codesake-dawn 1.1.3 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3cb817c04da264b3660491ef777d7587d0ef3fac
-  data.tar.gz: 45d432e7628eca11e300c2d15b65b1db181e39ee
+  metadata.gz: e522602b2fa152943afdffcd24542df92560031d
+  data.tar.gz: e6e6ec7e1b4ee9bdbc8ddbe44f89664a685022a0
 SHA512:
-  metadata.gz: 33261298a42ed1929845a29379f278b01bc445a892cb35c695568341aafe717a5b51b16333f99781fe67acde8dfd9ec35a0a2d7298de6f4f5ea2056bb3089f92
-  data.tar.gz: 086af2f4ac028b0443dc38fbf1f5cadf48f8bfae4015f572d0438d2ae0d3006e3edba384221ffa453e27be022d687fa4f9706e6e28960bcc10955856d20ebbe5
+  metadata.gz: cebd297a2651ce699f417ee3c392015cd816b51a94c7af558955fee6e87f3e7b640ea022919de994a0efbd568234f933a1089f4cda9e3b8d7332b6056e95ee37
+  data.tar.gz: 8b2227e6e41eed184e85e91d0e116cc3571c64fa0510b2685fa892ab0f58a447ed258aa80b361356d71b0d4ecc41bbffaea5e54e2644cde3094ec9799e5d4b29

data/Changelog.md

@@ -5,7 +5,31 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Fri Apr 18 07:55:10 CEST 2014_
+_latest update: Fri Jul 11 18:06:30 CEST 2014_
+
+## Version 1.2.0 - codename: Lightning McQueen (2014-07-14)
+
+* Adding a check for OSVDB-108569: information disclosure in backup_checksum
+  gem (issue #69)
+* Fix issue #74. Now BasicChack has its own cve, osvdb attributes and a rake
+  task will perform a sanity check if those values have been initialized
+* Fix issue #62 about codesake-dawn config filename
+* Adding a check for CVE-2013-2105: HTML injection in show_in_browser rubygem
+* Fixing issue #68. I moved some file variable operation after the check for
+  nil value. I can't reproduce on my station the offending bug :-(
+* Adding a check for OSVDB-108570: arbitrary command execution for
+  backup_checksum gem (issue #70)
+* Adding a check for OSVDB-108530: remote code execution for kajam gem (issue
+  #71)
+* Adding a check for OSVDB-108563: remote code execution in gyazo rubygem
+  (issue #72)
+* Adding a check for CVE-2014-3482: SQL Injection on Rails 3.2.x due to
+  PostgreSQL adapter for active record (issue #73)
+* Adding a check for CVE-2014-3483: Ruby on Rails 4.x SQL Injection due to
+  PostgreSQL adapter (issue #75)
+* Fix issue #76 about codesake-dawn gem name being changed. On November 1st,
+  2014 we will rename the codesake-dawn name to just 'dawn' cleaning up also
+  the namespace.
 
 ## Version 1.1.3 - codename: Lightning McQueen (2014-05-06)
 

data/KnowledgeBase.md

@@ -1,6 +1,6 @@
 # Codesake::Dawn Knowledge base
 
-The knowledge base library for Codesake::Dawn version 1.1.0 contains 171 security checks.
+The knowledge base library for Codesake::Dawn version 1.2.0 contains 180 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
@@ -127,6 +127,7 @@ The knowledge base library for Codesake::Dawn version 1.1.0 contains 171 securit
 * [CVE-2013-1948](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1948): converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
 * [CVE-2013-2065](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065): Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.
 * [CVE-2013-2090](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2090): Ruby Gem Creme Fraiche version 0.6 suffers from a remote command injection vulnerability due to unsanitized input.
+* [CVE-2013-2105](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2105): The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.
 * [CVE-2013-2119](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119): Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
 * [CVE-2013-2512](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2512): ftpd Gem for Ruby contains a flaw that is triggered when handling a specially crafted option or filename that contains a shell character. This may allow a remote attacker to inject arbitrary commands
 * [CVE-2013-2513](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2513): flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
@@ -163,11 +164,24 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * [CVE-2014-0080](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0080): SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving  (backslash) characters that are not properly handled in operations on array columns.
 * [CVE-2014-0081](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0081): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
 * [CVE-2014-0082](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0082): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
+* [CVE-2014-0130](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0130): The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
 * [CVE-2014-1233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1233): The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.
 * [CVE-2014-1234](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234): The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.
 * [CVE-2014-2322](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2322): Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands.
 * [CVE-2014-2525](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2525): 
 * [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
+* [CVE-2014-3482](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
+* [CVE-2014-3483](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
+* [OSVDB-105971](http://osvdb.org/show/osvdb/105971): sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
+* OSVDB-105971: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
+* [OSVDB-108569](http://osvdb.org/show/osvdb/108569): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.
+* OSVDB-108569: backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.
+* [OSVDB-108570](http://osvdb.org/show/osvdb/108570): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* OSVDB-108570: backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* [OSVDB-108530](http://osvdb.org/show/osvdb/108530): kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* OSVDB-108530: kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* [OSVDB-108563](http://osvdb.org/show/osvdb/108563): gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* OSVDB-108563: gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
 * Owasp Ror CheatSheet: Command Injection: Ruby offers a function called "eval" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection.
 * Owasp Ror CheatSheet: Cross Site Request Forgery: Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request.
 * Owasp Ror CheatSheet: Session management: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
@@ -196,4 +210,4 @@ Setting this to true will essentially strip out any host information.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
 
 
-_Last updated: Tue 01 Apr 08:13:46 CEST 2014_
+_Last updated: Tue 08 Jul 17:59:10 CEST 2014_

data/README.md

@@ -18,6 +18,7 @@ MVC (Model View Controller) frameworks, like:
 [![Dependency Status](https://gemnasium.com/codesake/codesake-dawn.png)](https://gemnasium.com/codesake/codesake-dawn)
 [![Coverage Status](https://coveralls.io/repos/codesake/codesake-dawn/badge.png)](https://coveralls.io/r/codesake/codesake-dawn)
 [![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/codesake/codesake-dawn/trend.png)](https://bitdeli.com/free "Bitdeli Badge")
+[![Inline docs](http://inch-ci.org/github/codesake/codesake-dawn.png?branch=master)](http://inch-ci.org/github/codesake/codesake-dawn)
 
 ---
 

data/Rakefile

@@ -156,8 +156,17 @@ task :check, :name do |t,args|
 
 end
 
+namespace :kb do
+  desc 'Check information lint'
+  task :lint do
+    Codesake::Dawn::KnowledgeBase.new.all.each do |check|
+      l = check.lint
+      puts "check #{check.name} has this attribute(s) with a nil value: #{l.to_s}" unless l.size == 0
+    end
+
+  end
 desc 'Creates a KnowledgeBase.md file'
-task :kb do
+task :create do
   checks = Codesake::Dawn::KnowledgeBase.new.all
   open("KnowledgeBase.md", "w") do |file|
     file.puts "# Codesake::Dawn Knowledge base"
@@ -165,6 +174,7 @@ task :kb do
     file.puts "---"
     checks.each do |c|
       file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+      file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
       file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
     end
 
@@ -173,6 +183,7 @@ task :kb do
   puts "KnowledgeBase.md file successfully generated"
 
 end
+end
 
 require 'digest/sha2'
 namespace :checksum do

data/checksum/codesake-dawn-1.1.3.gem.sha512

@@ -0,0 +1 @@
+997e78626b78d655ae4b733483883b9e82b24969b167cbca606524665a20189af4ebeabf3c1dffb1000a1e2e70c80bcf39130dfd9e1f0aaeabf7de6ef329d594

data/codesake-dawn.gemspec

@@ -19,11 +19,11 @@ Gem::Specification.new do |gem|
 
   gem.cert_chain  = ['certs/paolo_at_codesake_dot_com.pem']
   gem.signing_key = File.expand_path("~/.ssh/paolo_at_codesake_dot_com-private_key.pem") if $0 =~ /gem\z/
-  gem.post_install_message = "Thank you for installing Codesake::Dawn security source code scanner for Ruby. Start securing your code by running \"dawn project_folder\" right now or just run \"dawn --help\" if you want to explore all possible command line flags."
+  gem.post_install_message = "Thank you for installing \"dawn\", a security source code scanner for Ruby. Start securing your code by running \"dawn project_folder\" right now or just run \"dawn --help\" if you want to explore all possible command line flags.\n\n**PLEASE READ THIS** On November 1st, 2014 codesake-dawn gem will change the name in 'dawn'. On this date the first 'dawn' gem will be published and 'codesake-dawn' will be just a placeholder requiring the new gem."
 
   gem.required_ruby_version = '>= 1.9.2'
 
-  gem.add_dependency "codesake-commons", "~> 0.95.0"
+  gem.add_dependency "codesake-commons", "~> 1.0.0"
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
   gem.add_dependency 'parser'

data/doc/dawn_1_2_announcement.md

@@ -0,0 +1,69 @@
+## Press announcement
+
+Today, the XXX ?nd 2014, the second minor Codesake::Dawn rubygem version it has
+been released.
+This will be the last release of the codesake-dawn gem with this name. Starting
+form November, 7th we will rename the gem to just dawn.
+
+Codesake::Dawn is a source code scanner designed to review your code for
+security issues.
+
+Codesake::Dawn is able to scan your ruby standalone programs but its main usage
+is to deal with web applications. It supports applications written using majors
+MVC (Model View Controller) frameworks, like:
+
+* [Ruby on Rails](http://rubyonrails.org)
+* [Sinatra](http://www.sinatrarb.com)
+* [Padrino](http://www.padrinorb.com)
+
+Codesake::Dawn version 1.2 has 180 security checks loaded in its knowledge
+base. Most of them are CVE or OSVDB bulletins applying to gems or the ruby
+interpreter itself. There are also some check coming from Owasp Ruby on Rails
+cheatsheet.
+
+Writing safe code it's important, but sometimes security issues are introduced
+by third party code your application relies on. As example, consider a SQL
+Injection vulnerability introduced by Ruby on Rails framework.
+
+Despite the effort you spend in sanitizing inputs, your web application
+inherits the vulnerability suffering as well. An attacker can easily exploit it
+and break into your database unless you upgrade the offended gem.
+
+There is a comprehensive set of command line flags you can read more by issuing
+```dawn --list-knowledge-base``` flag or by reading [project
+README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file.
+
+The list of security checks included in version 1.2.0 can be found online at:
+[http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base).
+
+You can use [facilities provided by
+github](https://github.com/codesake/codesake-dawn/issues) to submit bug
+reports, product enhancements, new security checks you want to me to add in
+future releases and even success stories.
+
+Now it's time for you to install Codesake::Dawn version 1.2.0 with the
+following command and start reviewing your code for security issues:
+
+```
+$ gem install -P MediumSecurity codesake-dawn
+```
+
+You can find the announcement on the web here: [http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/](http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/)
+Enjoy it!
+Paolo - paolo@codesake.com
+
+## Twitter announcement
+
+### version 1.2.0
+@dawnscanner version 1.2.0 is out. 180 security checks and some bug fixes. Read the announcement: http://dawn.codesake.com/blog/announce-codesake-dawn-v1-2-0-released/ #ruby #rails #sinatra #padrina #security #scanner
+
+## Linkedin announcement
+
+### version 1.2.0
+@dawnscanner version 1.2.0 is out. Read the announcement online. Codesake::Dawn makes security code review fun for ruby developers, it scans 180 CVE and OSVDB bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install codesake-dawn
+$ have fun
+
+## HN Link
+## Reddit

data/lib/codesake/dawn/core.rb

@@ -134,16 +134,22 @@ module Codesake
         # on the current directory with the default configuration.
         conf = {"config"=>{:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}}
 
-        File.open(File.expand_path('~') +'/.'+conf_name, 'w') do |f|
-          f.write(YAML.dump(conf))
+        # Calculate the conf file path
+        conf_path = File.expand_path('~') +'/.'+conf_name
+
+        # Open the conf file and write our default config to it
+        File.open(conf_path, 'w') do |f|
+          rv = f.write(YAML.dump(conf))
         end
+
+        conf_path
       end
 
       def self.read_conf(file=nil)
         conf = {:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
-        file = file.chop if file.end_with? '/'
         begin
           return conf if file.nil?
+          file = file.chop if (not file.nil? and file.end_with? '/')
           return conf if ! File.exist?(file)
         rescue => e
           $logger.err "it seems you've found a bug in core.rb@#{__LINE__}: #{e.message}"

data/lib/codesake/dawn/kb/basic_check.rb

@@ -8,6 +8,8 @@ module Codesake
         include Codesake::Dawn::Utils
 
         attr_reader :name
+        attr_reader :cve
+        attr_reader :osvdb
         attr_reader :cvss
         attr_reader :cwe
         attr_reader :owasp
@@ -86,6 +88,8 @@ module Codesake
           @name         = options[:name]
           @cvss         = options[:cvss]
           @cwe          = options[:cwe]
+          @cve          = options[:cve]
+          @osvdb        = options[:osvdb]
           @owasp        = options[:owasp]
           @release_date = options[:release_date]
           @applies      = options[:applies] unless options[:applies].nil?
@@ -192,6 +196,9 @@ module Codesake
         def rubysec_advisories_link
           "http://www.rubysec.com/advisories/#{@name}/"
         end
+        def osvdb_link
+          "http://osvdb.org/show/osvdb/#{@osvdb}"
+        end
 
         def cvss_score
           return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
@@ -202,6 +209,19 @@ module Codesake
           self.mitigated
         end
 
+        # Performs a self check against some core values from being not nil
+        #
+        # @return an Array with attributes with a nil value
+        def lint
+          ret = []
+          ret << :cve if @cve.nil?
+          ret << :osvdb if @osvdb.nil?
+          ret << :cvss if @cvss.nil?
+          ret << :severity if @severity == :none
+          ret << :priority if @priority == :none
+
+          ret
+        end
       end
     end
   end

data/lib/codesake/dawn/kb/cve_2013_2105.rb

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-05-12
+			class CVE_2013_2105
+				include DependencyCheck
+
+				def initialize
+          message = "The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html."
+           super({
+            :name=>"CVE-2013-2105",
+            :cvss=>"AV:L/AC:M/AU:N/C:N/I:P/A:P",
+            :release_date => Date.new(2014, 4, 22),
+            :cwe=>"59",
+            :owasp=>"A9",
+            :applies=>["sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade show_in_browser version at least to 0.0.4. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://xforce.iss.net/xforce/xfdb/84378"]
+           })
+           self.safe_dependencies = [{:name=>"show_in_browser", :version=>['0.0.4']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2014_0036.rb

@@ -10,7 +10,7 @@ module Codesake
 
            super({
             :name=>"CVE-2014-0036",
-            :cvss=>"",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
             :release_date => Date.new(2014, 3, 5),
             :cwe=>"20",
             :owasp=>"A9",

data/lib/codesake/dawn/kb/cve_2014_0130.rb

@@ -9,7 +9,7 @@ module Codesake
           message = "The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name.  This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server."
           super({
             :name=>"CVE-2014-0130",
-            :cvss=>"",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
             :release_date => Date.new(2014, 5, 6),
             :cwe=>"",
             :owasp=>"A9",

data/lib/codesake/dawn/kb/cve_2014_2322.rb

@@ -11,7 +11,7 @@ module Codesake
 
            super({
             :name=>"CVE-2014-2322",
-            :cvss=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
             :release_date => Date.new(2014, 3, 10),
             :cwe=>"",
             :owasp=>"A9",

data/lib/codesake/dawn/kb/cve_2014_3482.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class CVE_2014_3482
+				include DependencyCheck
+
+				def initialize
+          message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
+           super({
+            :name=> "CVE-2014-3482",
+            :cve=>"CVE-2014-3482",
+            :osvdb=>"108664",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2014, 7, 2),
+            :cwe=>"",
+            :owasp=>"A1",
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails version at least to 3.2.19. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
+           })
+           self.safe_dependencies = [{:name=>"rails", :version=>['3.2.19']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2014_3483.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-07
+			class CVE_2014_3483
+				include DependencyCheck
+
+				def initialize
+          message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
+           super({
+            :name=>"CVE-2014-3483",
+            :cve=>"2014-3483",
+            :osvdb=>"108665",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2014, 7, 2),
+            :cwe=>"",
+            :owasp=>"A1",
+            :applies=>["rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails at least to version 4.0.7 or 4.1.3. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
+           })
+           self.safe_dependencies = [{:name=>"rails", :version=>['4.0.7', '4.1.3']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_105971.rb

@@ -10,7 +10,9 @@ module Codesake
 
            super({
             :name=> "OSVDB-105971",
-            :cvss=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :cve=>"2014-2888",
+            :osvdb=> "105971",
             :release_date => Date.new(2014, 4, 16),
             :cwe=>"",
             :owasp=>"A9",

data/lib/codesake/dawn/kb/osvdb_108530.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108530
+				include DependencyCheck
+
+				def initialize
+          message = "kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108530",
+            :cvss=>"",
+            :osvdb=>"108530",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Keep track on kajam gem updates",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/kajam-1.0.3.rc2-2nd-vuln.html"]
+           })
+           self.safe_dependencies = [{:name=>"kajam", :version=>['1.0.3.rc3']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108563.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108563
+				include DependencyCheck
+
+				def initialize
+          message = "gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108563",
+            :cvss=>"",
+            :cve=>"",
+            :osvdb=>"108563",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check gyazo rubygem for updates and apply them as soon as possible",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html"],
+           })
+           self.safe_dependencies = [{:name=>"gyazo", :version=>['1.0.1']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108569.rb

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108569
+				include DependencyCheck
+
+				def initialize
+          message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information."
+
+           super({
+            :name=> "OSVDB-108569",
+            :osvdb=> "108569",
+            :cvss=>"",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum gem for security updates.",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
+           })
+           self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/osvdb_108570.rb

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-07-04
+			class OSVDB_108570
+				include DependencyCheck
+
+				def initialize
+          message = "backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands."
+           super({
+            :name=> "OSVDB-108570",
+            :cvss=>"",
+            :osvdb=> "108570",
+            :release_date => Date.new(2014, 6, 30),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rack", "sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"We are not currently aware of a solution for this vulnerability. Please check backup_checksum rubygem for upgrades",
+            :aux_links=>["http://www.vapid.dhs.org/advisories/backup_checksum-3.0.23.html"]
+           })
+           self.safe_dependencies = [{:name=>"backup_checksum", :version=>['3.0.24']}]
+
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/version_check.rb

@@ -275,7 +275,9 @@ module Codesake
           # if the safe_version_rc is 0 then the detected_version_rc is
           # vulnerable by design, since the safe version is a stable and we
           # detected a rc.
+          debug_me "entering is_vulnerable_rc?: s=#{safe_version_rc}, d=#{detected_version_rc}"
           return true if safe_version_rc == 0 && detected_version_rc != 0
+          return false if safe_version_rc != 0 && detected_version_rc == 0
           return false if safe_version_rc <= detected_version_rc
           return true if safe_version_rc > detected_version_rc
 

data/lib/codesake/dawn/knowledge_base.rb

@@ -173,6 +173,7 @@ require "codesake/dawn/kb/cve_2013_1947"
 require "codesake/dawn/kb/cve_2013_1948"
 require "codesake/dawn/kb/cve_2013_2065"
 require "codesake/dawn/kb/cve_2013_2090"
+require "codesake/dawn/kb/cve_2013_2105"
 require "codesake/dawn/kb/cve_2013_2119"
 require "codesake/dawn/kb/cve_2013_2512"
 require "codesake/dawn/kb/cve_2013_2513"
@@ -217,10 +218,16 @@ require "codesake/dawn/kb/cve_2014_1234"
 require "codesake/dawn/kb/cve_2014_2322"
 require "codesake/dawn/kb/cve_2014_2525"
 require "codesake/dawn/kb/cve_2014_2538"
+require "codesake/dawn/kb/cve_2014_3482"
+require "codesake/dawn/kb/cve_2014_3483"
 
 # OSVDB
 
 require "codesake/dawn/kb/osvdb_105971"
+require "codesake/dawn/kb/osvdb_108569"
+require "codesake/dawn/kb/osvdb_108570"
+require "codesake/dawn/kb/osvdb_108530"
+require "codesake/dawn/kb/osvdb_108563"
 
 
 module Codesake
@@ -420,6 +427,7 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2013_1948.new,
           Codesake::Dawn::Kb::CVE_2013_2065.new,
           Codesake::Dawn::Kb::CVE_2013_2090.new,
+          Codesake::Dawn::Kb::CVE_2013_2105.new,
           Codesake::Dawn::Kb::CVE_2013_2119.new,
           Codesake::Dawn::Kb::CVE_2013_2512.new,
           Codesake::Dawn::Kb::CVE_2013_2513.new,
@@ -461,9 +469,15 @@ module Codesake
           Codesake::Dawn::Kb::CVE_2014_2322.new,
           Codesake::Dawn::Kb::CVE_2014_2525.new,
           Codesake::Dawn::Kb::CVE_2014_2538.new,
+          Codesake::Dawn::Kb::CVE_2014_3482.new,
+          Codesake::Dawn::Kb::CVE_2014_3483.new,
 
           # OSVDB Checks are still here since are all about dependencies
-          Codesake::Dawn::Kb::OSVDB_105971.new
+          Codesake::Dawn::Kb::OSVDB_105971.new,
+          Codesake::Dawn::Kb::OSVDB_108569.new,
+          Codesake::Dawn::Kb::OSVDB_108570.new,
+          Codesake::Dawn::Kb::OSVDB_108530.new,
+          Codesake::Dawn::Kb::OSVDB_108563.new,
         ]
         # END @cve_security_checks array
         # START @owasp_ror_cheatsheet_checks array

data/lib/codesake/dawn/version.rb

@@ -19,10 +19,10 @@ module Codesake
     # |   "Luigi"       |  7.0.0  |
     # | "Doc Hudson"    |  8.0.0  |
 
-    VERSION   = "1.1.3"
+    VERSION   = "1.2.0"
     CODENAME  = "Lightning McQueen"
     # RELEASE   = "(development)"
-    RELEASE   = "20140506"
+    RELEASE   = "20140714"
 
   end
 end

data/spec/lib/dawn/codesake_core_spec.rb

@@ -0,0 +1,9 @@
+require 'spec_helper'
+
+describe "The Codesake::Core" do
+  describe "#find_conf" do
+    it "returns path name if true passed" do
+      Codesake::Dawn::Core.find_conf(true).should_not be_nil
+    end
+  end
+end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -860,32 +860,32 @@ describe "The Codesake Dawn knowledge base" do
     sc = kb.find("CVE-2014-0082")
     sc.should_not   be_nil
     sc.class.should == Codesake::Dawn::Kb::CVE_2014_0082
-end
+  end
   it "must have test for CVE-2014-2322" do
-      sc = kb.find("CVE-2014-2322")
-        sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2014_2322
+    sc = kb.find("CVE-2014-2322")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2014_2322
   end
 
   it "must have test for CVE-2014-0036" do
-      sc = kb.find("CVE-2014-0036")
-        sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
+    sc = kb.find("CVE-2014-0036")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
   end
   it "must have test for CVE-2014-2538" do
-      sc = kb.find("CVE-2014-2538")
-        sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
+    sc = kb.find("CVE-2014-2538")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2014_2538
   end
   it "must have test for CVE-2013-4203" do
-      sc = kb.find("CVE-2013-4203")
-        sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2013_4203
+    sc = kb.find("CVE-2013-4203")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_4203
   end
   it "must have test for CVE-2014-2525" do
-      sc = kb.find("CVE-2014-2525")
-        sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2014_2525
+    sc = kb.find("CVE-2014-2525")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2014_2525
   end
   it "must have test for OSVDB_105971" do
     sc = kb.find("OSVDB-105971")
@@ -894,8 +894,47 @@ end
   end
 
   it "must have test for CVE-2014-0130" do
-      sc = kb.find("CVE-2014-0130")
+    sc = kb.find("CVE-2014-0130")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2014_0130
+  end
+  it "must have test for CVE-2013-2105" do
+    sc = kb.find("CVE-2013-2105")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::CVE_2013_2105
+  end
+  it "must have test for OSVDB-108569" do
+    sc = kb.find("OSVDB-108569")
+    sc.should_not   be_nil
+    sc.class.should == Codesake::Dawn::Kb::OSVDB_108569
+  end
+
+  it "must have test for OSVDB-108570" do
+      sc = kb.find("OSVDB-108570")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::OSVDB_108570
+  end
+
+  it "must have test for OSVDB-108530" do
+      sc = kb.find("OSVDB-108530")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::OSVDB_108530
+  end
+  it "must have test for OSVDB-108563" do
+      sc = kb.find("OSVDB-108563")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::OSVDB_108563
+  end
+
+  it "must have test for CVE-2014-3482" do
+      sc = kb.find("CVE-2014-3482")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_3482
+  end
+
+  it "must have test for CVE-2014-3483" do
+      sc = kb.find("CVE-2014-3483")
         sc.should_not   be_nil
-          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0130
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_3483
   end
 end

data/spec/lib/kb/codesake_version_check_spec.rb

@@ -94,7 +94,7 @@ describe "The version check should" do
       @check.is_vulnerable_version?('2.3.0', '2.3.0.rc9').should be_true
     end
     it "reports a safe condition when a rc version is safe and the stable version is detected" do
-      @check.is_vulnerable_version?('2.3.0.rc9', '2.3.0').should be_true
+      @check.is_vulnerable_version?('2.3.0.rc9', '2.3.0').should be_false
     end
     it "reports a vulnerability when a previous rc version is detected" do
       @check.is_vulnerable_version?('2.3.0', '2.2.10.rc2').should be_true

data/spec/lib/kb/cve_2013_2105_spec.rb

@@ -0,0 +1,11 @@
+require 'spec_helper'
+describe "The CVE-2013-2105 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2013_2105.new
+		# @check.debug = true
+	end
+  it "is reported when show_in_browser vulnerable version is reported (0.0.3)" do
+    @check.dependencies = [{:name=>'show_in_browser', :version=>'0.0.3'}]
+    @check.vuln?.should   be_true
+  end
+end

data/spec/lib/kb/cve_2014_0036_spec.rb

@@ -4,7 +4,6 @@ describe "The CVE-2014-0036 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2014_0036.new
 		# @check.debug = true
 	end
-  it "must be filled with CVSS information"
   it "is reported when a vulnerable rbovirt gem version is detected (0.0.23)" do
     @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.23'}]
     @check.vuln?.should   be_true

data/spec/lib/kb/cve_2014_0130_spec.rb

@@ -16,5 +16,4 @@ describe "The CVE-2014-0130 vulnerability" do
     @check.dependencies = [{:name=>"rails", :version=>'3.2.17'}]
     @check.vuln?.should   be_true
   end
-  it "must be filled with CVSS information"
 end

data/spec/lib/kb/cve_2014_2322_spec.rb

@@ -4,7 +4,6 @@ describe "The CVE-2014-2322 vulnerability" do
 		@check = Codesake::Dawn::Kb::CVE_2014_2322.new
 		# @check.debug = true
 	end
-  it "must be filled with CVSS information"
   it "is reported when a vulnerable arabic prawn gem version is found (0.0.1)" do
     @check.dependencies = [{:name=>"Arabic-Prawn", :version=>'0.0.1'}]
     @check.vuln?.should   be_true

data/spec/lib/kb/cve_2014_3482_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+describe "The CVE-2014-3482 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_3482.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable version it has been found (3.2.18)" do
+    @check.dependencies = [{:name=>"rails", :version=>"3.2.18"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe version it has been found (3.2.19)" do
+    @check.dependencies = [{:name=>"rails", :version=>"3.2.19"}]
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/cve_2014_3483_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+describe "The CVE-2014-3483 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_3483.new
+		# @check.debug = true
+	end
+  it "is reported when a rails gem version 4.0.6 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>"4.0.6"}]
+    @check.vuln?.should   be_true
+  end
+  it "is reported when a rails gem version 4.1.2 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>"4.1.2"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a rails gem version 4.0.7 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>"4.0.7"}]
+    @check.vuln?.should   be_false
+  end
+  it "is not reported when a rails gem version 4.1.3 is detected" do
+    @check.dependencies = [{:name=>"rails", :version=>"4.1.3"}]
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/osvdb_105971_spec.rb

@@ -12,6 +12,4 @@ describe "The OSVDB_105971 vulnerability" do
     @check.dependencies = [{:name=>"sfpagent", :version=>"0.4.15"}]
     @check.vuln?.should   be_false
   end
-  it "must be filled with CVE identifier"
-  it "must be filled with CVSS information"
 end

data/spec/lib/kb/osvdb_108530_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+describe "The OSVDB-108530 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::OSVDB_108530.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable version it has been found (1.0.3.rc2)" do
+    @check.dependencies = [{:name=>"kajam", :version=>"1.0.3.rc2"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe version it has been found (1.0.3)" do
+    @check.dependencies = [{:name=>"kajam", :version=>"1.0.3"}]
+    @check.vuln?.should   be_false
+  end
+  it "is not reported when a safe version it has been found (1.0.4)" do
+    @check.dependencies = [{:name=>"kajam", :version=>"1.0.4"}]
+    @check.vuln?.should   be_false
+  end
+
+  it "must be filled with CVE identifier"
+  it "must be filled with CVSS information"
+end

data/spec/lib/kb/osvdb_108563_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper'
+describe "The OSVDB-108563 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::OSVDB_108563.new
+		# @check.debug = true
+	end
+
+  it "is reported when a vulnerable version it has been found (1.0.0)" do
+    @check.dependencies = [{:name=>"gyazo", :version=>"1.0.0"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe version it has been found (0.4.15)" do
+    @check.dependencies = [{:name=>"gyazo", :version=>"1.0.1"}]
+    @check.vuln?.should   be_false
+  end
+  it "must be filled with CVE identifier"
+  it "must be filled with CVSS information"
+end

data/spec/lib/kb/osvdb_108569_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+describe "The OSVDB-108569 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::OSVDB_108569.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable backup_checksum gem version it has been found (3.0.23)" do
+    @check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.23"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe backup_checksum gem version it has been found (3.0.24)" do
+    @check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.24"}]
+    @check.vuln?.should   be_false
+  end
+  it "must be filled with CVE identifier"
+  it "must be filled with CVSS information"
+end

data/spec/lib/kb/osvdb_108570_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+describe "The OSVDB-108570 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::OSVDB_108570.new
+		# @check.debug = true
+	end
+  it "is reported when a vulnerable version it has been found (3.0.23)" do
+    @check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.23"}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a safe version it has been found (0.4.15)" do
+    @check.dependencies = [{:name=>"backup_checksum", :version=>"3.0.24"}]
+    @check.vuln?.should   be_false
+  end
+  it "must be filled with CVE identifier"
+  it "must be filled with CVSS information"
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.1.3
+  version: 1.2.0
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
   1LyVQIFlhF6nL0casp0ixer8N60=
   -----END CERTIFICATE-----
-date: 2014-05-06 00:00:00.000000000 Z
+date: 2014-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons
@@ -38,14 +38,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.95.0
+        version: 1.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.95.0
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: cvss
   requirement: !ruby/object:Gem::Requirement
@@ -286,10 +286,12 @@ files:
 - checksum/codesake-dawn-1.1.0.rc1.gem.sha512
 - checksum/codesake-dawn-1.1.1.gem.sha512
 - checksum/codesake-dawn-1.1.2.gem.sha512
+- checksum/codesake-dawn-1.1.3.gem.sha512
 - codesake-dawn.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md
 - doc/dawn_1_1_announcement.md
+- doc/dawn_1_2_announcement.md
 - features/dawn_complains_about_an_incorrect_command_line.feature.disabled
 - features/dawn_scan_a_secure_sinatra_app.feature.disabled
 - features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled
@@ -423,6 +425,7 @@ files:
 - lib/codesake/dawn/kb/cve_2013_1948.rb
 - lib/codesake/dawn/kb/cve_2013_2065.rb
 - lib/codesake/dawn/kb/cve_2013_2090.rb
+- lib/codesake/dawn/kb/cve_2013_2105.rb
 - lib/codesake/dawn/kb/cve_2013_2119.rb
 - lib/codesake/dawn/kb/cve_2013_2512.rb
 - lib/codesake/dawn/kb/cve_2013_2513.rb
@@ -464,11 +467,17 @@ files:
 - lib/codesake/dawn/kb/cve_2014_2322.rb
 - lib/codesake/dawn/kb/cve_2014_2525.rb
 - lib/codesake/dawn/kb/cve_2014_2538.rb
+- lib/codesake/dawn/kb/cve_2014_3482.rb
+- lib/codesake/dawn/kb/cve_2014_3483.rb
 - lib/codesake/dawn/kb/dependency_check.rb
 - lib/codesake/dawn/kb/deprecation_check.rb
 - lib/codesake/dawn/kb/not_revised_code.rb
 - lib/codesake/dawn/kb/operating_system_check.rb
 - lib/codesake/dawn/kb/osvdb_105971.rb
+- lib/codesake/dawn/kb/osvdb_108530.rb
+- lib/codesake/dawn/kb/osvdb_108563.rb
+- lib/codesake/dawn/kb/osvdb_108569.rb
+- lib/codesake/dawn/kb/osvdb_108570.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb
 - lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb
@@ -492,6 +501,7 @@ files:
 - lib/codesake/dawn/utils.rb
 - lib/codesake/dawn/version.rb
 - lib/tasks/codesake-dawn_tasks.rake
+- spec/lib/dawn/codesake_core_spec.rb
 - spec/lib/dawn/codesake_knowledgebase_spec.rb
 - spec/lib/dawn/codesake_padrino_engine_disabled.rb
 - spec/lib/dawn/codesake_rails_engine_disabled.rb
@@ -522,6 +532,7 @@ files:
 - spec/lib/kb/cve_2013_1655_spec.rb
 - spec/lib/kb/cve_2013_1756_spec.rb
 - spec/lib/kb/cve_2013_2090_spec.rb
+- spec/lib/kb/cve_2013_2105_spec.rb
 - spec/lib/kb/cve_2013_2119_spec.rb
 - spec/lib/kb/cve_2013_2512_spec.rb
 - spec/lib/kb/cve_2013_2513_spec.rb
@@ -544,7 +555,13 @@ files:
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/cve_2014_2538_spec.rb
+- spec/lib/kb/cve_2014_3482_spec.rb
+- spec/lib/kb/cve_2014_3483_spec.rb
 - spec/lib/kb/osvdb_105971_spec.rb
+- spec/lib/kb/osvdb_108530_spec.rb
+- spec/lib/kb/osvdb_108563_spec.rb
+- spec/lib/kb/osvdb_108569_spec.rb
+- spec/lib/kb/osvdb_108570_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb
 - support/bootstrap.js
@@ -553,9 +570,10 @@ files:
 homepage: http://dawn.codesake.com
 licenses: []
 metadata: {}
-post_install_message: Thank you for installing Codesake::Dawn security source code
-  scanner for Ruby. Start securing your code by running "dawn project_folder" right
-  now or just run "dawn --help" if you want to explore all possible command line flags.
+post_install_message: |-
+  Thank you for installing "dawn", a security source code scanner for Ruby. Start securing your code by running "dawn project_folder" right now or just run "dawn --help" if you want to explore all possible command line flags.
+
+  **PLEASE READ THIS** On November 1st, 2014 codesake-dawn gem will change the name in 'dawn'. On this date the first 'dawn' gem will be published and 'codesake-dawn' will be just a placeholder requiring the new gem.
 rdoc_options: []
 require_paths:
 - lib
@@ -583,6 +601,7 @@ test_files:
 - features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled
 - features/step_definition/dawn_steps.rb
 - features/support/env.rb
+- spec/lib/dawn/codesake_core_spec.rb
 - spec/lib/dawn/codesake_knowledgebase_spec.rb
 - spec/lib/dawn/codesake_padrino_engine_disabled.rb
 - spec/lib/dawn/codesake_rails_engine_disabled.rb
@@ -613,6 +632,7 @@ test_files:
 - spec/lib/kb/cve_2013_1655_spec.rb
 - spec/lib/kb/cve_2013_1756_spec.rb
 - spec/lib/kb/cve_2013_2090_spec.rb
+- spec/lib/kb/cve_2013_2105_spec.rb
 - spec/lib/kb/cve_2013_2119_spec.rb
 - spec/lib/kb/cve_2013_2512_spec.rb
 - spec/lib/kb/cve_2013_2513_spec.rb
@@ -635,6 +655,12 @@ test_files:
 - spec/lib/kb/cve_2014_1234_spec.rb
 - spec/lib/kb/cve_2014_2322_spec.rb
 - spec/lib/kb/cve_2014_2538_spec.rb
+- spec/lib/kb/cve_2014_3482_spec.rb
+- spec/lib/kb/cve_2014_3483_spec.rb
 - spec/lib/kb/osvdb_105971_spec.rb
+- spec/lib/kb/osvdb_108530_spec.rb
+- spec/lib/kb/osvdb_108563_spec.rb
+- spec/lib/kb/osvdb_108569_spec.rb
+- spec/lib/kb/osvdb_108570_spec.rb
 - spec/lib/kb/owasp_ror_cheatsheet_disabled.rb
 - spec/spec_helper.rb