codesake-dawn 1.0.6 → 1.1.0.rc1

data/Rakefile

@@ -14,16 +14,18 @@ Cucumber::Rake::Task.new(:features) do |t|
   t.fork = false
 end
 
-RSpec::Core::RakeTask.new do |t| 
+RSpec::Core::RakeTask.new do |t|
   t.rspec_opts = ["--color"]
 end
 
 
 task :default => [ :spec, :features, :kb ]
 task :test => :spec
+task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
+task :release => [:prepare]
 
 desc "Create a new CVE test"
-task :cve, :name do |t,args| 
+task :cve, :name do |t,args|
   name      = args.name
   SRC_DIR   = "./lib/codesake/dawn/kb/"
   SPEC_DIR  = "./spec/lib/kb/"
@@ -87,7 +89,7 @@ end
 
 
 desc "Create a new Generic security check"
-task :check, :name do |t,args| 
+task :check, :name do |t,args|
   name      = args.name
   SRC_DIR   = "./lib/codesake/dawn/kb/"
   SPEC_DIR  = "./spec/lib/kb/"
@@ -165,3 +167,25 @@ task :kb do
   puts "KnowledgeBase.md file successfully generated"
 
 end
+
+require 'digest/sha2'
+namespace :checksum do
+
+desc 'Calculate gem checksum'
+task :calculate do
+  system 'mkdir -p checksum > /dev/null'
+  built_gem_path = "pkg/codesake-dawn-#{Codesake::Dawn::VERSION}.gem"
+  checksum = Digest::SHA512.new.hexdigest(File.read(built_gem_path))
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  File.open(checksum_path, 'w' ) {|f| f.write(checksum) }
+
+  puts "#{checksum_path}: #{checksum}"
+end
+
+desc 'Add and commit latest checksum'
+task :commit do
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  system "git add #{checksum_path}"
+  system "git commit -v #{checksum_path} -m \"Adding #{Codesake::Dawn::VERSION} checksum to repo\""
+end
+end

data/Roadmap.md

@@ -7,7 +7,7 @@ frameworks.
 
 This is an ongoing roadmap for the Codesake::Dawn source code review tool.
 
-_latest update: Fri Jan 17 08:09:29 CET 2014_
+_latest update: Thu Jan 30 08:39:13 CET 2014_
 
 ## Version 1.1.0
 
@@ -27,6 +27,29 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 * CVE-2012-6109
 * CVE-2011-5036
 * CVE-2007-6183
+* adding test for RoRCheatSheet\_2
+* adding test for RoRCheatSheet\_3
+* adding test for RoRCheatSheet\_5
+* adding test for RoRCheatSheet\_6
+* adding test for RoRCheatSheet\_9
+* adding test for RoRCheatSheet\_10
+* adding test for RoRCheatSheet\_11
+* adding test for RoRCheatSheet\_12
+* adding test for RoRCheatSheet\_13
+* adding test for RoRCheatSheet\_14
+* adding test for RoRCheatSheet\_15
+* adding test for RoRCheatSheet\_16
+* add a check against deprecated ruby / gems version. I will handle MVC gems
+  right now.
+* Better bin/dawn script output formatting using some library like PrettyPrint
+  (this can involve a change in codesake-commons package). We will use tables
+  to create ascii organized reports.
+* Create a digital signature as described [here](http://rubygems.rubyforge.org/rubygems-update/Gem/Security.html)
+* bin/dawn refactoring using the new Reporting class to produce json, csv, html output
+* add config file with setting (css directory, report options, ...)
+
+## Version 1.2.0
+
 * move is\_vulnerable\_version? and is\_vulnerable\_patchlevel? to an adhoc
   class handling version comparison
 * add @rubysec vulnerability database integration using rake
@@ -34,56 +57,40 @@ _latest update: Fri Jan 17 08:09:29 CET 2014_
 * add a language check. It will handle a ruby script as input and a
   ruby\_parser line as unsafe pattern. It will compile the ruby and look for
   the unsafe pattern
-* add a check against deprecated ruby / gems version. I will handle MVC gems
-  right now.
-* Improving HTML output as described in issue #7
+* Add preliminary Cross Site Scripting detection for Ruby on Rails.
+* Issue #40: Support for string version modifiers
+* Issue #7: Improving HTML output and let the user the capability to provide a
+  basic layout to customize report
 * Add a --github option to Codesake::Dawn to clone a remote repository, perform
   a bundle install and do a code review.
 * Add support for github hooks
-* Add a ruby deprecation check, accordingly to https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+* Add a ruby deprecation check, accordingly to
+  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
 * Add a severity attribute to basic check. It must be calculated automatically
   on the cvss_score or it may be overriden upon check creation.
-* Better bin/dawn script output formatting using some library like PrettyPrint
-  (this can involve a change in codesake-commons package).
 
-## Version 1.2.0
+## Version 1.3.0
 
-* adding test for RoRCheatSheet\_2
-* adding test for RoRCheatSheet\_3
-* adding test for RoRCheatSheet\_5
-* adding test for RoRCheatSheet\_6
-* adding test for RoRCheatSheet\_9
-* adding test for RoRCheatSheet\_10
-* adding test for RoRCheatSheet\_11
-* adding test for RoRCheatSheet\_12
-* adding test for RoRCheatSheet\_13
-* adding test for RoRCheatSheet\_14
-* adding test for RoRCheatSheet\_15
-* adding test for RoRCheatSheet\_16
-* preliminary javascript support
+* Add support for ERB for in detect\_views 
+* Add preliminary javascript support
 * adding test for CVE-2011-4969  XSS in jquery < 1.6.2 
-
-## Version 1.5.0
-
 * add support for pure Rack applications
-* detect stored XSS in Rails applications
-* detect reflected XSS in Rails applications
-* detect insecure direct object reference in Rails applications
-* detect SQLi in Sinatra applications
-* detect SQLi in Padrino applications
-* detect sinks for XSS in Padrino applications
-* detect reflected XSS in Padrino applications
-* detect stored XSS in Sinatra applications
-* detect stored XSS in Padrino applications
-* detect insecure direct object reference in Sinatra applications
-* detect insecure direct object reference in Padrino applications
-* support ERB for in detect\_views (for both Sinatra and Padrino)
-* detect SQLi in Rails applications
-* automatic mitigation patch generation 
+* Cross Site Scripting detection: it must be done for all MVC frameworks
+  (including Rack) and it must cover either reflected than stored attack
+  patterns
+* Add premilinary SQL injection detection for Ruby on Rails
 
+## Version 1.5.0
 
-## Version 2.0.0
-* node.js support
+* Add insecure direct object reference detection for all MVC frameworks (including Rack)
+* SQL Injection detection: it must be done for all MVC frameworks (including Rack)
+* Add automatic mitigation patch generation 
 * SQLite3 integration for saving data. Each project will have its own SQLite
   database containing reviews, findings and all. A table with Codesake::Dawn version it
   created the database will be inserted as well
+* Add support for Javascript
+
+## Version 2.0.0
+
+* Add support for node.js
+* Add support for Go

data/bin/dawn

@@ -2,6 +2,9 @@
 
 require 'getoptlong'
 require 'json'
+require 'terminal-table'
+
+require 'justify'
 
 require 'codesake-commons'
 require 'codesake-dawn'
@@ -11,62 +14,123 @@ LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
 $logger  = Codesake::Commons::Logging.instance
-$logger.helo APPNAME, Codesake::Dawn::VERSION
 opts    = GetoptLong.new(
+  # report formatting options
+  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
+  [ '--json',                   '-j',   GetoptLong::NO_ARGUMENT],
+  [ '--html',                   '-H',   GetoptLong::NO_ARGUMENT],
+
+  # MVC forcing
   [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
   [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
   [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
-  [ '--gem-lock',               '-G',   GetoptLong::OPTIONAL_ARGUMENT],  
-  [ '--list-known-framework',   '-f',   GetoptLong::NO_ARGUMENT],
-  [ '--list-knowledgebase',     '-k',   GetoptLong::OPTIONAL_ARGUMENT],
-  [ '--output',                 '-o',   GetoptLong::REQUIRED_ARGUMENT],
-  [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
-  [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
+
+  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT],
   [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
   [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
+
+  # Disable checks by family type
+  [ '--disable-cve-bulletins',          GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-quality',           GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-style',             GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-ror-cheatsheet',   GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-top-10',           GetoptLong::NO_ARGUMENT],
+
+  # Search knowledge base
+  [ '--search-knowledge-base',  '-S',   GetoptLong::REQUIRED_ARGUMENT],
+  # List stuff
+  [ '--list-knowledge-base',            GetoptLong::NO_ARGUMENT],
+  [ '--list-known-framework',           GetoptLong::NO_ARGUMENT],
+  [ '--list-known-families',            GetoptLong::NO_ARGUMENT],
+  # please save output to file
+  [ '--file',                   '-F',   GetoptLong::REQUIRED_ARGUMENT],
+  # specify an alternate config file
+  [ '--config-file',            '-c',   GetoptLong::REQUIRED_ARGUMENT],
+
+  # service options
+  [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
+  [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
   [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
   [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
 )
+opts.quiet=true
+
 engine  = nil
-options = {:verbose=>false, :output=>"console", :count_only=>false, :dump_kb=>false, :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :debug=>false, :exit_on_warn => false}
 
-trap("INT")   { $logger.die('[INTERRUPTED]') }
+
+options = Codesake::Dawn::Core.read_conf(Codesake::Dawn::Core.find_conf(true))
 check = ""
 guess = {:name=>"", :version=>"", :connected_gems=>[]}
 
-
+begin
 opts.each do |opt, val|
   case opt
   when '--version'
     puts "#{Codesake::Dawn::VERSION} [#{Codesake::Dawn::CODENAME}]"
     Kernel.exit(0)
+  when '--config-file'
+    options = Codesake::Dawn::Core.read_conf(val)
+  when '--disable-cve-bulletins'
+    options[:enabled_checks].delete(:cve_bulletin)
+  when '--disable-code-quality'
+    options[:enabled_checks].delete(:code_quality)
+  when '--disable-code-style'
+    options[:enabled_checks].delete(:code_style)
+  when '--disable-owasp-ror-cheatsheet'
+    options[:enabled_checks].delete(:owasp_ror_cheatsheet)
+  when '--disable-owasp-top-10'
+    options[:enabled_checks].delete(:owasp_top_10_1)
+    options[:enabled_checks].delete(:owasp_top_10_2)
+    options[:enabled_checks].delete(:owasp_top_10_3)
+    options[:enabled_checks].delete(:owasp_top_10_4)
+    options[:enabled_checks].delete(:owasp_top_10_5)
+    options[:enabled_checks].delete(:owasp_top_10_6)
+    options[:enabled_checks].delete(:owasp_top_10_7)
+    options[:enabled_checks].delete(:owasp_top_10_8)
+    options[:enabled_checks].delete(:owasp_top_10_9)
+    options[:enabled_checks].delete(:owasp_top_10_10)
+  when '--list-known-families'
+    printf "Codesake::Dawn supports following check families:\n\n"
+    puts Codesake::Dawn::Kb::BasicCheck.families
+    Kernel.exit(0)
+  when '--json'
+    options[:output] = "json"
+  when '--ascii-tabular-report'
+    options[:output] = "tabular"
+  when '--html'
+    options[:output] = "html"
   when '--rails'
     options[:mvc]=:rails
   when '--sinatra'
     options[:mvc]=:sinatra
   when '--padrino'
     options[:mvc]=:padrino
+  when '--file'
+    options[:filename] = val
   when '--gem-lock'
     options[:gemfile_scan] = true
-    options[:gemfile_name] = val unless val.nil?
-    guess = Codesake::Dawn::Core.guess_mvc(val)
-    $logger.log "Guessed MVC: #{guess[:name]} v#{guess[:version]}"
-    
+    unless val.empty?
+      options[:gemfile_name] = val 
+      guess = Codesake::Dawn::Core.guess_mvc(val)
+    end
   when '--verbose'
     options[:verbose]=true
-  when '--output'
-    options[:output] = val unless VALID_OUTPUT_FORMAT.find_index(val).nil?
   when '--count-only'
-    options[:count_only] = true
+    options[:output] = "count"
   when '--debug'
     options[:debug] = true
   when '--exit-on-warn'
     options[:exit_on_warn] = true
 
-  when '--list-knowledgebase'
-    options[:dump_kb]=true
-    check = val unless val.nil?
-   
+  when '--search-knowledge-base'
+    found = Codesake::Dawn::KnowledgeBase.find(nil, val)
+    puts "#{val} found in knowledgebase." if found
+    puts "#{val} not found in knowledgebase" if ! found
+    Kernel.exit(0)
+
+  when '--list-knowledge-base'
+    puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose]) 
+    Kernel.exit(0)
   when '--list-known-framework'
     puts "Ruby MVC framework supported by #{APPNAME}:"
     LIST_KNOWN_FRAMEWORK.each do |mvc|
@@ -77,23 +141,21 @@ opts.each do |opt, val|
     Kernel.exit(Codesake::Dawn::Core.help)
   end
 end
+rescue GetoptLong::InvalidOption => e
 
-if options[:dump_kb]
-  puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose]) if check.empty?
-  if ! check.empty?
-    found = Codesake::Dawn::KnowledgeBase.find(nil, check)
-    puts "#{check} found in knowledgebase." if found
-    puts "#{check} not found in knowledgebase" if ! found
-  end
-
-  Kernel.exit(0)
+  $logger.helo APPNAME, Codesake::Dawn::VERSION
+  $logger.err e.message
+  Kernel.exit(Codesake::Dawn::Core.help)
 end
 
 target=ARGV.shift
 
+$logger.helo APPNAME, Codesake::Dawn::VERSION
+trap("INT")   { $logger.die('[INTERRUPTED]') }
 $logger.die("missing target") if target.nil? && options[:gemfile_name].nil?
 $logger.die("invalid directory (#{target})") if options[:gemfile_name].nil?  &&! Codesake::Dawn::Core.is_good_target?(target) 
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
+$logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
 
 ## MVC auto detect.
@@ -105,13 +167,13 @@ unless options[:gemfile_scan]
   rescue ArgumentError => e
     $logger.die(e.message)
   end
+else
+  engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
 end
 
-
 engine = Codesake::Dawn::Rails.new(target)                      if options[:mvc] == :rails && options[:gemfile_scan].nil?
 engine = Codesake::Dawn::Sinatra.new(target)                    if options[:mvc] == :sinatra && options[:gemfile_scan].nil?
 engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino && options[:gemfile_scan].nil? 
-engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], options[:debug], guess) if options[:gemfile_scan]
 
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
@@ -123,67 +185,23 @@ if options[:exit_on_warn]
   end
 end
 
-if options[:count_only] 
-  ret = Codesake::Dawn::Core.dry_run(target, engine)
-
-  puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
-  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
-  Kernel.exit(0)
-end
-
-if options[:output] == "json"
-  puts Codesake::Dawn::Core.output_json_run(target, engine) 
-  Kernel.exit(0)
+if options[:debug]
+  $logger.warn "putting engine in debug mode"
+  engine.debug = true
 end
 
 $logger.die "missing target framework option" if engine.nil?
-
-engine.load_knowledge_base
 $logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
-
 $logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply? 
 
-$logger.log "scanning #{target}"
-$logger.log "#{engine.name} v#{engine.get_mvc_version} detected" unless engine.name == "Gemfile.lock"
-$logger.log "#{engine.force} v#{engine.get_mvc_version} detected" if engine.name == "Gemfile.lock"
-$logger.log "applying all security checks" 
-if engine.apply_all 
-  $logger.log "#{engine.applied_checks} security checks applied - #{engine.skipped_checks} security checks skipped"
-else
-  $logger.err "no security checks in the knowledge base"
-end
-
-if engine.count_vulnerabilities != 0
-  $logger.log "#{engine.count_vulnerabilities} vulnerabilities found"
-  engine.vulnerabilities.each do |vuln|
-    $logger.err "#{vuln[:name]} check failed"
-    $logger.log "Description: #{vuln[:message]}" 
-    $logger.log "Solution: #{vuln[:remediation]}"
-    $logger.log "Evidence:"
-    vuln[:evidences].each do |evidence|
-      $logger.log "\t#{evidence}"
-    end
-  end
-  if engine.has_reflected_xss?
-    $logger.log "#{engine.reflected_xss.count} reflected XSS found"
-    engine.reflected_xss.each do |vuln|
-      $logger.log "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
-      $logger.err "evidence: #{vuln[:sink_evidence]}"
-    end
-  end
-
-else
-  $logger.ok "no vulnerabilities found."
-end
+engine.load_knowledge_base(options[:enabled_checks])
+ret = engine.apply_all
 
-if engine.mitigated_issues.count != 0
-  $logger.log "#{engine.mitigated_issues.count} mitigated vulnerabilities found"
-  engine.mitigated_issues.each do |vuln|
-    $logger.ok "#{vuln[:name]} mitigated"
-    vuln[:evidences].each do |evidence|
-      $logger.err evidence
-    end
-  end
+if options[:output] == "count" 
+  puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
+  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+  Kernel.exit(0)
 end
 
+Codesake::Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
 $logger.bye