codesake-dawn 1.0.0.rc2 → 1.0.0

data/lib/codesake/dawn/kb/pattern_match_check.rb

@@ -14,6 +14,14 @@ module Codesake
         # if pattern attack is nor present.
         attr_reader   :negative_search
 
+        EXCLUSION_LIST = [
+          "tags",
+          "vendor/bundle", 
+          "features",
+          "specs",
+          "test"
+        ]
+
         def initialize(options={})
           super(options)
           @attack_pattern   = options[:attack_pattern]
@@ -23,12 +31,20 @@ module Codesake
           @glob = File.join(@glob, options[:glob]) unless options[:glob].nil?
         end
 
+        def must_exclude?(filename)
+          EXCLUSION_LIST.each do |ex|
+            debug_me "skipping #{filename}" if filename.start_with?(ex)
+            return true if filename.start_with?(ex)
+          end
+          return false
+        end
+
         def vuln?
           Dir.glob(File.join("#{root_dir}", @glob)).each do |filename|
             debug_me("#{File.basename(__FILE__)}@#{__LINE__}: analyzing #{filename}: search is #{@negative_search}")
             matches = []
             begin
-              matches = run(load_file(filename)) if File.exists?(filename) and File.file?(filename) and ! File.binary?(filename)
+              matches = run(load_file(filename)) if File.exists?(filename) && File.file?(filename) && ! File.binary?(filename) && ! must_exclude?(filename)
             rescue ArgumentError => e
               puts "Skipping pattern match check for #{filename}: #{e.message}"
             end

data/lib/codesake/dawn/knowledge_base.rb

@@ -102,11 +102,14 @@ require "codesake/dawn/kb/cve_2011_4319"
 require "codesake/dawn/kb/cve_2011_4815"
 
 # CVE - 2012
+require "codesake/dawn/kb/cve_2012_1098"
 require "codesake/dawn/kb/cve_2012_1099"
 require "codesake/dawn/kb/cve_2012_1241"
+require "codesake/dawn/kb/cve_2012_2139"
 require "codesake/dawn/kb/cve_2012_2140"
 require "codesake/dawn/kb/cve_2012_2660"
 require "codesake/dawn/kb/cve_2012_2661"
+require "codesake/dawn/kb/cve_2012_2671"
 require "codesake/dawn/kb/cve_2012_2694"
 require "codesake/dawn/kb/cve_2012_2695"
 require "codesake/dawn/kb/cve_2012_3424"
@@ -127,6 +130,7 @@ require "codesake/dawn/kb/cve_2012_6497"
 # CVE - 2013
 require "codesake/dawn/kb/cve_2013_0155"
 require "codesake/dawn/kb/cve_2013_0156"
+require "codesake/dawn/kb/cve_2013_0162"
 require "codesake/dawn/kb/cve_2013_0175"
 require "codesake/dawn/kb/cve_2013_0233"
 require "codesake/dawn/kb/cve_2013_0256"
@@ -139,6 +143,7 @@ require "codesake/dawn/kb/cve_2013_0285"
 require "codesake/dawn/kb/cve_2013_0333"
 require "codesake/dawn/kb/cve_2013_1655"
 require "codesake/dawn/kb/cve_2013_1656"
+require "codesake/dawn/kb/cve_2013_1756"
 require "codesake/dawn/kb/cve_2013_1800"
 require "codesake/dawn/kb/cve_2013_1801"
 require "codesake/dawn/kb/cve_2013_1802"
@@ -307,11 +312,14 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2011_3187.new, 
           Codesake::Dawn::Kb::CVE_2011_4319.new, 
           Codesake::Dawn::Kb::CVE_2011_4815.new, 
+          Codesake::Dawn::Kb::CVE_2012_1098.new, 
           Codesake::Dawn::Kb::CVE_2012_1099.new, 
           Codesake::Dawn::Kb::CVE_2012_1241.new, 
+          Codesake::Dawn::Kb::CVE_2012_2139.new, 
           Codesake::Dawn::Kb::CVE_2012_2140.new, 
           Codesake::Dawn::Kb::CVE_2012_2660.new, 
           Codesake::Dawn::Kb::CVE_2012_2661.new, 
+          Codesake::Dawn::Kb::CVE_2012_2671.new, 
           Codesake::Dawn::Kb::CVE_2012_2694.new, 
           Codesake::Dawn::Kb::CVE_2012_2695.new, 
           Codesake::Dawn::Kb::CVE_2012_3424.new, 
@@ -330,6 +338,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2012_6497.new,
           Codesake::Dawn::Kb::CVE_2013_0155.new,
           Codesake::Dawn::Kb::CVE_2013_0156.new,
+          Codesake::Dawn::Kb::CVE_2013_0162.new,
           Codesake::Dawn::Kb::CVE_2013_0175.new,
           Codesake::Dawn::Kb::CVE_2013_0233.new,
           Codesake::Dawn::Kb::CVE_2013_0256.new,
@@ -342,6 +351,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_0333.new,
           Codesake::Dawn::Kb::CVE_2013_1655.new,
           Codesake::Dawn::Kb::CVE_2013_1656.new,
+          Codesake::Dawn::Kb::CVE_2013_1756.new,
           Codesake::Dawn::Kb::CVE_2013_1800.new,
           Codesake::Dawn::Kb::CVE_2013_1801.new,
           Codesake::Dawn::Kb::CVE_2013_1802.new,

data/lib/codesake/dawn/version.rb

@@ -6,13 +6,16 @@ module Codesake
     #
     # Future releases
     #
-    # "Tow Mater"       - v 1.2.0
-    # "Finn McMissile"  - v 1.3.0
-    # "Fillmore"        - v 1.4.0
+    # "Tow Mater"       
+    # "Finn McMissile"  
+    # "Fillmore"        
+    # "Holly Shiftwell" 
+    # "Guido"           
+    # "Luigi"           
 
-    VERSION   = "1.0.0.rc2"
+    VERSION   = "1.0.0"
     CODENAME  = "Lightning McQueen"
-    RELEASE   = "20140114"
+    RELEASE   = "20140121"
 
   end
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -742,5 +742,30 @@ end
   sc = kb.find("CVE-2013-0256")
   sc.should_not   be_nil
   sc.class.should == Codesake::Dawn::Kb::CVE_2013_0256
+end
+  it "must have test for CVE-2013-0162" do
+  sc = kb.find("CVE-2013-0162")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2013_0162
+end
+  it "must have test for CVE-2012-2671" do
+  sc = kb.find("CVE-2012-2671")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2012_2671
+end
+  it "must have test for CVE-2012-2139" do
+  sc = kb.find("CVE-2012-2139")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2012_2139
+end
+  it "must have test for CVE-2012-1098" do
+  sc = kb.find("CVE-2012-1098")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2012_1098
+end
+  it "must have test for CVE-2013-1756" do
+  sc = kb.find("CVE-2013-1756")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2013_1756
 end
 end

data/spec/lib/kb/codesake_cve_2013_4457_spec.rb

@@ -32,6 +32,7 @@ describe "The CVE-2013-4457 vulnerability" do
 
   it "is skipped if non vulnerable version of cocaine rubygem is detected" do
     @check.dependencies=[{:name=>"cocaine", :version=>'0.3.2'}]
+    # @check.debug = true
     @check.vuln?.should   be_false
   end
 

data/spec/lib/kb/codesake_dependency_version_check_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+class DependencyMockup
+  include Codesake::Dawn::Kb::DependencyCheck
+
+  def initialize
+    message = "This is a mock"
+    super(
+      :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK, 
+      :applies=>['sinatra', 'padrino', 'rails'],
+      :message=> message
+    )
+    # self.debug = true
+
+    self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
+  end
+end
+
+
+describe "The security check for gem dependency should" do
+  before(:all) do
+    @check = DependencyMockup.new
+  end
+  # let (:check) {Mockup.new}
+
+  it "fires if vulnerable 0.2.9 version is detected" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'0.2.9'}]
+    @check.vuln?.should    be_true
+  end
+  it "doesn't fire if not vulnerable 0.4.0 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'0.4.0'}]
+    @check.vuln?.should    be_false
+  end
+
+  it "fires if vulnerable 1.3.2 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'1.3.2'}]
+    @check.vuln?.should    be_true
+  end
+
+  it "doesn't fire if not vulnerable 1.4.2 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'1.4.2'}]
+    @check.vuln?.should    be_false
+  end
+
+  it "fires when a non vulnerable version is found but there is a fixed version with higher minor release" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'2.3.3'}]
+    @check.vuln?.should    be_true
+  end
+  it "should tell me there is a fixed version with 2 as major and 4 as minor release number" do
+    @check.is_there_an_higher_minor_version?(['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2'], '2.3.3').should  be_true
+  end
+  it "doesn't fires when a non vulnerable version is found and there is a fixed version with higher minor release but I asked to honor the minor version (useful with rails gem)" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'2.3.3'}]
+    @check.save_minor_fixes = true
+    @check.vuln?.should    be_false
+  end
+  it "fires when a vulnerable version (2.3.2) is found even if I asked to save minors..." do
+    @check.dependencies = [{:name=>"this_gem", :version=>'2.3.2'}]
+    @check.save_minor_fixes = true
+    @check.vuln?.should    be_true
+
+  end
+
+
+end

data/spec/lib/kb/cve_2011_2705_spec.rb

@@ -4,5 +4,32 @@ describe "The CVE-2011-2705 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2011_2705.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when ruby 1.8.7-p351 is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p351"}
+    @check.vuln?.should be_true
+  end
+  it "fires when ruby 1.9.0 any patchlevel is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p351"}
+    @check.vuln?.should be_true
+  end
+  it "fires when ruby 1.9.1 any patchlevel is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p351"}
+    @check.vuln?.should be_true
+  end
+  it "fires when ruby 1.9.2-p289 is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p289"}
+    @check.vuln?.should be_true
+  end
+  it "doesn't fire when ruby 1.8.7-p352 is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p352"}
+    @check.vuln?.should be_false
+  end
+  it "doesn't fire when ruby 1.9.2-p290 is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p290"}
+    @check.vuln?.should be_false
+  end
+  it "doesn't fire when ruby 1.9.3-p290 is detected" do
+    @check.detected_ruby ={:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p290"}
+    @check.vuln?.should be_false
+  end
 end

data/spec/lib/kb/cve_2011_2930_spec.rb

@@ -4,5 +4,29 @@ describe "The CVE-2011-2930 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2011_2930.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable rails version is used (2.3.12)" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.12'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version is used (3.0.9)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.9'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version is used (3.1.0)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.1.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when safe rails version is used (2.3.14)" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.14'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version is used (3.0.10)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.10'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version is used (3.1.1.)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.1.1'}]
+    @check.vuln?.should   be_false
+  end
+          # self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13', '3.0.10', '3.1.1']}]
 end

data/spec/lib/kb/cve_2011_3009_spec.rb

@@ -1,8 +1,25 @@
 require 'spec_helper'
+
 describe "The CVE-2011-3009 vulnerability" do
 	before(:all) do
 		@check = Codesake::Dawn::Kb::CVE_2011_3009.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires if ruby version is vulnerable (1.8.6-p111)" do
+    @check.detected_ruby = {:engine=>'ruby', :version=>"1.8.6", :patchlevel=>"p111"}
+    @check.vuln?.should    be_true
+  end
+  it "fires if ruby version is vulnerable (1.8.5-p111)" do
+    @check.detected_ruby = {:engine=>'ruby', :version=>"1.8.5", :patchlevel=>"p111"}
+    @check.vuln?.should    be_true
+  end
+  it "doesn't fire if ruby version is not vulnerable (1.8.6-p112)" do
+    @check.detected_ruby = {:engine=>'ruby', :version=>"1.8.6", :patchlevel=>"p112"}
+    @check.vuln?.should    be_false
+  end
+  it "doesn't fire if ruby version is not vulnerable (1.9.2-p112)" do
+    @check.detected_ruby = {:engine=>'ruby', :version=>"1.9.2", :patchlevel=>"p112"}
+    @check.vuln?.should    be_false
+  end
+
 end

data/spec/lib/kb/cve_2011_3187_spec.rb

@@ -4,5 +4,21 @@ describe "The CVE-2011-3187 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2011_3187.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable rails version it has been found (3.0.5)" do
+    @check.dependencies = [{:name=>'rails', :version=>'3.0.5'}]
+    @check.vuln?.should be_true
+  end
+  it "doesn't fire when safe rails version it has been found (3.0.6)" do
+    @check.dependencies = [{:name=>'rails', :version=>'3.0.6'}]
+    @check.vuln?.should be_false
+  end
+  it "doesn't fire when safe rails version it has been found (3.1.6)" do
+    @check.dependencies = [{:name=>'rails', :version=>'3.1.6'}]
+    @check.vuln?.should be_false
+  end
+  it "doesn't fire when safe rails version it has been found (2.3.16)" do
+    @check.dependencies = [{:name=>'rails', :version=>'2.3.16'}]
+    @check.vuln?.should be_false
+  end
+          # self.safe_dependencies = [{:name=>"rails", :version=>['3.0.6']}]
 end

data/spec/lib/kb/cve_2011_4319_spec.rb

@@ -4,5 +4,41 @@ describe "The CVE-2011-4319 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2011_4319.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable rails version it has been found (2.3.12)" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.12'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version it has been found (3.0.10)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.10'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version it has been found (3.1.1)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.10'}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when safe rails version it has been found (2.3.13)" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.13'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version it has been found (2.3.14)" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.14'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version it has been found (3.0.11)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.11'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version it has been found (3.0.12)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.12'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version it has been found (3.1.2)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.1.2'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when safe rails version it has been found (3.2.0)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.0'}]
+    @check.vuln?.should   be_false
+  end
+          # self.safe_dependencies = [{:name=>"rails", :version=>['2.3.13', '3.0.11', '3.1.2']}]
 end

data/spec/lib/kb/cve_2012_1098_spec.rb

@@ -0,0 +1,36 @@
+require 'spec_helper'
+describe "The CVE-2012-1098 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2012_1098.new
+		# @check.debug = true
+	end
+  it "fires when vulnerable rails version it has been found (3.0.11)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.0.11'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version it has been found (3.1.3)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.1.3'}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable rails version it has been found (3.2.1)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when non vulnerable rails version it has been found (3.2.2)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.2'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when non vulnerable rails version it has been found (3.2.4)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.2.4'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when non vulnerable rails version it has been found (3.1.4)" do
+    @check.dependencies = [{:name=>"rails", :version=>'3.1.4'}]
+    # @check.debug = true
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when rails version older than 3.x.y it has been found" do
+    @check.dependencies = [{:name=>"rails", :version=>'2.3.12'}]
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/cve_2012_2139_spec.rb

@@ -0,0 +1,20 @@
+require 'spec_helper'
+describe "The CVE-2012-2139 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2012_2139.new
+		# @check.debug = true
+	end
+  it "is reported when mail_gem version 2.4.3 is used" do
+    @check.dependencies = [{:name=>"mail_gem", :version=>"2.4.3"}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when mail_gem version 2.3.3 is used" do
+    @check.dependencies = [{:name=>"mail_gem", :version=>"2.3.3"}]
+    @check.vuln?.should be_true
+  end
+
+  it "is not reported when mail_gem version 2.4.4 is used" do
+    @check.dependencies = [{:name=>"mail_gem", :version=>"2.4.4"}]
+    @check.vuln?.should be_false
+  end
+end