RubyGems - codesake-dawn - Versions diffs - 0.85 → 1.0.0.rc1 - Mend

codesake-dawn 0.85 → 1.0.0.rc1

Files changed (315) hide show

@@ -1,177 +0,0 @@
-# Competitive matrix between dawn and other security static code scanners
-This is the point where I try to answer the very good question: _dawn? it is a
-great tool but which are the differences between it and ( put your favorite
-tool here )?_
-Of course, as you may wonder, I'm the dawn author so I can be less impartial
-than a third party review that it is strongly encouraged and that it will put
-linked to this page (even in case you will make criticisms to my tool)
-## The competitors
-As [@presidentbeef](https://twitter.com/presidentbeef) pointed me out, there
-are a couple of security source code static analyzers (lets'call them SAST from
-this point) supporting ruby.
-* [brakeman scanner](http://brakemanscanner.org/)
-* [Excellent](https://github.com/simplabs/excellent)
-* [ror-sec-scanner](http://gitorious.org/code-scanner/ror-sec-scanner/)
-* [Scanny](https://github.com/openSUSE/scanny)
-* [dawn](https://github.com/codesake/codesake\_dawn)
-### Brakeman
-[Brakeman](http://brakemanscanner.org) is a good tool, it is mature and it is
-widespread among the community. It's approaching the second major release of
-its history.
-It is born to support [Ruby on Rails](http://rubyonrails.org) written web
-applications.
-### Dawn
-Dawn is born to support the application security startup I'm building,
-[codesake.com](http://codesake.com). Since community gives me a lot in all
-these years, the statica analyzer will be opensource and **I won't change this
-decision, ever**.
-Dawn supports web applications written using
-[Ruby on Rails](http://rubyonrails.org), [Sinatra](http://sinatrarb.com) and
-[Padrino](http://padrinorb.com)
-Since a lot of javascript code is used in the web applications nowadays, I'll
-introduce a preliminary support for javascript before launching version 1.0.
-Javascript support it will be focused on checking for reflected and DOM based
-Cross site scripting attacks.
-In a future (on version 1.5 accordingly to the Roadmap), node.js written web
-applications will be supported as well.
-## The comparison
-### Basic features
-|Feature                | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
-|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
-| Version               | 0.70          | 1.9.5             |             |                   |             |
-| Production ready?     | NO            | YES               |             |                   |             |
-| Sinatra support       | YES           | NO                |             |                   |             |
-| Padrino support       | NO *planned*  | NO                |             |                   |             |
-| Rails support         | YES           | YES               |             |                   |             |
-| Node.js support       | NO *planned*  | NO                |             |                   |             |
-| Plain text output     | YES           | YES               |             |                   |             |
-| Json output           | YES           | YES               |             |                   |             |
-| HTML output           | NO            | YES               |             |                   |             |
-### CVE security checks
-| CVE Check             | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
-|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
-| CVE-2010-1330         | YES           | NO                |             |                   |             |
-| CVE-2011-0446         | YES           | NO                |             |                   |             |
-| CVE-2011-0447         | YES           | NO                |             |                   |             |
-| CVE-2011-0995         | YES           | NO                |             |                   |             |
-| CVE-2011-2197         | YES           | NO                |             |                   |             |
-| CVE-2011-2929         | YES           | YES               |             |                   |             |
-| CVE-2011-2931         | YES           | YES               |             |                   |             |
-| CVE-2011-2932         | YES           | NO                |             |                   |             |
-| CVE-2011-3186         | YES           | NO                |             |                   |             |
-| CVE-2011-4815         | YES           | NO                |             |                   |             |
-| CVE-2012-1099         | YES           | NO                |             |                   |             |
-| CVE-2012-1241         | YES           | NO                |             |                   |             |
-| CVE-2012-2140         | YES           | NO                |             |                   |             |
-| CVE-2012-2660         | YES           | YES               |             |                   |             |
-| CVE-2012-2661         | YES           | YES               |             |                   |             |
-| CVE-2012-2694         | YES           | YES               |             |                   |             |
-| CVE-2012-2695         | YES           | YES               |             |                   |             |
-| CVE-2012-3424         | YES           | YES               |             |                   |             |
-| CVE-2012-3463         | YES           | YES               |             |                   |             |
-| CVE-2012-3464         | YES           | YES               |             |                   |             |
-| CVE-2012-3465         | YES           | YES               |             |                   |             |
-| CVE-2012-4464         | YES           | NO                |             |                   |             |
-| CVE-2012-4466         | YES           | NO                |             |                   |             |
-| CVE-2012-4481         | YES           | NO                |             |                   |             |
-| CVE-2012-4522         | YES           | NO                |             |                   |             |
-| CVE-2012-5370         | YES           | NO                |             |                   |             |
-| CVE-2012-5371         | YES           | NO                |             |                   |             |
-| CVE-2012-5380         | YES           | NO                |             |                   |             |
-| CVE-2012-6134         | YES           | NO                |             |                   |             |
-| CVE-2012-6496         | YES           | NO                |             |                   |             |
-| CVE-2012-5664         | NO            | YES               |             |                   |             |
-| CVE-2012-6497         | YES           | NO                |             |                   |             |
-| CVE-2013-1855         | YES           | YES               |             |                   |             |
-| CVE-2013-1800         | YES           | NO                |             |                   |             |
-| CVE-2013-0333         | YES           | YES               |             |                   |             |
-| CVE-2013-0269         | YES           | YES               |             |                   |             |
-| CVE-2013-1857         | YES           | YES               |             |                   |             |
-| CVE-2013-0155         | YES           | YES               |             |                   |             |
-| CVE-2013-0333         | YES           | YES               |             |                   |             |
-| CVE-2013-1854         | YES           | YES               |             |                   |             |
-| CVE-2013-1856         | YES           | YES               |             |                   |             |
-| CVE-2013-0276         | YES           | YES               |             |                   |             |
-| CVE-2013-0277         | YES           | YES               |             |                   |             |
-| CVE-2013-0156         | YES           | YES               |             |                   |             |
-| CVE-2013-2065 [0]     | NO            | NO                |             |                   |             |
-| CVE-2013-2090 [0]     | NO            | NO                |             |                   |             |
-| CVE-2013-2615         | YES           | NO                |             |                   |             |
-| CVE-2013-1875         | YES           | NO                |             |                   |             |
-| CVE-2013-1655         | YES           | NO                |             |                   |             |
-| CVE-2013-1656         | YES           | NO                |             |                   |             |
-| CVE-2013-0175         | YES           | NO                |             |                   |             |
-| CVE-2013-0233         | YES           | NO                |             |                   |             |
-| CVE-2013-0284         | YES           | NO                |             |                   |             |
-| CVE-2013-0285         | YES           | NO                |             |                   |             |
-| CVE-2013-1801         | YES           | NO                |             |                   |             |
-| CVE-2013-1802         | YES           | NO                |             |                   |             |
-| CVE-2013-1821         | YES           | NO                |             |                   |             |
-| CVE-2013-1898         | YES           | NO                |             |                   |             |
-| CVE-2013-1911         | YES           | NO                |             |                   |             |
-| CVE-2013-1933         | YES           | NO                |             |                   |             |
-| CVE-2013-1947         | YES           | NO                |             |                   |             |
-| CVE-2013-1948         | YES           | NO                |             |                   |             |
-| CVE-2013-2065         | YES           | NO                |             |                   |             |
-| CVE-2013-2616         | YES           | NO                |             |                   |             |
-| CVE-2013-2617         | YES           | NO                |             |                   |             |
-| CVE-2013-3221         | YES           | NO                |             |                   |             |
-| CVE-2013-4389         | YES           | NO                |             |                   |             |
-| CVE-2013-4491         | YES           | NO                |             |                   |             |
-| CVE-2013-4492         | YES           | NO                |             |                   |             |
-| CVE-2013-4562         | YES           | NO                |             |                   |             |
-| CVE-2013-6414         | YES           | NO                |             |                   |             |
-| CVE-2013-6415         | YES           | NO                |             |                   |             |
-| CVE-2013-6416         | YES           | NO                |             |                   |             |
-| CVE-2013-6417         | YES           | NO                |             |                   |             |
-[0] This CVE must be confirmed
-### Quality checks
-| Quality check         | Dawn          | Brakeman          | Excellent   | ror-sec-scanner   | Scanny      |
-|-----------------------|---------------|-------------------|-------------|-------------------|-------------|
-| Not revised code      | YES           | NO                |             |                   |             |
-### Application specific security checks
-| Security check              | Dawn          | Brakeman   | Excellent   | ror-sec-scanner   | Scanny      |
-|-----------------------------|---------------|------------|-------------|-------------------|-------------|
-| Reflected XSS               | YES (sinatra) | YES        |             |                   |             |
-| Stored XSS                  | NO            | YES        |             |                   |             |
-| DOM Based XSS               | NO            | NO         |             |                   |             |
-| SQL injection               | NO            | YES        |             |                   |             |
-| Broken authentication       | NO            | NO         |             |                   |             |
-| Insecure object reference   | NO            | NO         |             |                   |             |
-| CSRF                        | NO            | YES [1]    |             |                   |             |
-[1] Brakeman warns if an application does not use protect_from_forgery, but it
-doesn't warn about vulnerable forms (e.g. those not using view helpers) -
-[@presidentbeef](https://github.com/codesake/codesake_dawn/issues/2)
-## Third party reviews
-If you blogged, twitted or in any case if you compare dawn with other SAST
-available out there supporting ruby, please tell me and I'll add your review
-here.

data/TODO.md DELETED

@@ -1,64 +0,0 @@
-# Codesake Dawn Todo
-## #2 cloning target
-### Status: Open
-Add a --github option to dawn to clone a remote repository, perform a bundle
-install and do a code review.
-## #1 Introduce check dependency
-### Status: Closed
-CVE-2013-1655 introduces a security issue that depends on a particular gem only
-when running a particular Ruby interpreter version. For such a reason in
-BasicCheck class I introduced a ruby\_version attribute as a String and a
-is\_vulnerable\_ruby\_version? method to match this thing.
-CVE-2013-1821 introduces a security issue about the specific Ruby interpreter
-version, therefore I introduced a new kind of security check, the
-RubyVersionCheck. Since RubyVersionCheck includes also BasicCheck, it has 2
-attributes (filled in engine.rb apply and apply\_all methods that are almost
-the same. The ruby\_version and the detected\_ruby that it is an hash.
-This situation introduces a logical mess and the chances of having bugs in the
-future are very high. So it must be possible to declare a complex security
-check as a mixin of basic security checks, this way:
-``` ruby
-module Codesake
-	module Dawn
-		module Kb
-      class MyVeryComplexSecurityCheck
-        include ConditionalSecurityCheck # TODO: name check
-        def initialize
-          # since DependencyCheck and friends are module, I need to introduce
-          # also a scaffolding class including that module so I can create an instance of
-          # that.
-          a_dependency_check = Codesake::Dawn::Kb::BasicDependencyCheck.new
-          a_dependency_check.safe_dependencies = [{:name=>"puppet", :version=>['2.7.21', '3.1.1']}]
-          a_ruby_version_check = Codesake::Dawn::Kb::BasicRubyVersionCheck.new
-          a_ruby_version_check.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p195"}]
-          super({
-              :name=>"My very complex security check",
-              :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
-              :release_date => Date.new(2013, 5, 23),
-              :cwe=>"20",
-              :owasp=>"A9",
-              :applies=>["rails", "sinatra", "padrino"],
-              :kind=>Codesake::Dawn::KnowledgeBase::CONDITIONAL_CHECK,
-              # => there is no reason not to support multiple boolean operators
-              # when checking security checks in the chain for their vuln? return value
-              :condition=>:or,
-              :message=>message,
-              :mitigation=>"Please upgrade puppet gem to a newer version",
-              :aux_links=>["https://puppetlabs.com/security/cve/cve-2013-1655/"],
-              :security_checks = [a_dependency_check, a_ruby_version_check]
-          })
-        end
-      end
-		end
-	end
-end
-```

data/spec/support/hello_world_3.0.19/Gemfile DELETED

@@ -1,31 +0,0 @@
-source 'http://rubygems.org'
-gem 'rails', '3.0.19'
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-gem 'sqlite3'
-# Use unicorn as the web server
-# gem 'unicorn'
-# Deploy with Capistrano
-# gem 'capistrano'
-# To use debugger (ruby-debug for Ruby 1.8.7+, ruby-debug19 for Ruby 1.9.2+)
-# gem 'ruby-debug'
-# gem 'ruby-debug19', :require => 'ruby-debug'
-# Bundle the extra gems:
-# gem 'bj'
-# gem 'nokogiri'
-# gem 'sqlite3-ruby', :require => 'sqlite3'
-# gem 'aws-s3', :require => 'aws/s3'
-# Bundle gems for the local environment. Make sure to
-# put test-only gems in this group so their generators
-# and rake tasks are available in development mode:
-# group :development, :test do
-#   gem 'webrat'
-# end

data/spec/support/hello_world_3.0.19/README DELETED

@@ -1,256 +0,0 @@
-== Welcome to Rails
-Rails is a web-application framework that includes everything needed to create
-database-backed web applications according to the Model-View-Control pattern.
-This pattern splits the view (also called the presentation) into "dumb"
-templates that are primarily responsible for inserting pre-built data in between
-HTML tags. The model contains the "smart" domain objects (such as Account,
-Product, Person, Post) that holds all the business logic and knows how to
-persist themselves to a database. The controller handles the incoming requests
-(such as Save New Account, Update Product, Show Post) by manipulating the model
-and directing data to the view.
-In Rails, the model is handled by what's called an object-relational mapping
-layer entitled Active Record. This layer allows you to present the data from
-database rows as objects and embellish these data objects with business logic
-methods. You can read more about Active Record in
-link:files/vendor/rails/activerecord/README.html.
-The controller and view are handled by the Action Pack, which handles both
-layers by its two parts: Action View and Action Controller. These two layers
-are bundled in a single package due to their heavy interdependence. This is
-unlike the relationship between the Active Record and Action Pack that is much
-more separate. Each of these packages can be used independently outside of
-Rails. You can read more about Action Pack in
-link:files/vendor/rails/actionpack/README.html.
-== Getting Started
-1. At the command prompt, create a new Rails application:
-       <tt>rails new myapp</tt> (where <tt>myapp</tt> is the application name)
-2. Change directory to <tt>myapp</tt> and start the web server:
-       <tt>cd myapp; rails server</tt> (run with --help for options)
-3. Go to http://localhost:3000/ and you'll see:
-       "Welcome aboard: You're riding Ruby on Rails!"
-4. Follow the guidelines to start developing your application. You can find
-the following resources handy:
-* The Getting Started Guide: http://guides.rubyonrails.org/getting_started.html
-* Ruby on Rails Tutorial Book: http://www.railstutorial.org/
-== Debugging Rails
-Sometimes your application goes wrong. Fortunately there are a lot of tools that
-will help you debug it and get it back on the rails.
-First area to check is the application log files. Have "tail -f" commands
-running on the server.log and development.log. Rails will automatically display
-debugging and runtime information to these files. Debugging info will also be
-shown in the browser on requests from 127.0.0.1.
-You can also log your own messages directly into the log file from your code
-using the Ruby logger class from inside your controllers. Example:
-  class WeblogController < ActionController::Base
-    def destroy
-      @weblog = Weblog.find(params[:id])
-      @weblog.destroy
-      logger.info("#{Time.now} Destroyed Weblog ID ##{@weblog.id}!")
-    end
-  end
-The result will be a message in your log file along the lines of:
-  Mon Oct 08 14:22:29 +1000 2007 Destroyed Weblog ID #1!
-More information on how to use the logger is at http://www.ruby-doc.org/core/
-Also, Ruby documentation can be found at http://www.ruby-lang.org/. There are
-several books available online as well:
-* Programming Ruby: http://www.ruby-doc.org/docs/ProgrammingRuby/ (Pickaxe)
-* Learn to Program: http://pine.fm/LearnToProgram/ (a beginners guide)
-These two books will bring you up to speed on the Ruby language and also on
-programming in general.
-== Debugger
-Debugger support is available through the debugger command when you start your
-Mongrel or WEBrick server with --debugger. This means that you can break out of
-execution at any point in the code, investigate and change the model, and then,
-resume execution! You need to install ruby-debug to run the server in debugging
-mode. With gems, use <tt>sudo gem install ruby-debug</tt>. Example:
-  class WeblogController < ActionController::Base
-    def index
-      @posts = Post.find(:all)
-      debugger
-    end
-  end
-So the controller will accept the action, run the first line, then present you
-with a IRB prompt in the server window. Here you can do things like:
-  >> @posts.inspect
-  => "[#<Post:0x14a6be8
-          @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>,
-       #<Post:0x14a6620
-          @attributes={"title"=>"Rails", "body"=>"Only ten..", "id"=>"2"}>]"
-  >> @posts.first.title = "hello from a debugger"
-  => "hello from a debugger"
-...and even better, you can examine how your runtime objects actually work:
-  >> f = @posts.first
-  => #<Post:0x13630c4 @attributes={"title"=>nil, "body"=>nil, "id"=>"1"}>
-  >> f.
-  Display all 152 possibilities? (y or n)
-Finally, when you're ready to resume execution, you can enter "cont".
-== Console
-The console is a Ruby shell, which allows you to interact with your
-application's domain model. Here you'll have all parts of the application
-configured, just like it is when the application is running. You can inspect
-domain models, change values, and save to the database. Starting the script
-without arguments will launch it in the development environment.
-To start the console, run <tt>rails console</tt> from the application
-directory.
-Options:
-* Passing the <tt>-s, --sandbox</tt> argument will rollback any modifications
-  made to the database.
-* Passing an environment name as an argument will load the corresponding
-  environment. Example: <tt>rails console production</tt>.
-To reload your controllers and models after launching the console run
-<tt>reload!</tt>
-More information about irb can be found at:
-link:http://www.rubycentral.com/pickaxe/irb.html
-== dbconsole
-You can go to the command line of your database directly through <tt>rails
-dbconsole</tt>. You would be connected to the database with the credentials
-defined in database.yml. Starting the script without arguments will connect you
-to the development database. Passing an argument will connect you to a different
-database, like <tt>rails dbconsole production</tt>. Currently works for MySQL,
-PostgreSQL and SQLite 3.
-== Description of Contents
-The default directory structure of a generated Ruby on Rails application:
-  |-- app
-  |   |-- controllers
-  |   |-- helpers
-  |   |-- mailers
-  |   |-- models
-  |   `-- views
-  |       `-- layouts
-  |-- config
-  |   |-- environments
-  |   |-- initializers
-  |   `-- locales
-  |-- db
-  |-- doc
-  |-- lib
-  |   `-- tasks
-  |-- log
-  |-- public
-  |   |-- images
-  |   |-- javascripts
-  |   `-- stylesheets
-  |-- script
-  |-- test
-  |   |-- fixtures
-  |   |-- functional
-  |   |-- integration
-  |   |-- performance
-  |   `-- unit
-  |-- tmp
-  |   |-- cache
-  |   |-- pids
-  |   |-- sessions
-  |   `-- sockets
-  `-- vendor
-      `-- plugins
-app
-  Holds all the code that's specific to this particular application.
-app/controllers
-  Holds controllers that should be named like weblogs_controller.rb for
-  automated URL mapping. All controllers should descend from
-  ApplicationController which itself descends from ActionController::Base.
-app/models
-  Holds models that should be named like post.rb. Models descend from
-  ActiveRecord::Base by default.
-app/views
-  Holds the template files for the view that should be named like
-  weblogs/index.html.erb for the WeblogsController#index action. All views use
-  eRuby syntax by default.
-app/views/layouts
-  Holds the template files for layouts to be used with views. This models the
-  common header/footer method of wrapping views. In your views, define a layout
-  using the <tt>layout :default</tt> and create a file named default.html.erb.
-  Inside default.html.erb, call <% yield %> to render the view using this
-  layout.
-app/helpers
-  Holds view helpers that should be named like weblogs_helper.rb. These are
-  generated for you automatically when using generators for controllers.
-  Helpers can be used to wrap functionality for your views into methods.
-config
-  Configuration files for the Rails environment, the routing map, the database,
-  and other dependencies.
-db
-  Contains the database schema in schema.rb. db/migrate contains all the
-  sequence of Migrations for your schema.
-doc
-  This directory is where your application documentation will be stored when
-  generated using <tt>rake doc:app</tt>
-lib
-  Application specific libraries. Basically, any kind of custom code that
-  doesn't belong under controllers, models, or helpers. This directory is in
-  the load path.
-public
-  The directory available for the web server. Contains subdirectories for
-  images, stylesheets, and javascripts. Also contains the dispatchers and the
-  default HTML files. This should be set as the DOCUMENT_ROOT of your web
-  server.
-script
-  Helper scripts for automation and generation.
-test
-  Unit and functional tests along with fixtures. When using the rails generate
-  command, template test files will be generated for you and placed in this
-  directory.
-vendor
-  External libraries that the application depends on. Also includes the plugins
-  subdirectory. If the app has frozen rails, those gems also go here, under
-  vendor/rails/. This directory is in the load path.