codesake-dawn 1.1.0.rc1 → 1.1.0.rc2

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: e6f5635154af886b9fe241f81237d26881b8d355
4
- data.tar.gz: 4876b2d24472a2ed3e593433b0cfde0e0eb41242
3
+ metadata.gz: b45bb6703fbdd7c1adc81a3b6289b44c02804ddc
4
+ data.tar.gz: 8ba2c9dab525a8c1c1c036283d1d94ea115a76eb
5
5
  SHA512:
6
- metadata.gz: 9196f5452bc7611b064b2d2f9cd08e301495b91c15531272d9edba5ec98428f7578c98916499c8844c65e1eb2f727574a9eca50160f9bda93e67fbad1914e84a
7
- data.tar.gz: e7128f118a790d48eb7139d7ce429cf28de1fcca516397ced49bc621e295c3ccc4d0e37bc58d64f2522abcb5ed85e89136749b360e3cf6eeba4ef372662cc2e5
6
+ metadata.gz: 815e5aeef96ebbbc166cddba61e3495ed87c4293f035518be5aa7e69e2e1e14e40ca338c8f5ed06a003bd16b99ad2fd9c17fe023c04facfa2275d286c82d93ab
7
+ data.tar.gz: 8aad05efc5b55b5a21fb094a28138bd7d586de4e332fbb6556767787fd08e27478e8535f5257b10e8af13013beeb2ef8c78b93e22fb04a98ecfcce08a94cb6ef
Binary file
data.tar.gz.sig CHANGED
Binary file
@@ -18,6 +18,7 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
18
18
  * Added a check for CVE-2013-2512
19
19
  * Added a check for CVE-2013-2513
20
20
  * Added a check for CVE-2013-2516
21
+ * Added a check for CVE-2013-4203
21
22
  * Added a check for CVE-2013-4413
22
23
  * Added a check for CVE-2013-4489
23
24
  * Added a check for CVE-2013-4593
@@ -52,8 +53,10 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
52
53
  or just old. I enabled only check against ruby
53
54
  * Added a --seach-knowledge-base removing the optional parameter to
54
55
  --list-knowledge-base that is just for listing.
55
- * Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short option was removed
56
- * Added a --list-known-families option printing out Codesake::Dawn supported check family name
56
+ * Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short
57
+ option was removed
58
+ * Added a --list-known-families option printing out Codesake::Dawn supported
59
+ check family name
57
60
  * Removed '-f' short option for list-known-framework
58
61
  * Added family and severity to Owasp RoR Cheatsheet files
59
62
  * Add a method to return severity level. If it's provided by check constructor
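Review bot: the unchanged entry just above the rewrapped lines still reads '--seach-knowledge-base', which does not match the '--search-knowledge-base' spelling the README hunk in this diff documents. Since these changelog entries are being reflowed anyway, fix the spelling here so users searching the changelog for the option name find it.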
@@ -72,6 +75,8 @@ _latest update: Sun Mar 23 23:06:38 CET 2014_
72
75
  preferences in a .codesake-dawn.yaml file in your home directory (or you can
73
76
  use the --config-file option to specify the file you want to use). It returns
74
77
  an embedded default configuration if the supplied filename doesn't exist.
78
+ * Nokogiri DoS security checks discovered in December 2013, now have their own
79
+ CVE: CVE-2013-6460 and CVE-2013-6461
75
80
 
76
81
  ## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
77
82
 
data/README.md CHANGED
@@ -20,29 +20,11 @@ MVC (Model View Controller) frameworks, like:
20
20
 
21
21
  ---
22
22
 
23
- Codesake::Dawn version 1.0 has 142 security checks loaded in its knowledge
24
- base. Most of them are CVE bulletins, that applies to gems, framework or the
25
- ruby interpreter itself.
23
+ Codesake::Dawn version 1.1 has 169 security checks loaded in its knowledge
24
+ base. Most of them are CVE bulletins applying to gems or the ruby interpreter
25
+ itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
26
26
 
27
- You can dump all security checks in the knowledge base by using the -k
28
- flag:
29
-
30
- ```
31
- $ dawn -k|--list-knowledge-base
32
- ```
33
-
34
- Useful in scripts, you can even supply a parameter to ```-k``` flag to check if
35
- a security control has been implemented or not.
36
-
37
- ```
38
- $ dawn -k CVE-2013-6421
39
- 07:59:30 [*] dawn v1.0.0 is starting up
40
- CVE-2013-6421 found in knowledgebase.
41
-
42
- $ dawn -k this_test_does_not_exist
43
- 08:02:17 [*] dawn v1.0.0 is starting up
44
- this_test_does_not_exist not found in knowledgebase
45
- ```
27
+ ## An overall introduction
46
28
 
47
29
  When you run Codesake::Dawn on your code it parses your project Gemfile.lock
48
30
  looking for the gems used and it tries to detect the ruby interpreter version
@@ -192,6 +174,28 @@ rake dawn:run # Execute codesake-dawn on the current directory
192
174
  ...
193
175
  ```
194
176
 
177
+ ### Interacting with the knowledge base
178
+
179
+ You can dump all security checks in the knowledge base this way
180
+
181
+ ```
182
+ $ dawn --list-knowledge-base
183
+ ```
184
+
185
+ Useful in scripts, you can use ```--search-knowledge-base``` or ```-S``` with
186
+ as parameter the check name you want to see if it's implemented as a security
187
+ control or not.
188
+
189
+ ```
190
+ $ dawn -S CVE-2013-6421
191
+ 07:59:30 [*] dawn v1.1.0 is starting up
192
+ CVE-2013-6421 found in knowledgebase.
193
+
194
+ $ dawn -S this_test_does_not_exist
195
+ 08:02:17 [*] dawn v1.1.0 is starting up
196
+ this_test_does_not_exist not found in knowledgebase
197
+ ```
198
+
195
199
  ### Codesake::Dawn security scan in action
196
200
 
197
201
  As output, Codesake::Dawn will put all security checks that are failed during the scan.
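Review bot: the new "Interacting with the knowledge base" section says the search option is "useful in scripts", but the example shows only the printed messages and never states what exit status dawn returns for "found" versus "not found". A script needs that to branch reliably, so document the exit codes next to the two examples. The sentence "with as parameter the check name you want to see if it's implemented" is also hard to parse; something like "pass the check name to --search-knowledge-base (or -S) to see whether it is implemented" reads better.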
@@ -271,17 +275,15 @@ Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://gr
271
275
 
272
276
  ## Supporters
273
277
 
274
- To me as project leader it's very important to have feedbacks.
278
+ Feedbacks are great and we really love to hear your voice.
275
279
 
276
280
  If you're a proud codesake-dawn user, if you find it useful, if you integrated
277
281
  it in your release process and if you want to openly support the project you
278
- can put your reference here.
279
-
280
- You can support the project by forking the repo, adding a success story, a
281
- statement saying how do you feel the tool or your company logo as well and then
282
- submitting a pull request.
282
+ can put your reference here. Just open an
283
+ [issue](https://github.com/codesake-dawn/issues/new) with a statement saying
284
+ how do you feel the tool and your company logo if any.
283
285
 
284
- More easily you can drop an email to [me](mailto:thesp0nge@gmail.com) sending a
286
+ More easily you can drop an email to [paolo@codesake.com](mailto:paolo@codesake.com) sending a
285
287
  statement about your success story and I'll put on the
286
288
  [website](http://dawn.codesake.com/success-stories).
287
289
 
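Review bot: the issue link added in the Supporters paragraph, https://github.com/codesake-dawn/issues/new, has only one path segment before /issues, where GitHub issue URLs take the form owner/repository/issues/new. As written it is likely to lead nowhere; please check the target and use the full repository path. The same paragraph now mixes "we really love to hear your voice" with "I'll put on the website", so pick one voice.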
data/Rakefile CHANGED
@@ -24,13 +24,19 @@ task :test => :spec
24
24
  task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
25
25
  task :release => [:prepare]
26
26
 
27
+ # namespace :check do
28
+ # desc "Create a dependency check"
29
+ # task :dependency, :name do |t, args|
30
+ # end
31
+
32
+ # end
27
33
  desc "Create a new CVE test"
28
34
  task :cve, :name do |t,args|
29
35
  name = args.name
30
36
  SRC_DIR = "./lib/codesake/dawn/kb/"
31
37
  SPEC_DIR = "./spec/lib/kb/"
32
38
 
33
- raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
39
+ raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.new.find(nil, name).nil?
34
40
  raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
35
41
  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
36
42
  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
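Review bot: in the cve task the "already in Dawn knowledge base" lookup on the changed line runs before the name is validated, so a nil or empty name reaches KnowledgeBase.new.find(nil, name) first; move the "Invalid CVE title" raise above it. The pattern /CVE-\d{4}-\d{4}/ is also unanchored and fixed at four trailing digits, so any string that merely contains a match passes; anchoring it with \A and \z and allowing \d{4,} would be stricter. The commented-out namespace :check stub added above the task is dead code and is better left out until it does something.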
@@ -189,3 +195,45 @@ task :commit do
189
195
  system "git commit -v #{checksum_path} -m \"Adding #{Codesake::Dawn::VERSION} checksum to repo\""
190
196
  end
191
197
  end
198
+
199
+ ###############################################################################
200
+ # ruby-advisory-rb integration
201
+ ###############################################################################
202
+
203
+ namespace :rubysec do
204
+ desc 'Find new CVE bulletins to add to Codesake::Dawn'
205
+ task :find do
206
+ git_url = 'git@github.com:rubysec/ruby-advisory-db.git'
207
+ target_dir = './tmp/'
208
+ system "mkdir -p #{target_dir}"
209
+ system "rm -rf #{target_dir}ruby-advisory-db"
210
+ system "git clone #{git_url} #{target_dir}ruby-advisory-db"
211
+ list = []
212
+ Dir.glob("#{target_dir}ruby-advisory-db/gems/*/*.yml") do |path|
213
+ advisory = YAML.load_file(path)
214
+ if advisory['cve']
215
+ cve = "CVE-"+advisory['cve']
216
+ # Exclusion
217
+ # CVE-2007-6183 is a vulnerability in gnome2 ruby binding. Not a gem, I don't care
218
+ # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
219
+ # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
220
+ exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
221
+ if exclusion.include?(cve)
222
+ puts "#{cve} is in the exclusion list"
223
+ else
224
+ found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
225
+ puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
226
+ list << cve unless found
227
+ end
228
+ end
229
+ end
230
+ unless list.empty?
231
+ File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
232
+ f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
233
+ f.puts list
234
+ end
235
+ end
236
+ system "rm -rf #{target_dir}ruby-advisory-db"
237
+
238
+ end
239
+ end
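Review bot: the new rubysec:find task calls Codesake::Dawn::KnowledgeBase.find(nil, cve) on the class, while the cve task earlier in this same file was just changed to KnowledgeBase.new.find(nil, name); if find is an instance method, this task fails on the first advisory that is not in the exclusion list. Use the same call form in both places. The task also runs YAML.load_file over files from a freshly cloned third-party repository; parsing them with a safe loader (YAML.safe_load on the file contents) avoids instantiating arbitrary objects from data you do not control. Two smaller points: the git@github.com: clone URL only works for users with a GitHub SSH key, where an https URL would work for everyone, and the output file name says "cvs" where "cves" is presumably meant.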
data/bin/dawn CHANGED
@@ -129,7 +129,7 @@ opts.each do |opt, val|
129
129
  Kernel.exit(0)
130
130
 
131
131
  when '--list-knowledge-base'
132
- puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose])
132
+ puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose])
133
133
  Kernel.exit(0)
134
134
  when '--list-known-framework'
135
135
  puts "Ruby MVC framework supported by #{APPNAME}:"
@@ -0,0 +1 @@
1
+ 4b4c2cef33f0631d3c33eb70112bc87e30651e448733697542a643614ebe8df8cd4e42ee1a9eb043029f0b51a6fd1353ed4c7965d053e5bb8509bf3cfff772e0
@@ -118,6 +118,7 @@ module Codesake
118
118
  @check_family = :cve if !options[:name].nil? && options[:name].start_with?('CVE-')
119
119
 
120
120
  if $logger.nil?
121
+ require 'codesake-commons'
121
122
  $logger = Codesake::Commons::Logging.instance
122
123
  $logger.helo "dawn-basic-check", Codesake::Dawn::VERSION
123
124
  end
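Review bot: require 'codesake-commons' is placed inside the if $logger.nil? branch of the initializer, so a missing dependency only surfaces when the first check is constructed without a logger already set. Move the require to the top of the file so load errors appear at load time, and so the dependency is visible to readers of the file header.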
@@ -0,0 +1,27 @@
1
+ module Codesake
2
+ module Dawn
3
+ module Kb
4
+ # Automatically created with rake on 2014-03-28
5
+ class CVE_2013_4203
6
+ include DependencyCheck
7
+
8
+ def initialize
9
+ message = "The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors."
10
+ super({
11
+ :name=>"CVE-2013-4203",
12
+ :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
+ :release_date => Date.new(2013, 10, 11),
14
+ :cwe=>"94",
15
+ :owasp=>"A9",
16
+ :applies=>["rails", "sinatra", "padrino"],
17
+ :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
+ :message=>message,
19
+ :mitigation=>"Please upgrade rgpg at least to version 0.2.3. As a general rule, using the latest stable rails version is recommended.",
20
+ :aux_links=>["http://www.openwall.com/lists/oss-security/2013/08/03/2"]
21
+ })
22
+ self.safe_dependencies = [{:name=>"rgpg", :version=>['0.2.3']}]
23
+ end
24
+ end
25
+ end
26
+ end
27
+ end
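Review bot: the :mitigation string for CVE-2013-4203 ends with "As a general rule, using the latest stable rails version is recommended", but this check concerns the rgpg gem and safe_dependencies lists only rgpg 0.2.3. That sentence looks carried over from a Rails check template and will mislead users reading the report; drop it or replace it with advice about keeping rgpg current.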
@@ -2,13 +2,13 @@ module Codesake
2
2
  module Dawn
3
3
  module Kb
4
4
 
5
- class NokogiriDos20131217_a
5
+ class CVE_2013_6460_a
6
6
  include DependencyCheck
7
7
 
8
8
  def initialize
9
9
  message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
10
10
  super({
11
- :name=>"NokogiriDos20131217_a",
11
+ :name=>"CVE_2013_6460_a",
12
12
  :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
13
13
  })
14
14
  self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
@@ -16,12 +16,12 @@ module Codesake
16
16
 
17
17
  end
18
18
 
19
- class NokogiriDos20131217_b
19
+ class CVE_2013_6460_b
20
20
  include RubyVersionCheck
21
21
  def initialize
22
22
  message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
23
23
  super({
24
- :name=>"NokogiriDos20131217_b",
24
+ :name=>"CVE_2013_6460_b",
25
25
  :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
26
26
  })
27
27
  self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
@@ -29,15 +29,15 @@ module Codesake
29
29
  end
30
30
  end
31
31
 
32
- class NokogiriDos20131217
32
+ class CVE_2013_6460
33
33
  include ComboCheck
34
34
 
35
35
  def initialize
36
36
  message = "There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension. Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash."
37
37
 
38
38
  super({
39
- :name=>"Nokogiri - Denial of service - 20131217",
40
- :cvss=>"",
39
+ :name=>"CVE-2013-6460",
40
+ :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
41
41
  :release_date => Date.new(2013, 12, 15),
42
42
  :cwe=>"",
43
43
  :owasp=>"A9",
@@ -45,12 +45,9 @@ module Codesake
45
45
  :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
46
46
  :message=>message,
47
47
  :mitigation=>"Please upgrade nokogiri gem to a newer version",
48
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
49
- :checks=>[NokogiriDos20131217_a.new, NokogiriDos20131217_b.new]
48
+ :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA", "https://access.redhat.com/security/cve/CVE-2013-6460"],
49
+ :checks=>[CVE_2013_6460_a.new, CVE_2013_6460_b.new]
50
50
  })
51
-
52
-
53
-
54
51
  end
55
52
  end
56
53
  end
@@ -2,13 +2,13 @@ module Codesake
2
2
  module Dawn
3
3
  module Kb
4
4
 
5
- class Nokogiri_EntityExpansion_Dos_20131217_a
5
+ class CVE_2013_6461_a
6
6
  include DependencyCheck
7
7
 
8
8
  def initialize
9
9
  message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used"
10
10
  super({
11
- :name=>"Nokogiri_EntityExpansion_Dos_20131217_a",
11
+ :name=>"CVE_2013_6461_a",
12
12
  :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
13
13
  })
14
14
  self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.1', '1.5.11']}]
@@ -16,27 +16,27 @@ module Codesake
16
16
 
17
17
  end
18
18
 
19
- class Nokogiri_EntityExpansion_Dos_20131217_b
19
+ class CVE_2013_6461_b
20
20
  include RubyVersionCheck
21
21
  def initialize
22
22
  message = "Vulnerability arises when Nokogiri version 1.6.0 and 1.5.x (x<11) is used with JRuby"
23
23
  super({
24
- :name=>"Nokogiri_EntityExpansion_Dos_20131217_b",
24
+ :name=>"CVE_2013_6461_b",
25
25
  :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
26
26
  })
27
27
  self.safe_rubies = [ {:engine=>"jruby", :version=>"99.99.99", :patchlevel=>"p999"}]
28
28
  end
29
29
  end
30
30
 
31
- class Nokogiri_EntityExpansion_Dos_20131217
31
+ class CVE_2013_6461
32
32
  include ComboCheck
33
33
 
34
34
  def initialize
35
35
  message = "There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension. Attackers can send
36
36
  XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash."
37
37
  super({
38
- :name=>"Nokogiri - Entity expasion denial of service - 20131217",
39
- :cvss=>"",
38
+ :name=>"CVE-2013-6461",
39
+ :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
40
40
  :release_date => Date.new(2013, 12, 15),
41
41
  :cwe=>"",
42
42
  :owasp=>"A9",
@@ -45,7 +45,7 @@ XML documents with carefully crafted entity expansion strings which can cause th
45
45
  :message=>message,
46
46
  :mitigation=>"Please upgrade nokogiri gem to a newer version",
47
47
  :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA"],
48
- :checks=>[Nokogiri_EntityExpansion_Dos_20131217_a.new, Nokogiri_EntityExpansion_Dos_20131217_b.new]
48
+ :checks=>[CVE_2013_6461_a.new, CVE_2013_6461_b.new]
49
49
  })
50
50
 
51
51
 
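Review bot: CVE_2013_6461 keeps only the ruby-security-ann link in :aux_links, while the matching change to CVE_2013_6460 in this diff also added a CVE-specific reference. Add the corresponding reference for CVE-2013-6461 so both checks point users at the same kind of source. In both classes :cwe is still an empty string even though :cvss is now filled in; set it or omit the key.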
@@ -31,13 +31,6 @@ require 'codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files'
31
31
  # https://groups.google.com/forum/#!topic/ruby-security-ann/flHbLMb07tE
32
32
  require "codesake/dawn/kb/simpleform_xss_20131129"
33
33
 
34
- # Two different denial of service issues affecting Nokogiri gem when using Jruby interpreter
35
- # December, 17 2013
36
- #
37
- # https://groups.google.com/forum/#!topic/ruby-security-ann/DeJpjTAg1FA
38
- require "codesake/dawn/kb/nokogiri_dos_20131217"
39
- require "codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217"
40
-
41
34
  # CVE - 2004
42
35
  require "codesake/dawn/kb/cve_2004_0755"
43
36
  require "codesake/dawn/kb/cve_2004_0983"
@@ -189,6 +182,7 @@ require "codesake/dawn/kb/cve_2013_2616"
189
182
  require "codesake/dawn/kb/cve_2013_2617"
190
183
  require "codesake/dawn/kb/cve_2013_3221"
191
184
  require "codesake/dawn/kb/cve_2013_4164"
185
+ require "codesake/dawn/kb/cve_2013_4203"
192
186
  require "codesake/dawn/kb/cve_2013_4389"
193
187
  require "codesake/dawn/kb/cve_2013_4413"
194
188
  require "codesake/dawn/kb/cve_2013_4457"
@@ -207,6 +201,8 @@ require "codesake/dawn/kb/cve_2013_6416"
207
201
  require "codesake/dawn/kb/cve_2013_6417"
208
202
  require "codesake/dawn/kb/cve_2013_6421"
209
203
  require "codesake/dawn/kb/cve_2013_6459"
204
+ require "codesake/dawn/kb/cve_2013_6460"
205
+ require "codesake/dawn/kb/cve_2013_6461"
210
206
  require "codesake/dawn/kb/cve_2013_7086"
211
207
 
212
208
  # CVE - 2014
@@ -425,6 +421,7 @@ module Codesake
425
421
  Codesake::Dawn::Kb::CVE_2013_2617.new,
426
422
  Codesake::Dawn::Kb::CVE_2013_3221.new,
427
423
  Codesake::Dawn::Kb::CVE_2013_4164.new,
424
+ Codesake::Dawn::Kb::CVE_2013_4203.new,
428
425
  Codesake::Dawn::Kb::CVE_2013_4389.new,
429
426
  Codesake::Dawn::Kb::CVE_2013_4413.new,
430
427
  Codesake::Dawn::Kb::CVE_2013_4457.new,
@@ -443,6 +440,8 @@ module Codesake
443
440
  Codesake::Dawn::Kb::CVE_2013_6417.new,
444
441
  Codesake::Dawn::Kb::CVE_2013_6421.new,
445
442
  Codesake::Dawn::Kb::CVE_2013_6459.new,
443
+ Codesake::Dawn::Kb::CVE_2013_6460.new,
444
+ Codesake::Dawn::Kb::CVE_2013_6461.new,
446
445
  Codesake::Dawn::Kb::CVE_2013_7086.new,
447
446
  Codesake::Dawn::Kb::CVE_2014_0036.new,
448
447
  Codesake::Dawn::Kb::CVE_2014_0080.new,
@@ -471,8 +470,6 @@ module Codesake
471
470
  @aux_checks =
472
471
  [
473
472
  Codesake::Dawn::Kb::SimpleForm_Xss_20131129.new,
474
- Codesake::Dawn::Kb::NokogiriDos20131217.new,
475
- Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217.new,
476
473
  ]
477
474
 
478
475
  ret = []
@@ -17,11 +17,12 @@ module Codesake
17
17
  # |"Holly Shiftwell"| 5.0.0 |
18
18
  # | "Guido" | 6.0.0 |
19
19
  # | "Luigi" | 7.0.0 |
20
+ # | "Doc Hudson" | 8.0.0 |
20
21
 
21
- VERSION = "1.1.0.rc1"
22
+ VERSION = "1.1.0.rc2"
22
23
  CODENAME = "Lightning McQueen"
23
24
  #RELEASE = "(development)"
24
- RELEASE = "20140326"
25
+ RELEASE = "20140328"
25
26
 
26
27
  end
27
28
  end
@@ -427,15 +427,15 @@ describe "The Codesake Dawn knowledge base" do
427
427
  sc.class.should == Codesake::Dawn::Kb::CVE_2013_6417
428
428
  end
429
429
 
430
- it "must have test for NokogiriDos20131217_1" do
431
- sc = kb.find("Nokogiri - Denial of service - 20131217")
430
+ it "must have test for CVE-2013-6460" do
431
+ sc = kb.find("CVE-2013-6460")
432
432
  sc.should_not be_nil
433
- sc.class.should == Codesake::Dawn::Kb::NokogiriDos20131217
433
+ sc.class.should == Codesake::Dawn::Kb::CVE_2013_6460
434
434
  end
435
- it "must have test for Nokogiri_EntityExpansion_Dos_20131217" do
436
- sc = kb.find("Nokogiri - Entity expasion denial of service - 20131217")
435
+ it "must have test for CVE-2013-6461" do
436
+ sc = kb.find("CVE-2013-6461")
437
437
  sc.should_not be_nil
438
- sc.class.should == Codesake::Dawn::Kb::Nokogiri_EntityExpansion_Dos_20131217
438
+ sc.class.should == Codesake::Dawn::Kb::CVE_2013_6461
439
439
  end
440
440
  it "must have test for CVE-2013-4478" do
441
441
  sc = kb.find("CVE-2013-4478")
@@ -877,4 +877,9 @@ end
877
877
  sc.should_not be_nil
878
878
  sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
879
879
  end
880
+ it "must have test for CVE-2013-4203" do
881
+ sc = kb.find("CVE-2013-4203")
882
+ sc.should_not be_nil
883
+ sc.class.should == Codesake::Dawn::Kb::CVE_2013_4203
884
+ end
880
885
  end
@@ -0,0 +1,15 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2013-4203 vulnerability" do
3
+ before(:all) do
4
+ @check = Codesake::Dawn::Kb::CVE_2013_4203.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when a vulnerable rgpg version is detected (0.2.2)" do
8
+ @check.dependencies = [{:name=>"rgpg", :version=>"0.2.2"}]
9
+ @check.vuln?.should be_true
10
+ end
11
+ it "is not reported when a safe rgpg version is detected (0.2.3)" do
12
+ @check.dependencies = [{:name=>"rgpg", :version=>"0.2.3"}]
13
+ @check.vuln?.should be_false
14
+ end
15
+ end
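Review bot: the new spec for CVE-2013-4203 exercises only the two boundary versions, 0.2.2 and 0.2.3. Add a case for a release newer than the fixed one and a case where the dependency list does not contain rgpg at all, so the test pins down that vuln? is false for later versions and for projects that do not use the gem.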
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: codesake-dawn
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.1.0.rc1
4
+ version: 1.1.0.rc2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
30
30
  Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
31
31
  1LyVQIFlhF6nL0casp0ixer8N60=
32
32
  -----END CERTIFICATE-----
33
- date: 2014-03-27 00:00:00.000000000 Z
33
+ date: 2014-03-28 00:00:00.000000000 Z
34
34
  dependencies:
35
35
  - !ruby/object:Gem::Dependency
36
36
  name: codesake-commons
@@ -282,6 +282,7 @@ files:
282
282
  - bin/dawn
283
283
  - certs/paolo_at_codesake_dot_com.pem
284
284
  - checksum/.placeholder
285
+ - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
285
286
  - codesake-dawn.gemspec
286
287
  - doc/codesake-dawn.yaml.sample
287
288
  - doc/dawn_1_0_announcement.md
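Review bot: the files list of the 1.1.0.rc2 gem now includes checksum/codesake-dawn-1.1.0.rc1.gem.sha512, so each release ships the previous release's checksum inside the package. A checksum stored inside a gem cannot be used to verify that gem, and one for an older version is of no use to someone who has just installed rc2. Consider excluding the checksum/ directory from the gemspec files and publishing the checksums where users can fetch them independently of the gem.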
@@ -427,6 +428,7 @@ files:
427
428
  - lib/codesake/dawn/kb/cve_2013_2617.rb
428
429
  - lib/codesake/dawn/kb/cve_2013_3221.rb
429
430
  - lib/codesake/dawn/kb/cve_2013_4164.rb
431
+ - lib/codesake/dawn/kb/cve_2013_4203.rb
430
432
  - lib/codesake/dawn/kb/cve_2013_4389.rb
431
433
  - lib/codesake/dawn/kb/cve_2013_4413.rb
432
434
  - lib/codesake/dawn/kb/cve_2013_4457.rb
@@ -445,6 +447,8 @@ files:
445
447
  - lib/codesake/dawn/kb/cve_2013_6417.rb
446
448
  - lib/codesake/dawn/kb/cve_2013_6421.rb
447
449
  - lib/codesake/dawn/kb/cve_2013_6459.rb
450
+ - lib/codesake/dawn/kb/cve_2013_6460.rb
451
+ - lib/codesake/dawn/kb/cve_2013_6461.rb
448
452
  - lib/codesake/dawn/kb/cve_2013_7086.rb
449
453
  - lib/codesake/dawn/kb/cve_2014_0036.rb
450
454
  - lib/codesake/dawn/kb/cve_2014_0080.rb
@@ -456,8 +460,6 @@ files:
456
460
  - lib/codesake/dawn/kb/cve_2014_2538.rb
457
461
  - lib/codesake/dawn/kb/dependency_check.rb
458
462
  - lib/codesake/dawn/kb/deprecation_check.rb
459
- - lib/codesake/dawn/kb/nokogiri_dos_20131217.rb
460
- - lib/codesake/dawn/kb/nokogiri_entityexpansion_dos_20131217.rb
461
463
  - lib/codesake/dawn/kb/not_revised_code.rb
462
464
  - lib/codesake/dawn/kb/operating_system_check.rb
463
465
  - lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb
@@ -517,6 +519,7 @@ files:
517
519
  - spec/lib/kb/cve_2013_2512_spec.rb
518
520
  - spec/lib/kb/cve_2013_2513_spec.rb
519
521
  - spec/lib/kb/cve_2013_2516_spec.rb
522
+ - spec/lib/kb/cve_2013_4203_spec.rb
520
523
  - spec/lib/kb/cve_2013_4413_spec.rb
521
524
  - spec/lib/kb/cve_2013_4489_spec.rb
522
525
  - spec/lib/kb/cve_2013_4593_spec.rb
@@ -605,6 +608,7 @@ test_files:
605
608
  - spec/lib/kb/cve_2013_2512_spec.rb
606
609
  - spec/lib/kb/cve_2013_2513_spec.rb
607
610
  - spec/lib/kb/cve_2013_2516_spec.rb
611
+ - spec/lib/kb/cve_2013_4203_spec.rb
608
612
  - spec/lib/kb/cve_2013_4413_spec.rb
609
613
  - spec/lib/kb/cve_2013_4489_spec.rb
610
614
  - spec/lib/kb/cve_2013_4593_spec.rb
metadata.gz.sig CHANGED
Binary file