
37
|
+
require "codesake/dawn/kb/cve_2013_1802"
|
38
|
+
require "codesake/dawn/kb/cve_2013_1821"
|
39
|
+
require "codesake/dawn/kb/cve_2013_1854"
|
22
40
|
require "codesake/dawn/kb/cve_2013_1855"
|
41
|
+
require "codesake/dawn/kb/cve_2013_1856"
|
23
42
|
require "codesake/dawn/kb/cve_2013_1857"
|
24
|
-
require "codesake/dawn/kb/
|
25
|
-
require "codesake/dawn/kb/
|
26
|
-
require "codesake/dawn/kb/
|
27
|
-
require "codesake/dawn/kb/
|
43
|
+
require "codesake/dawn/kb/cve_2013_1875"
|
44
|
+
require "codesake/dawn/kb/cve_2013_1898"
|
45
|
+
require "codesake/dawn/kb/cve_2013_1911"
|
46
|
+
require "codesake/dawn/kb/cve_2013_1933"
|
47
|
+
require "codesake/dawn/kb/cve_2013_1947"
|
48
|
+
require "codesake/dawn/kb/cve_2013_1948"
|
49
|
+
require "codesake/dawn/kb/cve_2013_2615"
|
50
|
+
require "codesake/dawn/kb/cve_2013_2616"
|
51
|
+
require "codesake/dawn/kb/cve_2013_2617"
|
52
|
+
require "codesake/dawn/kb/cve_2013_3221"
|
53
|
+
|
28
54
|
|
29
55
|
module Codesake
|
30
56
|
module Dawn
|
@@ -33,6 +59,7 @@ module Codesake
|
|
33
59
|
|
34
60
|
DEPENDENCY_CHECK = :dependency_check
|
35
61
|
PATTERN_MATCH_CHECK = :pattern_match_check
|
62
|
+
RUBY_VERSION_CHECK = :ruby_version_check
|
36
63
|
|
37
64
|
def initialize
|
38
65
|
@security_checks = Codesake::Dawn::KnowledgeBase.load_security_checks
|
@@ -91,12 +118,36 @@ module Codesake
|
|
91
118
|
Codesake::Dawn::Kb::CVE_2012_3465.new,
|
92
119
|
Codesake::Dawn::Kb::CVE_2012_6496.new,
|
93
120
|
Codesake::Dawn::Kb::CVE_2012_6497.new,
|
94
|
-
Codesake::Dawn::Kb::
|
95
|
-
Codesake::Dawn::Kb::
|
96
|
-
Codesake::Dawn::Kb::
|
121
|
+
Codesake::Dawn::Kb::CVE_2013_0155.new,
|
122
|
+
Codesake::Dawn::Kb::CVE_2013_0156.new,
|
123
|
+
Codesake::Dawn::Kb::CVE_2013_0175.new,
|
124
|
+
Codesake::Dawn::Kb::CVE_2013_0233.new,
|
97
125
|
Codesake::Dawn::Kb::CVE_2013_0269.new,
|
126
|
+
Codesake::Dawn::Kb::CVE_2013_0276.new,
|
127
|
+
Codesake::Dawn::Kb::CVE_2013_0277.new,
|
128
|
+
Codesake::Dawn::Kb::CVE_2013_0284.new,
|
129
|
+
Codesake::Dawn::Kb::CVE_2013_0285.new,
|
130
|
+
Codesake::Dawn::Kb::CVE_2013_0333.new,
|
131
|
+
Codesake::Dawn::Kb::CVE_2013_1655.new,
|
132
|
+
Codesake::Dawn::Kb::CVE_2013_1656.new,
|
133
|
+
Codesake::Dawn::Kb::CVE_2013_1800.new,
|
134
|
+
Codesake::Dawn::Kb::CVE_2013_1801.new,
|
135
|
+
Codesake::Dawn::Kb::CVE_2013_1802.new,
|
136
|
+
Codesake::Dawn::Kb::CVE_2013_1821.new,
|
137
|
+
Codesake::Dawn::Kb::CVE_2013_1854.new,
|
138
|
+
Codesake::Dawn::Kb::CVE_2013_1855.new,
|
139
|
+
Codesake::Dawn::Kb::CVE_2013_1856.new,
|
98
140
|
Codesake::Dawn::Kb::CVE_2013_1857.new,
|
99
|
-
Codesake::Dawn::Kb::
|
141
|
+
Codesake::Dawn::Kb::CVE_2013_1875.new,
|
142
|
+
Codesake::Dawn::Kb::CVE_2013_1898.new,
|
143
|
+
Codesake::Dawn::Kb::CVE_2013_1911.new,
|
144
|
+
Codesake::Dawn::Kb::CVE_2013_1933.new,
|
145
|
+
Codesake::Dawn::Kb::CVE_2013_1947.new,
|
146
|
+
Codesake::Dawn::Kb::CVE_2013_1948.new,
|
147
|
+
Codesake::Dawn::Kb::CVE_2013_2615.new,
|
148
|
+
Codesake::Dawn::Kb::CVE_2013_2616.new,
|
149
|
+
Codesake::Dawn::Kb::CVE_2013_2617.new,
|
150
|
+
Codesake::Dawn::Kb::CVE_2013_3221.new,
|
100
151
|
]
|
101
152
|
end
|
102
153
|
end
|
@@ -96,5 +96,135 @@ describe "The Codesake Dawn knowledge base" do
|
|
96
96
|
sc.class.should == Codesake::Dawn::Kb::CVE_2012_3465
|
97
97
|
end
|
98
98
|
|
99
|
+
it "must have test for CVE_2013_1854" do
|
100
|
+
sc = kb.find("CVE-2013-1854")
|
101
|
+
sc.should_not be_nil
|
102
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1854
|
103
|
+
end
|
104
|
+
|
105
|
+
it "must have test for CVE_2013_1856" do
|
106
|
+
sc = kb.find("CVE-2013-1856")
|
107
|
+
sc.should_not be_nil
|
108
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1856
|
109
|
+
end
|
110
|
+
|
111
|
+
it "must have test for CVE_2013_0276" do
|
112
|
+
sc = kb.find("CVE-2013-0276")
|
113
|
+
sc.should_not be_nil
|
114
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0276
|
115
|
+
end
|
116
|
+
|
117
|
+
it "must have test for CVE_2013_0277" do
|
118
|
+
sc = kb.find("CVE-2013-0277")
|
119
|
+
sc.should_not be_nil
|
120
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0277
|
121
|
+
end
|
122
|
+
|
123
|
+
it "must have test for CVE_2013_0156" do
|
124
|
+
sc = kb.find("CVE-2013-0156")
|
125
|
+
sc.should_not be_nil
|
126
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0156
|
127
|
+
end
|
128
|
+
|
129
|
+
it "must have test for CVE-2013-2615" do
|
130
|
+
sc = kb.find("CVE-2013-2615")
|
131
|
+
sc.should_not be_nil
|
132
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_2615
|
133
|
+
end
|
134
|
+
|
135
|
+
it "must have test for CVE-2013-1875" do
|
136
|
+
sc = kb.find("CVE-2013-1875")
|
137
|
+
sc.should_not be_nil
|
138
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1875
|
139
|
+
end
|
140
|
+
|
141
|
+
it "must have test for CVE-2013-1655" do
|
142
|
+
sc = kb.find("CVE-2013-1655")
|
143
|
+
sc.should_not be_nil
|
144
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1655
|
145
|
+
end
|
146
|
+
it "must have test for CVE-2013-1656" do
|
147
|
+
sc = kb.find("CVE-2013-1656")
|
148
|
+
sc.should_not be_nil
|
149
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1656
|
150
|
+
end
|
151
|
+
|
152
|
+
it "must have test for CVE-2013-0175" do
|
153
|
+
sc = kb.find("CVE-2013-0175")
|
154
|
+
sc.should_not be_nil
|
155
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0175
|
156
|
+
end
|
157
|
+
it "must have test for CVE-2013-0233" do
|
158
|
+
sc = kb.find("CVE-2013-0233")
|
159
|
+
sc.should_not be_nil
|
160
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0233
|
161
|
+
end
|
162
|
+
it "must have test for CVE-2013-0284" do
|
163
|
+
sc = kb.find("CVE-2013-0284")
|
164
|
+
sc.should_not be_nil
|
165
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0284
|
166
|
+
end
|
167
|
+
it "must have test for CVE-2013-0285" do
|
168
|
+
sc = kb.find("CVE-2013-0285")
|
169
|
+
sc.should_not be_nil
|
170
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_0285
|
171
|
+
end
|
172
|
+
it "must have test for CVE-2013-1801" do
|
173
|
+
sc = kb.find("CVE-2013-1801")
|
174
|
+
sc.should_not be_nil
|
175
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1801
|
176
|
+
end
|
177
|
+
it "must have test for CVE-2013-1802" do
|
178
|
+
sc = kb.find("CVE-2013-1802")
|
179
|
+
sc.should_not be_nil
|
180
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1802
|
181
|
+
end
|
182
|
+
it "must have test for CVE-2013-1821" do
|
183
|
+
sc = kb.find("CVE-2013-1821")
|
184
|
+
sc.should_not be_nil
|
185
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1821
|
186
|
+
end
|
187
|
+
it "must have test for CVE-2013-1898" do
|
188
|
+
sc = kb.find("CVE-2013-1898")
|
189
|
+
sc.should_not be_nil
|
190
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1898
|
191
|
+
end
|
192
|
+
it "must have test for CVE-2013-1911" do
|
193
|
+
sc = kb.find("CVE-2013-1911")
|
194
|
+
sc.should_not be_nil
|
195
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1911
|
196
|
+
end
|
197
|
+
it "must have test for CVE-2013-1933" do
|
198
|
+
sc = kb.find("CVE-2013-1933")
|
199
|
+
sc.should_not be_nil
|
200
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1933
|
201
|
+
end
|
202
|
+
it "must have test for CVE-2013-1947" do
|
203
|
+
sc = kb.find("CVE-2013-1947")
|
204
|
+
sc.should_not be_nil
|
205
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1947
|
206
|
+
end
|
207
|
+
it "must have test for CVE-2013-1948" do
|
208
|
+
sc = kb.find("CVE-2013-1948")
|
209
|
+
sc.should_not be_nil
|
210
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_1948
|
211
|
+
end
|
212
|
+
it "must have test for CVE-2013-2616" do
|
213
|
+
sc = kb.find("CVE-2013-2616")
|
214
|
+
sc.should_not be_nil
|
215
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_2616
|
216
|
+
end
|
217
|
+
it "must have test for CVE-2013-2617" do
|
218
|
+
sc = kb.find("CVE-2013-2617")
|
219
|
+
sc.should_not be_nil
|
220
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_2617
|
221
|
+
end
|
222
|
+
it "must have test for CVE-2013-3221" do
|
223
|
+
sc = kb.find("CVE-2013-3221")
|
224
|
+
sc.should_not be_nil
|
225
|
+
sc.class.should == Codesake::Dawn::Kb::CVE_2013_3221
|
226
|
+
end
|
227
|
+
|
228
|
+
|
99
229
|
|
100
230
|
end
|
@@ -0,0 +1,12 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe "The Codesake::Dawn engine for rails applications" do
|
4
|
+
before(:all){@engine = Codesake::Dawn::Rails.new}
|
5
|
+
|
6
|
+
it "detects the version used in the hello_world_3.1.0 application" do
|
7
|
+
@engine.set_target("./spec/support/hello_world_3.1.0")
|
8
|
+
@engine.ruby_version[:version].should == RUBY_VERSION
|
9
|
+
@engine.ruby_version[:patchlevel].should == "p#{RUBY_PATCHLEVEL}"
|
10
|
+
end
|
11
|
+
|
12
|
+
end
|
@@ -60,6 +60,10 @@ describe "The Codesake::Dawn engine for sinatra applications" do
|
|
60
60
|
@engine.target_is_dir?.should be_true
|
61
61
|
end
|
62
62
|
|
63
|
+
it "detects running ruby as the one to be checked against" do
|
64
|
+
@engine.ruby_version[:version].should == RUBY_VERSION
|
65
|
+
end
|
66
|
+
|
63
67
|
it "reports it's vulnerable to CVE-2013-1800" do
|
64
68
|
@engine.is_vulnerable_to?("CVE-2013-1800").should be_true
|
65
69
|
end
|
@@ -0,0 +1,35 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
describe "CVE-2013-0175 security check" do
|
4
|
+
let (:check) {Codesake::Dawn::Kb::CVE_2013_0175.new}
|
5
|
+
it "knows its name" do
|
6
|
+
check.name.should == "CVE-2013-0175"
|
7
|
+
end
|
8
|
+
it "has a 7.5 cvss score" do
|
9
|
+
check.cvss_score == 7.5
|
10
|
+
end
|
11
|
+
|
12
|
+
it "fires when multi_xml vulnerable gem it has been found" do
|
13
|
+
check.dependencies = [{:name=>"multi_xml", :version=>"0.5.2"}]
|
14
|
+
check.vuln?.should be_true
|
15
|
+
end
|
16
|
+
it "fires when Grape vulnerable gem it has been found" do
|
17
|
+
check.dependencies = [{:name=>"grape", :version=>"0.2.5"}]
|
18
|
+
check.vuln?.should be_true
|
19
|
+
end
|
20
|
+
it "fires when multi_xml gem is not vulnerable but Grape is" do
|
21
|
+
check.dependencies = [{:name=>"grape", :version=>"0.2.5"}, {:name=>"multi_xml", :version=>"0.5.3"}]
|
22
|
+
check.vuln?.should be_true
|
23
|
+
end
|
24
|
+
it "fires when multi_xml gem is vulnerable but Grape is not" do
|
25
|
+
check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.2"}]
|
26
|
+
check.vuln?.should be_true
|
27
|
+
end
|
28
|
+
|
29
|
+
it "doesn't fire when no vulnerabilities were found" do
|
30
|
+
check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.3"}]
|
31
|
+
check.vuln?.should be_false
|
32
|
+
end
|
33
|
+
|
34
|
+
|
35
|
+
end
|
@@ -0,0 +1,39 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
|
3
|
+
class Mockup
|
4
|
+
include Codesake::Dawn::Kb::RubyVersionCheck
|
5
|
+
|
6
|
+
def initialize
|
7
|
+
message = "This is a mock"
|
8
|
+
super(
|
9
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
10
|
+
:applies=>['sinatra', 'padrino', 'rails'],
|
11
|
+
:message=> message
|
12
|
+
)
|
13
|
+
|
14
|
+
self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
|
15
|
+
end
|
16
|
+
end
|
17
|
+
|
18
|
+
describe "The security check for Ruby interpreter version" do
|
19
|
+
let (:check) {Mockup.new}
|
20
|
+
|
21
|
+
it "fires if ruby version is vulnerable" do
|
22
|
+
check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
|
23
|
+
check.vuln?.should be_true
|
24
|
+
end
|
25
|
+
it "doesn't fire if ruby version is not vulnerable and patchlevel is not vulnerable" do
|
26
|
+
check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
|
27
|
+
check.vuln?.should be_false
|
28
|
+
end
|
29
|
+
|
30
|
+
it "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable" do
|
31
|
+
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
|
32
|
+
check.vuln?.should be_false
|
33
|
+
end
|
34
|
+
|
35
|
+
it "fires if ruby version is vulnerable and patchlevel is vulnerable" do
|
36
|
+
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
|
37
|
+
check.vuln?.should be_true
|
38
|
+
end
|
39
|
+
end
|
data/spec/spec_helper.rb
CHANGED
@@ -1 +1 @@
|
|
1
|
-
require '
|
1
|
+
require 'codesake-dawn'
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: codesake-dawn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: '0.
|
4
|
+
version: '0.60'
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,24 +9,24 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-05-
|
12
|
+
date: 2013-05-28 00:00:00.000000000 Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: codesake_commons
|
16
16
|
requirement: !ruby/object:Gem::Requirement
|
17
17
|
none: false
|
18
18
|
requirements:
|
19
|
-
- - ! '
|
19
|
+
- - ! '>='
|
20
20
|
- !ruby/object:Gem::Version
|
21
|
-
version: 0.
|
21
|
+
version: 0.67.0
|
22
22
|
type: :runtime
|
23
23
|
prerelease: false
|
24
24
|
version_requirements: !ruby/object:Gem::Requirement
|
25
25
|
none: false
|
26
26
|
requirements:
|
27
|
-
- - ! '
|
27
|
+
- - ! '>='
|
28
28
|
- !ruby/object:Gem::Version
|
29
|
-
version: 0.
|
29
|
+
version: 0.67.0
|
30
30
|
- !ruby/object:Gem::Dependency
|
31
31
|
name: cvss
|
32
32
|
requirement: !ruby/object:Gem::Requirement
|
@@ -75,6 +75,54 @@ dependencies:
|
|
75
75
|
- - ! '>='
|
76
76
|
- !ruby/object:Gem::Version
|
77
77
|
version: '0'
|
78
|
+
- !ruby/object:Gem::Dependency
|
79
|
+
name: tomdoc
|
80
|
+
requirement: !ruby/object:Gem::Requirement
|
81
|
+
none: false
|
82
|
+
requirements:
|
83
|
+
- - ! '>='
|
84
|
+
- !ruby/object:Gem::Version
|
85
|
+
version: '0'
|
86
|
+
type: :development
|
87
|
+
prerelease: false
|
88
|
+
version_requirements: !ruby/object:Gem::Requirement
|
89
|
+
none: false
|
90
|
+
requirements:
|
91
|
+
- - ! '>='
|
92
|
+
- !ruby/object:Gem::Version
|
93
|
+
version: '0'
|
94
|
+
- !ruby/object:Gem::Dependency
|
95
|
+
name: aruba
|
96
|
+
requirement: !ruby/object:Gem::Requirement
|
97
|
+
none: false
|
98
|
+
requirements:
|
99
|
+
- - ! '>='
|
100
|
+
- !ruby/object:Gem::Version
|
101
|
+
version: '0'
|
102
|
+
type: :development
|
103
|
+
prerelease: false
|
104
|
+
version_requirements: !ruby/object:Gem::Requirement
|
105
|
+
none: false
|
106
|
+
requirements:
|
107
|
+
- - ! '>='
|
108
|
+
- !ruby/object:Gem::Version
|
109
|
+
version: '0'
|
110
|
+
- !ruby/object:Gem::Dependency
|
111
|
+
name: simplecov
|
112
|
+
requirement: !ruby/object:Gem::Requirement
|
113
|
+
none: false
|
114
|
+
requirements:
|
115
|
+
- - ! '>='
|
116
|
+
- !ruby/object:Gem::Version
|
117
|
+
version: '0'
|
118
|
+
type: :development
|
119
|
+
prerelease: false
|
120
|
+
version_requirements: !ruby/object:Gem::Requirement
|
121
|
+
none: false
|
122
|
+
requirements:
|
123
|
+
- - ! '>='
|
124
|
+
- !ruby/object:Gem::Version
|
125
|
+
version: '0'
|
78
126
|
description: dawn is a security static source code analyzer for web applications written
|
79
127
|
in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails.
|
80
128
|
dawn output is a list of security vulnerabilities affecting your code with a suggestion
|
@@ -87,14 +135,21 @@ extensions: []
|
|
87
135
|
extra_rdoc_files: []
|
88
136
|
files:
|
89
137
|
- .gitignore
|
90
|
-
- .
|
138
|
+
- .ruby-gemset
|
139
|
+
- .ruby-version
|
140
|
+
- Competitive_matrix.md
|
91
141
|
- Gemfile
|
92
142
|
- LICENSE.txt
|
93
143
|
- README.md
|
94
144
|
- Rakefile
|
95
145
|
- Roadmap.md
|
146
|
+
- TODO.md
|
96
147
|
- bin/dawn
|
97
148
|
- codesake_dawn.gemspec
|
149
|
+
- features/dawn_complains_about_an_incorrect_command_line.feature
|
150
|
+
- features/dawn_scan_a_secure_sinatra_app.feature
|
151
|
+
- features/step_definition/dawn_steps.rb
|
152
|
+
- features/support/env.rb
|
98
153
|
- lib/codesake-dawn.rb
|
99
154
|
- lib/codesake/dawn/engine.rb
|
100
155
|
- lib/codesake/dawn/kb/basic_check.rb
|
@@ -107,34 +162,48 @@ files:
|
|
107
162
|
- lib/codesake/dawn/kb/cve_2012_6496.rb
|
108
163
|
- lib/codesake/dawn/kb/cve_2012_6497.rb
|
109
164
|
- lib/codesake/dawn/kb/cve_2013_0155.rb
|
165
|
+
- lib/codesake/dawn/kb/cve_2013_0156.rb
|
166
|
+
- lib/codesake/dawn/kb/cve_2013_0175.rb
|
167
|
+
- lib/codesake/dawn/kb/cve_2013_0233.rb
|
110
168
|
- lib/codesake/dawn/kb/cve_2013_0269.rb
|
169
|
+
- lib/codesake/dawn/kb/cve_2013_0276.rb
|
170
|
+
- lib/codesake/dawn/kb/cve_2013_0277.rb
|
171
|
+
- lib/codesake/dawn/kb/cve_2013_0284.rb
|
172
|
+
- lib/codesake/dawn/kb/cve_2013_0285.rb
|
111
173
|
- lib/codesake/dawn/kb/cve_2013_0333.rb
|
174
|
+
- lib/codesake/dawn/kb/cve_2013_1655.rb
|
175
|
+
- lib/codesake/dawn/kb/cve_2013_1656.rb
|
112
176
|
- lib/codesake/dawn/kb/cve_2013_1800.rb
|
177
|
+
- lib/codesake/dawn/kb/cve_2013_1801.rb
|
178
|
+
- lib/codesake/dawn/kb/cve_2013_1802.rb
|
179
|
+
- lib/codesake/dawn/kb/cve_2013_1821.rb
|
180
|
+
- lib/codesake/dawn/kb/cve_2013_1854.rb
|
113
181
|
- lib/codesake/dawn/kb/cve_2013_1855.rb
|
182
|
+
- lib/codesake/dawn/kb/cve_2013_1856.rb
|
114
183
|
- lib/codesake/dawn/kb/cve_2013_1857.rb
|
184
|
+
- lib/codesake/dawn/kb/cve_2013_1875.rb
|
185
|
+
- lib/codesake/dawn/kb/cve_2013_1898.rb
|
186
|
+
- lib/codesake/dawn/kb/cve_2013_1911.rb
|
187
|
+
- lib/codesake/dawn/kb/cve_2013_1933.rb
|
188
|
+
- lib/codesake/dawn/kb/cve_2013_1947.rb
|
189
|
+
- lib/codesake/dawn/kb/cve_2013_1948.rb
|
190
|
+
- lib/codesake/dawn/kb/cve_2013_2615.rb
|
191
|
+
- lib/codesake/dawn/kb/cve_2013_2616.rb
|
192
|
+
- lib/codesake/dawn/kb/cve_2013_2617.rb
|
193
|
+
- lib/codesake/dawn/kb/cve_2013_3221.rb
|
115
194
|
- lib/codesake/dawn/kb/dependency_check.rb
|
116
195
|
- lib/codesake/dawn/kb/not_revised_code.rb
|
117
196
|
- lib/codesake/dawn/kb/pattern_match_check.rb
|
197
|
+
- lib/codesake/dawn/kb/ruby_version_check.rb
|
118
198
|
- lib/codesake/dawn/knowledge_base.rb
|
119
199
|
- lib/codesake/dawn/rails.rb
|
120
200
|
- lib/codesake/dawn/sinatra.rb
|
121
201
|
- lib/codesake/dawn/version.rb
|
122
202
|
- spec/lib/dawn/codesake_knowledgebase_spec.rb
|
203
|
+
- spec/lib/dawn/codesake_rails_engine_spec.rb
|
123
204
|
- spec/lib/dawn/codesake_sinatra_engine_spec.rb
|
124
|
-
- spec/lib/kb/
|
125
|
-
- spec/lib/kb/
|
126
|
-
- spec/lib/kb/cve_2011_2931_spec.rb
|
127
|
-
- spec/lib/kb/cve_2012_2660_spec.rb
|
128
|
-
- spec/lib/kb/cve_2012_2661_spec.rb
|
129
|
-
- spec/lib/kb/cve_2012_2694_spec.rb
|
130
|
-
- spec/lib/kb/cve_2012_2695_spec.rb
|
131
|
-
- spec/lib/kb/cve_2012_3465_spec.rb
|
132
|
-
- spec/lib/kb/cve_2012_6496_spec.rb
|
133
|
-
- spec/lib/kb/cve_2012_6497_spec.rb
|
134
|
-
- spec/lib/kb/cve_2013_0155_spec.rb
|
135
|
-
- spec/lib/kb/cve_2013_0269_spec.rb
|
136
|
-
- spec/lib/kb/cve_2013_0333_spec.rb
|
137
|
-
- spec/lib/kb/cve_2013_1857_spec.rb
|
205
|
+
- spec/lib/kb/codesake_cve_2013_0175_spec.rb
|
206
|
+
- spec/lib/kb/codesake_ruby_version_check_spec.rb
|
138
207
|
- spec/spec_helper.rb
|
139
208
|
- spec/support/hello_world_3.0.19/.gitignore
|
140
209
|
- spec/support/hello_world_3.0.19/Gemfile
|
@@ -316,7 +385,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
316
385
|
version: '0'
|
317
386
|
segments:
|
318
387
|
- 0
|
319
|
-
hash:
|
388
|
+
hash: 4144472411104473385
|
320
389
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
321
390
|
none: false
|
322
391
|
requirements:
|
@@ -325,31 +394,24 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
325
394
|
version: '0'
|
326
395
|
segments:
|
327
396
|
- 0
|
328
|
-
hash:
|
397
|
+
hash: 4144472411104473385
|
329
398
|
requirements: []
|
330
399
|
rubyforge_project:
|
331
|
-
rubygems_version: 1.8.
|
400
|
+
rubygems_version: 1.8.25
|
332
401
|
signing_key:
|
333
402
|
specification_version: 3
|
334
403
|
summary: dawn is a security static source code analyzer for sinatra, padrino and ruby
|
335
404
|
on rails web applicartions.
|
336
405
|
test_files:
|
406
|
+
- features/dawn_complains_about_an_incorrect_command_line.feature
|
407
|
+
- features/dawn_scan_a_secure_sinatra_app.feature
|
408
|
+
- features/step_definition/dawn_steps.rb
|
409
|
+
- features/support/env.rb
|
337
410
|
- spec/lib/dawn/codesake_knowledgebase_spec.rb
|
411
|
+
- spec/lib/dawn/codesake_rails_engine_spec.rb
|
338
412
|
- spec/lib/dawn/codesake_sinatra_engine_spec.rb
|
339
|
-
- spec/lib/kb/
|
340
|
-
- spec/lib/kb/
|
341
|
-
- spec/lib/kb/cve_2011_2931_spec.rb
|
342
|
-
- spec/lib/kb/cve_2012_2660_spec.rb
|
343
|
-
- spec/lib/kb/cve_2012_2661_spec.rb
|
344
|
-
- spec/lib/kb/cve_2012_2694_spec.rb
|
345
|
-
- spec/lib/kb/cve_2012_2695_spec.rb
|
346
|
-
- spec/lib/kb/cve_2012_3465_spec.rb
|
347
|
-
- spec/lib/kb/cve_2012_6496_spec.rb
|
348
|
-
- spec/lib/kb/cve_2012_6497_spec.rb
|
349
|
-
- spec/lib/kb/cve_2013_0155_spec.rb
|
350
|
-
- spec/lib/kb/cve_2013_0269_spec.rb
|
351
|
-
- spec/lib/kb/cve_2013_0333_spec.rb
|
352
|
-
- spec/lib/kb/cve_2013_1857_spec.rb
|
413
|
+
- spec/lib/kb/codesake_cve_2013_0175_spec.rb
|
414
|
+
- spec/lib/kb/codesake_ruby_version_check_spec.rb
|
353
415
|
- spec/spec_helper.rb
|
354
416
|
- spec/support/hello_world_3.0.19/.gitignore
|
355
417
|
- spec/support/hello_world_3.0.19/Gemfile
|