codesake-dawn 1.0.6 → 1.1.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 533e7cbdaed92f7f1dfd4e9edf9e0f7a3a7eface
-  data.tar.gz: ab8a1b8696885fd7e4974b4e2b290306450da5e3
+  metadata.gz: e6f5635154af886b9fe241f81237d26881b8d355
+  data.tar.gz: 4876b2d24472a2ed3e593433b0cfde0e0eb41242
 SHA512:
-  metadata.gz: 5c1065fe087482d80c4d8cbaf8d40be918c2fc076097e2fbc45425c5cd9f77e3d60088bac26ee759a9f04e582c00a93b031fc76e27e050106c9406b110bf2ab6
-  data.tar.gz: 742f0d74ab39c0301ecc29a60dbc564bb1e12fb793796970d8229a4bd14b4487ba4eac6272684ab81eaf033fc8d0ffb64e4a460f6e812e06e2481c2e746a9c3f
+  metadata.gz: 9196f5452bc7611b064b2d2f9cd08e301495b91c15531272d9edba5ec98428f7578c98916499c8844c65e1eb2f727574a9eca50160f9bda93e67fbad1914e84a
+  data.tar.gz: e7128f118a790d48eb7139d7ce429cf28de1fcca516397ced49bc621e295c3ccc4d0e37bc58d64f2522abcb5ed85e89136749b360e3cf6eeba4ef372662cc2e5

checksums.yaml.gz.sig

@@ -0,0 +1,2 @@
+LϬ=�4Y�O��p5O,͚�b�qTLOQ(�
+�k�Yr���g�@%�O�����w

data.tar.gz.sig

@@ -0,0 +1,4 @@
+��$
+�ߓ�<�G��WO�Q_�����"ލF�b�	�W@f�q�үrs"$�S+hy|��4�:�-]�v�[�U����N#�E.�׳tI�ˢr��1�H�!��>�Q�Q�#_d����
+t0Y��8��}�|��fj	*����
+{�c15k�S$��sc�\:R�'��r��������f�b-�J�:\��π�i��
��z��s�p�k��;�^����=�s@]��yl3)�T��L2�/��J�m�)

data/.travis.yml

@@ -1,6 +1,8 @@
 language: ruby
 rvm:
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
   - 2.1.0
+  - 2.0.0
+  - 1.9.3
+  - 1.9.2
+  - ruby-head
+  - rbx

data/Changelog.md

@@ -5,7 +5,73 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Sun Mar 23 22:36:42 CET 2014_
+_latest update: Sun Mar 23 23:06:38 CET 2014_
+
+## Version 1.1.0 - codename: Lightning McQueen (2014-xx-xx)
+
+* Added a check for CVE-2011-5036
+* Added a check for CVE-2012-6109
+* Added a check for CVE-2013-0183
+* Added a check for CVE-2013-0184
+* Added a check for CVE-2013-0262
+* Added a check for CVE-2013-1607
+* Added a check for CVE-2013-2512
+* Added a check for CVE-2013-2513
+* Added a check for CVE-2013-2516
+* Added a check for CVE-2013-4413
+* Added a check for CVE-2013-4489
+* Added a check for CVE-2013-4593
+* Added a check for CVE-2013-5671
+* Added a check for CVE-2014-0080
+* Added remaining compliance checks against Owasp Ruby on Rails cheatsheet.
+  Some other checks in the cheatsheet can't be turned into a Codesake::Dawn
+  test, so all the cheatsheet content is covered since now.
+* Added a --ascii-tabular-report (-a) to produce a report formatted with ascii
+  tables. A bit of bin/dawn refactoring was necessary.
+* Added a --json (-j) to produce JSON reports
+* Added a --html (-h) to produce HTML reports
+* Added a --file (-F) flag to save report to supplied filename
+* Added Codesake::Dawn gem signature as described in
+  http://guides.rubygems.org/security/. README is modified accordingly with new
+  installation suggestions. Added also gem SHA512 checksum in repository.
+* Added a not_affected attribute to dependency check to flag as not vulnerable
+  previous versions
+* CVE-2013-2090: we were uncertain about previous cremefraiche version if they
+  were vulnerable or not. Gem author, yanked all previous version but the
+  latest released 29 January 2014. We removed the rspec check for version <
+  0.6.x
+* basic_check.rb: due to the great @rubysec guys work, the link to their site
+  is provided as well. True to be told, there are some CVE valid but not found
+  on NVID website, so having @rubysec link is even more accurate in those
+  situations.
+* New Codesake::Dawn::Kb::VersionCheck class to provide version specific
+  checks, supporting beta version number, release candidate and pre. Fully
+  integrated with DepedencyCheck and RubyVersionCheck
+* Issue #34. I added a deprecation check. However I haven't found an official
+  link saying which are MVC gem version to be considered officially deprecated
+  or just old. I enabled only check against ruby
+* Added a --seach-knowledge-base removing the optional parameter to
+  --list-knowledge-base that is just for listing.
+* Renamed '--list-knowledgebase' to '--list-knowledge-base' and '-k' short option was removed
+* Added a --list-known-families option printing out Codesake::Dawn supported check family name
+* Removed '-f' short option for list-known-framework
+* Added family and severity to Owasp RoR Cheatsheet files
+* Add a method to return severity level. If it's provided by check constructor
+  then that value is used, otherwise is calculated using CVSS.  If no value and
+  no CVSS are available the return value is "unknown".
+* Removed old ruby version check from BasicCheck. It's outdated and no longer
+  needed
+* Added --disable-cve-bulletins flag to disable all CVE security checks
+* Added --disable-code-quality flag to disable all code quality checks
+* Added --disable-code-style flag to disable all code style checks
+* Added --disable-owasp-ror-cheatsheet flag to disable all Owasp Ruby on Rails
+  cheatsheet checks
+* Added --disable-owasp-top-10 flag to disable all Owasp Top 10 checks
+* Revamped help output
+* Added YAML Codesake::Dawn configuration support. Now you can specify your
+  preferences in a .codesake-dawn.yaml file in your home directory (or you can
+  use the --config-file option to specify the file you want to use). It returns
+  an embedded default configuration if the supplied filename doesn't exist.
 
 ## Version 1.0.6 - codename: Lightning McQueen (2014-03-23)
 
@@ -166,7 +232,7 @@ _latest update: Sun Mar 23 22:36:42 CET 2014_
 ## Version 0.85 - codename: elevator (2013-12-17)
 
 * refactoring bin/dawn script: some stuff were moved into Codesake::Core class
-* Added a check against Denial of Service vulnerability for Nokogiri 1.5.x 
+* Added a check against Denial of Service vulnerability for Nokogiri 1.5.x
   and 1.6.0 when used with JRuby.
 * Added a check against Denial of Service vulnerability due to entity expansion
   for Nokogiri 1.5.x and 1.6.0 when used with JRuby.
@@ -199,7 +265,7 @@ able to scan something. It deserves a special release.
 * adding test for CVE-2013-2065
 * adding test for CVE-2013-4389
 * adding test for CVE-2010-1330
-* adding test for CVE-2011-0446 
+* adding test for CVE-2011-0446
 * adding test for CVE-2011-0995
 * adding test for CVE-2011-2929
 * adding test for CVE-2011-4815
@@ -268,7 +334,7 @@ able to scan something. It deserves a special release.
 * adding test for CVE-2013-2616
 * adding test for CVE-2013-2617
 * adding test for CVE-2013-3221
-* make output less verbose. Only vulnerabilities and severity will be shown 
+* make output less verbose. Only vulnerabilities and severity will be shown
 * adding a '--verbose' option to see also the whole knowledge base info about each findings
 * adding a '--output' option
 * adding a '--count-only' option

data/README.md

@@ -1,15 +1,15 @@
 # Codesake::Dawn - The security code scanner for Ruby
 
 Codesake::Dawn is a source code scanner designed to review your code for
-security issues. 
+security issues.
 
 Codesake::Dawn is able to scan your ruby standalone programs but its main usage
 is to deal with web applications. It supports applications written using majors
-MVC (Model View Controller) frameworks, like: 
+MVC (Model View Controller) frameworks, like:
 
 * [Ruby on Rails](http://rubyonrails.org)
 * [Sinatra](http://www.sinatrarb.com)
-* [Padrino](http://www.padrinorb.com) 
+* [Padrino](http://www.padrinorb.com)
 
 ---
 
@@ -28,7 +28,7 @@ You can dump all security checks in the knowledge base by using the -k
 flag:
 
 ```
-$ dawn -k|--list-knowledge-base 
+$ dawn -k|--list-knowledge-base
 ```
 
 Useful in scripts, you can even supply a parameter to ```-k``` flag to check if
@@ -64,23 +64,39 @@ application.
 
 ## Installation
 
-You can install latest Codesake::Dawn version, using [Rubygems](https://rubygems.org) by typing:
+codesake-dawn rubygem is cryptographically signed. To be sure the gem you
+install hasn’t been tampered, you must first add ```paolo@codesake.com```
+public signing certificate as trusted to your gem specific keyring.
 
-    gem install codesake-dawn
+```
+$ gem cert --add <(curl -Ls https://raw.github.com/codesake/codesake-dawn/certs/paolo_at_codesake_dot_com.pem)
+```
 
-In order to install a release candidate version, the gem install command line is the following:
+You can install latest Codesake::Dawn version, fetching it from
+[Rubygems](https://rubygems.org) by typing:
 
 ```
-$ gem install codesake-dawn --pre
+$ gem install codesake-dawn -P MediumSecurity
+```
+
+The MediumSecurity trust profile will verify signed gems, but allow the
+installation of unsigned dependencies. This is necessary because not all of
+Codesake::Dawn’s dependencies are signed, so we cannot use HighSecurity.
+
+In order to install a release candidate version, the gem install command line
+is the following:
+
+```
+$ gem install codesake-dawn --pre -P MediumSecurity
 ```
 
 If you want to add dawn to your project Gemfile, you must add the following:
-    
+
     group :development do
       gem 'codesake-dawn', :require=>false
     end
 
-And then upgrade your bundle 
+And then upgrade your bundle
 
     $ bundle install
 
@@ -98,7 +114,7 @@ that.
 ## Usage
 
 You can start your code review with Codesake::Dawn very easily. Simply tell the tool
-where the project root directory. 
+where the project root directory.
 
 Underlying MVC framework is autodetected by Codesake::Dawn using target Gemfile.lock
 file. If autodetect fails for some reason, the tool will complain about it and
@@ -108,35 +124,55 @@ hand.
 Basic usage is to specify some optional command line option to fit best your
 needs, and to specify the target directory where your code is stored.
 
-``` 
+```
 $ dawn [options] target
 ```
 
 In case of need, there is a quick command line option reference running ```dawn -h``` at your OS prompt.
 
 ```
-$ bundle exec dawn -h
-08:05:21 [*] dawn v1.0.0 is starting up
+$ dawn -h
 Usage: dawn [options] target_directory
 
-
-Examples:$ dawn a_sinatra_webapp_directory
-$ dawn -C the_rails_blog_engine
-$ dawn -C --output json a_sinatra_webapp_directory
-
-   -r, --rails					force dawn to consider the target a rails application
-   -s, --sinatra				force dawn to consider the target a sinatra application
-   -p, --padrino				force dawn to consider the target a padrino application
-   -G, --gem-lock				force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
-   -D, --debug					enters dawn debug mode
-   -f, --list-known-framework			list ruby MVC frameworks supported by dawn
-   -k, --list-knowledgebase [check_name]	list dawn known security checks. If check_name is specified dawn says if check is present or not
-   -o, --output [console, json. csv, html]	the output will be in the specified format
-   -V, --verbose				the output will be more verbose
-   -C, --count-only				dawn will only count vulnerabilities (useful for scripts)
-   -z, --exit-on-warn				dawn will return number of found vulnerabilities as exit code
-   -v, --version				show version information
-   -h, --help					show this help
+Examples:
+  $ dawn a_sinatra_webapp_directory
+  $ dawn -C the_rails_blog_engine
+  $ dawn -C --json a_sinatra_webapp_directory
+  $ dawn --ascii-tabular-report my_rails_blog_ecommerce
+  $ dawn --html -F my_report.html my_rails_blog_ecommerce
+
+   -r, --rails          force dawn to consider the target a rails application
+   -s, --sinatra        force dawn to consider the target a sinatra application
+   -p, --padrino        force dawn to consider the target a padrino application
+   -G, --gem-lock       force dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock
+   -a, --ascii-tabular-report   cause dawn to format findings using table in ascii art
+   -j, --json                   cause dawn to format findings using json
+   -C, --count-only             dawn will only count vulnerabilities (useful for scripts)
+   -z, --exit-on-warn           dawn will return number of found vulnerabilities as exit code
+   -F, --file filename          tells dawn to write output to filename
+   -c, --config-file filename   tells dawn to load configuration from filename
+
+Disable security check family
+
+       --disable-cve-bulletins  disable all CVE security checks
+       --disable-code-quality   disable all code quality checks
+       --disable-code-style     disable all code style checks
+       --disable-owasp-ror-cheatsheet   disable all Owasp Ruby on Rails cheatsheet checks
+       --disable-owasp-top-10           disable all Owasp Top 10 checks
+
+Flags useful to query Codesake::Dawn
+
+       -S, --search-knowledge-base [check_name]   search check_name in the knowledge base
+           --list-knowledge-base                  list knowledge-base content
+           --list-known-families                  list security check families contained in dawn's knowledge base
+           --list-known-framework                 list ruby MVC frameworks supported by dawn
+
+Service flags
+
+   -D, --debug                                  enters dawn debug mode
+   -V, --verbose                                the output will be more verbose
+   -v, --version                                show version information
+   -h, --help                                   show this help
 ```
 
 ### Rake task
@@ -150,7 +186,8 @@ require 'codesake/dawn/tasks'
 Then executing ```$ rake -T``` you will have a ```dawn:run``` task you want to execute.
 
 ```
-$ rake -T                                                                                                                                                                                                                                                                 (ruby-2.0.0-p353@engage)
+$ rake -T
+...
 rake dawn:run                  # Execute codesake-dawn on the current directory
 ...
 ```
@@ -159,7 +196,7 @@ rake dawn:run                  # Execute codesake-dawn on the current directory
 
 As output, Codesake::Dawn will put all security checks that are failed during the scan.
 
-This the result of Codedake::Dawn running against a 
+This the result of Codedake::Dawn running against a
 [Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
 delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
 
@@ -168,21 +205,23 @@ looking at Gemfile.lock, than it discards all security checks not appliable to
 Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
 Rails) and it applies them.
 
-``` 
-$ bundle exec dawn ~/src/hacking/railsberry2013
-08:09:47 [*] dawn v1.0.0 is starting up
-08:09:47 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
-08:09:47 [$] dawn: sinatra v1.4.2 detected
-08:09:47 [$] dawn: applying all security checks
-08:09:47 [$] dawn: 82 security checks applied - 0 security checks skipped
-08:09:47 [$] dawn: 1 vulnerabilities found
-08:09:47 [$] dawn: CVE-2013-1800 failed
-08:09:47 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-08:09:47 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
-08:09:47 [!] dawn: Evidence:
-08:09:47 [!] dawn: Vulnerable crack gem version found: 0.3.1
-08:09:47 [*] dawn is leaving
-``` 
+```
+$ dawn ~/src/hacking/railsberry2013
+18:40:27 [*] dawn v1.1.0 is starting up
+18:40:27 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
+18:40:27 [$] dawn: sinatra v1.4.2 detected
+18:40:27 [$] dawn: applying all security checks
+18:40:27 [$] dawn: 109 security checks applied - 0 security checks skipped
+18:40:27 [$] dawn: 1 vulnerabilities found
+18:40:27 [!] dawn: CVE-2013-1800 check failed
+18:40:27 [$] dawn: Severity: high
+18:40:27 [$] dawn: Priority: unknown
+18:40:27 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
+18:40:27 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
+18:40:27 [$] dawn: Evidence:
+18:40:27 [$] dawn:      Vulnerable crack gem version found: 0.3.1
+18:40:27 [*] dawn is leaving
+```
 
 ---
 
@@ -191,63 +230,36 @@ it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
 working that way!
 
 This is Codesake::Dawn running against a Padrino web application I wrote for [a
-scorecard quiz game about application security](http://scorecard.armoredcode.com). 
+scorecard quiz game about application security](http://scorecard.armoredcode.com).
 Italian language only. Sorry.
 
 ```
-08:17:09 [*] dawn v1.0.0 is starting up
-08:17:09 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
-08:17:09 [$] dawn: padrino v0.11.2 detected
-08:17:09 [$] dawn: applying all security checks
-08:17:09 [$] dawn: 82 security checks applied - 0 security checks skipped
-08:17:09 [*] dawn: no vulnerabilities found.
-08:17:09 [*] dawn is leaving
+18:42:39 [*] dawn v1.1.0 is starting up
+18:42:39 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
+18:42:39 [$] dawn: padrino v0.11.2 detected
+18:42:39 [$] dawn: applying all security checks
+18:42:39 [$] dawn: 109 security checks applied - 0 security checks skipped
+18:42:39 [*] dawn: no vulnerabilities found.
+18:42:39 [*] dawn is leaving
 ```
 
----
-
-Last example shows Codesake::Dawn against a very simple Sinatra application
-designed to be buggy:
+If you need a fancy HTML report about your scan, just ask it to Codesake::Dawn
+with the ```--html``` flag used with the ```--file``` since I wanto to save the
+HTML to disk.
 
 ```
-$ dawn target
-08:28:18 [*] dawn v1.0.0 is starting up
-08:28:18 [$] dawn: scanning /Users/thesp0nge/tmp/sinatra-vulnerable
-08:28:18 [$] dawn: sinatra v1.2.6 detected
-08:28:18 [$] dawn: applying all security checks
-08:28:18 [$] dawn: 82 security checks applied - 0 security checks skipped
-08:28:18 [$] dawn: 5 vulnerabilities found
-08:28:18 [$] dawn: Not revised code failed
-08:28:18 [$] dawn: Description: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
-This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
-08:28:18 [$] dawn: Solution: Please review the file fixing the issue.
-08:28:18 [!] dawn: Evidence:
-08:28:18 [!] dawn: {:filename=>"/Users/thesp0nge/tmp/sinatra-vulnerable/application.rb", :matches=>[{:match=>"# FIXME: I must raise an error here\n", :line=>30}]}
-08:28:18 [$] dawn: CVE-2013-0269 failed
-08:28:18 [$] dawn: Description: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
-08:28:18 [$] dawn: Solution: Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available
-08:28:18 [!] dawn: Evidence:
-08:28:18 [!] dawn: Vulnerable json gem version found: 1.4.6
-08:28:18 [$] dawn: CVE-2013-1800 failed
-08:28:18 [$] dawn: Description: The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
-08:28:18 [$] dawn: Solution: Please use crack gem version 0.3.2 or above. Correct your gemfile
-08:28:18 [!] dawn: Evidence:
-08:28:18 [!] dawn: Vulnerable crack gem version found: 0.3.1
-08:28:18 [$] dawn: CVE-2013-4164 failed
-08:28:18 [$] dawn: Description: Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.
-08:28:18 [$] dawn: Solution: All users are recommended to upgrade to Ruby 1.9.3 patchlevel 484, ruby 2.0.0 patchlevel 353 or ruby 2.1.0 preview2.
-08:28:18 [!] dawn: Evidence:
-08:28:18 [!] dawn: ruby v2.0.0-p247 detected
-08:28:18 [$] dawn: 1 reflected XSS found
-08:28:18 [$] dawn: request parameter "name"
-08:28:18 [*] dawn is leaving
+$ dawn /Users/thesp0nge/src/hacking/rt_first_app --html --file report.html
+
+09:00:54 [*] dawn v1.1.0 is starting up
+09:00:54 [*] dawn: report.html created (2952 bytes)
+09:00:54 [*] dawn is leaving
 ```
 
 ---
 
 ## Useful links
 
-Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com) 
+Project homepage: [http://dawn.codesake.com](http://dawn.codesake.com)
 
 Twitter profile:  [@dawnscanner](https://twitter.com/dawnscanner)
 
@@ -259,7 +271,7 @@ Mailing list: [https://groups.google.com/forum/#!forum/codesake-dawn](https://gr
 
 ## Supporters
 
-To me as project leader it's very important to have feedbacks. 
+To me as project leader it's very important to have feedbacks.
 
 If you're a proud codesake-dawn user, if you find it useful, if you integrated
 it in your release process and if you want to openly support the project you
@@ -279,12 +291,34 @@ Thank you.
 
 [saten](https://github.com/saten): first issue posted about a typo in the README
 
-[presidentbeef](https://github.com/presidentbeef): for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is your :)
+[presidentbeef](https://github.com/presidentbeef): for his outstanding work that inspired me creating dawn and for double check comparison matrix. Issue #2 is yours :)
 
 [marinerJB](https://github.com/marinerJB): for misc bug reports and further ideas
 
 [Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
 
+## Contribute to Codesake::Dawn
+
+Are you interested in contributing to Codesake::Dawn project? Great, here is
+some very basic rules in order to make rocking pull requests.
+
+First of all, I use the branching model described in [this
+post](http://nvie.com/posts/a-successful-git-branching-model/). There are two
+major branches:
+
+* master: it contains in every moment the code for the latest codesake-dawn
+  released gem. You can't make branches from here unless you're working on a
+  bugfix.
+* development: it contains the unstable code that is going to be the next
+  codesake-dawn realease. You start from here. Pick a task on the Roadmap.md
+  and create a separated branch to work on your feature to. When you're ready
+  (remember to include also spec files), submit your pull request. If the code
+  will be fine, it will be merged into the development tree ready to be include
+  in upcoming gem version.
+
+No branch from master it would be analyzed unless they are related to bugfix.
+In this case, the branch name must be something like _issue\_#xx\_description_
+
 ## LICENSE
 
 Copyright (c) 2013, 2014 Paolo Perego