codesake-dawn 1.0.0.rc2 → 1.0.0

data/spec/lib/kb/cve_2012_2671_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+describe "The CVE-2012-2671 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2012_2671.new
+		# @check.debug = true
+	end
+  it "is reported when ruby-cache version 0.5 is used" do
+    @check.dependencies = [{:name=>"rack-cache", :version=>'0.5'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when ruby-cache version 0.8 is used" do
+    @check.dependencies = [{:name=>"rack-cache", :version=>'0.8'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when ruby-cache version 1.1.1 is used" do
+    @check.dependencies = [{:name=>"rack-cache", :version=>'1.1.1'}]
+    @check.vuln?.should be_true
+  end
+  it "is not reported when ruby-cache version 1.1.2 is used" do
+    @check.dependencies = [{:name=>"rack-cache", :version=>'1.1.2'}]
+    @check.vuln?.should be_false
+  end
+end

data/spec/lib/kb/cve_2013_0162_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+describe "The CVE-2013-0162 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2013_0162.new
+		# @check.debug = true
+	end
+  it "is reported when ruby_parser version 1.x is used" do
+    @check.dependencies = [{:name=>"ruby_parser", :version=>'1.4.5'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when ruby_parser version 2.x is used" do
+    @check.dependencies = [{:name=>"ruby_parser", :version=>'2.4.5'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when ruby_parser version 3.0.x is used" do
+    @check.dependencies = [{:name=>"ruby_parser", :version=>'3.0.5'}]
+    @check.vuln?.should be_true
+  end
+  it "is not reported when ruby_parser version 3.1.1 is used" do
+    @check.dependencies = [{:name=>"ruby_parser", :version=>'3.1.1'}]
+    @check.vuln?.should be_false
+  end
+end

data/spec/lib/kb/cve_2013_0256_spec.rb

@@ -4,5 +4,38 @@ describe "The CVE-2013-0256 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2013_0256.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable ruby (1.9.3-p382) and rdoc version (2.3.0) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"381"}, :dependencies=>[{:name=>"rdoc", :version=>'2.3.0'}, :root_dir=>"."]}
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable ruby (1.9.2-p342) and rdoc version (2.3.0) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"342"}, :dependencies=>[{:name=>"rdoc", :version=>'2.3.0'}, :root_dir=>"."]}
+    @check.vuln?.should   be_true
+  end
+
+  it "fires when vulnerable ruby (1.9.3-p382) and rdoc version (3.12) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"381"}, :dependencies=>[{:name=>"rdoc", :version=>'3.12'}, :root_dir=>"."]}
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable ruby (1.9.2-p342) and rdoc version (3.12) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"342"}, :dependencies=>[{:name=>"rdoc", :version=>'3.12'}, :root_dir=>"."]}
+    @check.vuln?.should   be_true
+  end
+
+  it "doesn't fire when not vulnerable ruby (1.9.3-p383) is found but vulnerable rdoc version (3.12) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"342"}, :dependencies=>[{:name=>"rdoc", :version=>'3.99'}, :root_dir=>"."]}
+    @check.vuln?.should   be_false
+  end
+
+  it "doesn't fire when vulnerable ruby (1.9.3-p382) is found but not vulnerable rdoc version (3.13) has been found" do
+    @check.options={:detected_ruby=>{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"322"}, :dependencies=>[{:name=>"rdoc", :version=>'3.13'}, :root_dir=>"."]}
+    @check.vuln?.should   be_false
+  end
+
+          # self.safe_dependencies = [{:name=>"rdoc", :version=>['2.3.1', '3.13', '4.0.0']}]
+
+          # self.safe_rubies = [
+          #   {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p383"}, 
+          #   {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p0"}
+          # ]
 end

data/spec/lib/kb/cve_2013_0263_spec.rb

@@ -4,5 +4,8 @@ describe "The CVE-2013-0263 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2013_0263.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "is not reported when rack version 1.4.5 is used" do
+    @check.dependencies = [{:name=>"rack", :version=>'1.4.5'}]
+    @check.vuln?.should be_false
+  end
 end

data/spec/lib/kb/cve_2013_1756_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+describe "The CVE-2013-1756 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2013_1756.new
+		# @check.debug = true
+	end
+  it "is reported when dragonfly version 0.9.12 is used" do
+    @check.dependencies = [{:name=>"dragonfly", :version=>'0.9.12'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when dragonfly version 0.8.12 is used" do
+    @check.dependencies = [{:name=>"dragonfly", :version=>'0.8.12'}]
+    @check.vuln?.should be_true
+  end
+  it "is reported when dragonfly version 0.7.12 is used" do
+    @check.dependencies = [{:name=>"dragonfly", :version=>'0.7.12'}]
+    @check.vuln?.should be_true
+  end
+  it "is not reported when dragonfly version 0.9.13 is used" do
+    @check.dependencies = [{:name=>"dragonfly", :version=>'0.9.13'}]
+    @check.vuln?.should be_false
+  end
+end

data/spec/lib/kb/cve_2013_2090_spec.rb

@@ -4,5 +4,17 @@ describe "The CVE-2013-2090 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2013_2090.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable cremefraiche version is used" do
+    @check.dependencies = [{:name=>"cremefraiche", :version=>'0.6.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when not vulnerable cremefraiche version is used" do
+    @check.dependencies = [{:name=>"cremefraiche", :version=>'0.6.2'}]
+    @check.vuln?.should   be_false
+  end
+  it "fires when 0.5 and previous versions are found. We must check that cremefraiche version 0.5.2 version is vulnerable"
+  # it "doesn't fire when an older not vulnerable cremefraiche version is used" do
+  #   @check.dependencies = [{:name=>"cremefraiche", :version=>'0.5.2'}]
+  #   @check.vuln?.should   be_false
+  # end
 end

data/spec/lib/kb/cve_2013_2119_spec.rb

@@ -4,5 +4,24 @@ describe "The CVE-2013-2119 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2013_2119.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable passenger version is used" do
+    @check.dependencies = [{:name=>"passenger", :version=>"4.0.4"}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable passenger version is used" do
+    @check.dependencies = [{:name=>"passenger", :version=>"4.0.0"}]
+    @check.vuln?.should   be_true
+  end
+  it "fires when vulnerable passenger version is used" do
+    @check.dependencies = [{:name=>"passenger", :version=>"3.0.20"}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when not vulnerable passenger version is used" do
+    @check.dependencies = [{:name=>"passenger", :version=>"4.0.5"}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when not vulnerable passenger version is used" do
+    @check.dependencies = [{:name=>"passenger", :version=>"3.0.21"}]
+    @check.vuln?.should   be_false
+  end
 end

data/spec/lib/kb/cve_2013_5647_spec.rb

@@ -4,5 +4,16 @@ describe "The CVE-2013-5647 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2013_5647.new
 		# @check.debug = true
 	end
-	it "needs some test..."
+  it "fires when vulnerable sounder 1.0.1 version is userd" do
+    @check.dependencies = [{:name=>"sounder", :version=>'1.0.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "doesn't fire when sounder not vulnerable version is used" do
+    @check.dependencies = [{:name=>"sounder", :version=>'1.0.2'}]
+    @check.vuln?.should   be_false
+  end
+  it "doesn't fire when a very old sounder version is used" do
+    @check.dependencies = [{:name=>"sounder", :version=>'0.9.2'}]
+    @check.vuln?.should   be_false
+  end
 end

data/spec/lib/kb/cve_2013_6459_spec.rb

@@ -1,8 +1,15 @@
 require 'spec_helper'
 describe "The CVE-2013-6459 vulnerability" do
-	before(:all) do
-		@check = Codesake::Dawn::Kb::CVE_2013_6459.new
-		# @check.debug = true
-	end
-	it "needs some test..."
+  before(:all) do
+    @check = Codesake::Dawn::Kb::CVE_2013_6459.new
+    # @check.debug = true
+  end
+  it "fires when will_paginage 3.0.4 vulnerable version is used" do
+    @check.dependencies = [{:name=>"will_paginate", :version=>'3.0.4'}]
+    @check.vuln?.should be_true
+  end
+  it "doesn't fires when will_paginage 3.0.5 safe version is used" do
+    @check.dependencies = [{:name=>"will_paginate", :version=>'3.0.5'}]
+    @check.vuln?.should be_false
+  end
 end

data/spec/lib/kb/cve_2013_7086_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 describe "The CVE-2013-7086 vulnerability" do
 	before(:all) do
 		@check = Codesake::Dawn::Kb::CVE_2013_7086.new
-		@check.debug = true
+		# @check.debug = true
 	end
 	it "is detected for gem 1.0.5.3" do
     @check.dependencies = [{:name=>"webbynode", :version=>'1.0.5.3'}]

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.0.0.rc2
+  version: 1.0.0
 platform: ruby
 authors:
 - Paolo Perego
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-01-14 00:00:00.000000000 Z
+date: 2014-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.89.0
+        version: 0.90.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.89.0
+        version: 0.90.0
 - !ruby/object:Gem::Dependency
   name: cvss
   requirement: !ruby/object:Gem::Requirement
@@ -208,8 +208,8 @@ dependencies:
         version: '0'
 description: dawn is a security static source code analyzer for web applications written
   in ruby. It supports major MVC frameworks like sinatra, padrino and ruby on rails.
-  dawn output is a list of security vulnerabilities affecting your code with a suggestion
-  on how to mitigate all of them.
+  dawn output is a list of security vulnerabilities affecting your code. It provides
+  more than 140 security checks with their own mitigation suggestion.
 email:
 - thesp0nge@gmail.com
 executables:
@@ -223,12 +223,14 @@ files:
 - .travis.yml
 - Changelog.md
 - Gemfile
+- KnowledgeBase.md
 - LICENSE.txt
 - README.md
 - Rakefile
 - Roadmap.md
 - bin/dawn
 - codesake-dawn.gemspec
+- doc/dawn_1_0_announcement.md
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled
 - features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled
@@ -299,11 +301,14 @@ files:
 - lib/codesake/dawn/kb/cve_2011_3187.rb
 - lib/codesake/dawn/kb/cve_2011_4319.rb
 - lib/codesake/dawn/kb/cve_2011_4815.rb
+- lib/codesake/dawn/kb/cve_2012_1098.rb
 - lib/codesake/dawn/kb/cve_2012_1099.rb
 - lib/codesake/dawn/kb/cve_2012_1241.rb
+- lib/codesake/dawn/kb/cve_2012_2139.rb
 - lib/codesake/dawn/kb/cve_2012_2140.rb
 - lib/codesake/dawn/kb/cve_2012_2660.rb
 - lib/codesake/dawn/kb/cve_2012_2661.rb
+- lib/codesake/dawn/kb/cve_2012_2671.rb
 - lib/codesake/dawn/kb/cve_2012_2694.rb
 - lib/codesake/dawn/kb/cve_2012_2695.rb
 - lib/codesake/dawn/kb/cve_2012_3424.rb
@@ -322,6 +327,7 @@ files:
 - lib/codesake/dawn/kb/cve_2012_6497.rb
 - lib/codesake/dawn/kb/cve_2013_0155.rb
 - lib/codesake/dawn/kb/cve_2013_0156.rb
+- lib/codesake/dawn/kb/cve_2013_0162.rb
 - lib/codesake/dawn/kb/cve_2013_0175.rb
 - lib/codesake/dawn/kb/cve_2013_0233.rb
 - lib/codesake/dawn/kb/cve_2013_0256.rb
@@ -334,6 +340,7 @@ files:
 - lib/codesake/dawn/kb/cve_2013_0333.rb
 - lib/codesake/dawn/kb/cve_2013_1655.rb
 - lib/codesake/dawn/kb/cve_2013_1656.rb
+- lib/codesake/dawn/kb/cve_2013_1756.rb
 - lib/codesake/dawn/kb/cve_2013_1800.rb
 - lib/codesake/dawn/kb/cve_2013_1801.rb
 - lib/codesake/dawn/kb/cve_2013_1802.rb
@@ -401,57 +408,20 @@ files:
 - spec/lib/kb/codesake_cve_2013_1655_spec.rb
 - spec/lib/kb/codesake_cve_2013_4457_spec.rb
 - spec/lib/kb/codesake_cve_2013_6416_spec.rb
+- spec/lib/kb/codesake_dependency_version_check_spec.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
-- spec/lib/kb/cve_2004_0983_spec.rb
-- spec/lib/kb/cve_2005_1992_spec.rb
-- spec/lib/kb/cve_2005_2337_spec.rb
-- spec/lib/kb/cve_2006_1931_spec.rb
-- spec/lib/kb/cve_2006_2582_spec.rb
-- spec/lib/kb/cve_2006_3694_spec.rb
-- spec/lib/kb/cve_2006_4112_spec.rb
-- spec/lib/kb/cve_2006_5467_spec.rb
-- spec/lib/kb/cve_2006_6303_spec.rb
-- spec/lib/kb/cve_2006_6852_spec.rb
-- spec/lib/kb/cve_2006_6979_spec.rb
-- spec/lib/kb/cve_2007_0469_spec.rb
-- spec/lib/kb/cve_2007_5162_spec.rb
-- spec/lib/kb/cve_2007_5379_spec.rb
-- spec/lib/kb/cve_2007_5380_spec.rb
-- spec/lib/kb/cve_2007_5770_spec.rb
-- spec/lib/kb/cve_2007_6077_spec.rb
-- spec/lib/kb/cve_2007_6612_spec.rb
-- spec/lib/kb/cve_2008_1145_spec.rb
-- spec/lib/kb/cve_2008_1891_spec.rb
-- spec/lib/kb/cve_2008_2376_spec.rb
-- spec/lib/kb/cve_2008_2662_spec.rb
-- spec/lib/kb/cve_2008_2663_spec.rb
-- spec/lib/kb/cve_2008_2664_spec.rb
-- spec/lib/kb/cve_2008_2725_spec.rb
-- spec/lib/kb/cve_2008_3655_spec.rb
-- spec/lib/kb/cve_2008_3657_spec.rb
-- spec/lib/kb/cve_2008_3790_spec.rb
-- spec/lib/kb/cve_2008_3905_spec.rb
-- spec/lib/kb/cve_2008_4094_spec.rb
-- spec/lib/kb/cve_2008_4310_spec.rb
-- spec/lib/kb/cve_2008_5189_spec.rb
-- spec/lib/kb/cve_2008_7248_spec.rb
-- spec/lib/kb/cve_2009_4078_spec.rb
-- spec/lib/kb/cve_2009_4124_spec.rb
-- spec/lib/kb/cve_2009_4214_spec.rb
-- spec/lib/kb/cve_2010_2489_spec.rb
-- spec/lib/kb/cve_2010_3933_spec.rb
-- spec/lib/kb/cve_2011_0188_spec.rb
-- spec/lib/kb/cve_2011_0739_spec.rb
-- spec/lib/kb/cve_2011_1004_spec.rb
-- spec/lib/kb/cve_2011_1005_spec.rb
-- spec/lib/kb/cve_2011_2686_spec.rb
 - spec/lib/kb/cve_2011_2705_spec.rb
 - spec/lib/kb/cve_2011_2930_spec.rb
 - spec/lib/kb/cve_2011_3009_spec.rb
 - spec/lib/kb/cve_2011_3187_spec.rb
 - spec/lib/kb/cve_2011_4319_spec.rb
+- spec/lib/kb/cve_2012_1098_spec.rb
+- spec/lib/kb/cve_2012_2139_spec.rb
+- spec/lib/kb/cve_2012_2671_spec.rb
+- spec/lib/kb/cve_2013_0162_spec.rb
 - spec/lib/kb/cve_2013_0256_spec.rb
 - spec/lib/kb/cve_2013_0263_spec.rb
+- spec/lib/kb/cve_2013_1756_spec.rb
 - spec/lib/kb/cve_2013_2090_spec.rb
 - spec/lib/kb/cve_2013_2119_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb
@@ -473,16 +443,16 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>'
+  - - '>='
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: dawn is a security static source code analyzer for sinatra, padrino and ruby
-  on rails web applicartions.
+  on rails web applications.
 test_files:
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled
@@ -497,57 +467,20 @@ test_files:
 - spec/lib/kb/codesake_cve_2013_1655_spec.rb
 - spec/lib/kb/codesake_cve_2013_4457_spec.rb
 - spec/lib/kb/codesake_cve_2013_6416_spec.rb
+- spec/lib/kb/codesake_dependency_version_check_spec.rb
 - spec/lib/kb/codesake_ruby_version_check_spec.rb
-- spec/lib/kb/cve_2004_0983_spec.rb
-- spec/lib/kb/cve_2005_1992_spec.rb
-- spec/lib/kb/cve_2005_2337_spec.rb
-- spec/lib/kb/cve_2006_1931_spec.rb
-- spec/lib/kb/cve_2006_2582_spec.rb
-- spec/lib/kb/cve_2006_3694_spec.rb
-- spec/lib/kb/cve_2006_4112_spec.rb
-- spec/lib/kb/cve_2006_5467_spec.rb
-- spec/lib/kb/cve_2006_6303_spec.rb
-- spec/lib/kb/cve_2006_6852_spec.rb
-- spec/lib/kb/cve_2006_6979_spec.rb
-- spec/lib/kb/cve_2007_0469_spec.rb
-- spec/lib/kb/cve_2007_5162_spec.rb
-- spec/lib/kb/cve_2007_5379_spec.rb
-- spec/lib/kb/cve_2007_5380_spec.rb
-- spec/lib/kb/cve_2007_5770_spec.rb
-- spec/lib/kb/cve_2007_6077_spec.rb
-- spec/lib/kb/cve_2007_6612_spec.rb
-- spec/lib/kb/cve_2008_1145_spec.rb
-- spec/lib/kb/cve_2008_1891_spec.rb
-- spec/lib/kb/cve_2008_2376_spec.rb
-- spec/lib/kb/cve_2008_2662_spec.rb
-- spec/lib/kb/cve_2008_2663_spec.rb
-- spec/lib/kb/cve_2008_2664_spec.rb
-- spec/lib/kb/cve_2008_2725_spec.rb
-- spec/lib/kb/cve_2008_3655_spec.rb
-- spec/lib/kb/cve_2008_3657_spec.rb
-- spec/lib/kb/cve_2008_3790_spec.rb
-- spec/lib/kb/cve_2008_3905_spec.rb
-- spec/lib/kb/cve_2008_4094_spec.rb
-- spec/lib/kb/cve_2008_4310_spec.rb
-- spec/lib/kb/cve_2008_5189_spec.rb
-- spec/lib/kb/cve_2008_7248_spec.rb
-- spec/lib/kb/cve_2009_4078_spec.rb
-- spec/lib/kb/cve_2009_4124_spec.rb
-- spec/lib/kb/cve_2009_4214_spec.rb
-- spec/lib/kb/cve_2010_2489_spec.rb
-- spec/lib/kb/cve_2010_3933_spec.rb
-- spec/lib/kb/cve_2011_0188_spec.rb
-- spec/lib/kb/cve_2011_0739_spec.rb
-- spec/lib/kb/cve_2011_1004_spec.rb
-- spec/lib/kb/cve_2011_1005_spec.rb
-- spec/lib/kb/cve_2011_2686_spec.rb
 - spec/lib/kb/cve_2011_2705_spec.rb
 - spec/lib/kb/cve_2011_2930_spec.rb
 - spec/lib/kb/cve_2011_3009_spec.rb
 - spec/lib/kb/cve_2011_3187_spec.rb
 - spec/lib/kb/cve_2011_4319_spec.rb
+- spec/lib/kb/cve_2012_1098_spec.rb
+- spec/lib/kb/cve_2012_2139_spec.rb
+- spec/lib/kb/cve_2012_2671_spec.rb
+- spec/lib/kb/cve_2013_0162_spec.rb
 - spec/lib/kb/cve_2013_0256_spec.rb
 - spec/lib/kb/cve_2013_0263_spec.rb
+- spec/lib/kb/cve_2013_1756_spec.rb
 - spec/lib/kb/cve_2013_2090_spec.rb
 - spec/lib/kb/cve_2013_2119_spec.rb
 - spec/lib/kb/cve_2013_5647_spec.rb