codesake-dawn 1.1.0 → 1.1.1
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/Changelog.md +21 -1
- data/README.md +1 -1
- data/bin/dawn +11 -8
- data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -1
- data/lib/codesake/dawn/core.rb +10 -4
- data/lib/codesake/dawn/engine.rb +6 -6
- data/lib/codesake/dawn/knowledge_base.rb +1 -1
- data/lib/codesake/dawn/reporter.rb +9 -1
- data/lib/codesake/dawn/version.rb +3 -3
- metadata +2 -2
- metadata.gz.sig +3 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 36ef1462b17193335545803ba645b1d23e9fb8fc
|
4
|
+
data.tar.gz: 968fb71145e469a485a61a6c667b0c5050ad3058
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: a8be5a4f078b5ca275666ea80e49d719877832710e820f73856a91cd9c90d7f0f530173c3f92389baff45ad19c0a70656c9ee6985b1b106c196e83714e1ad640
|
7
|
+
data.tar.gz: 3d57b1c811cb6dc542789735803ae14106e888313061bb0f2fb14c1536baa531e989882dbc2cbb6edc899d984df249d7191b93a59678c879ba938288845a8bc9
|
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
data/Changelog.md
CHANGED
@@ -5,7 +5,27 @@ It supports [Sinatra](http://www.sinatrarb.com),
|
|
5
5
|
[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
|
6
6
|
frameworks.
|
7
7
|
|
8
|
-
_latest update:
|
8
|
+
_latest update: Wed Apr 9 17:26:49 CEST 2014_
|
9
|
+
|
10
|
+
## Version 1.1.1 - codename: Lightning McQueen (2014-04-11)
|
11
|
+
|
12
|
+
* Fixing issue #52. The trailing '/' must be removed in File.exist? A begin -
|
13
|
+
rescue block was added so to handle any exception. The default configuration
|
14
|
+
is returned in case of error.
|
15
|
+
* Fixed issue #53. Both get_rbenv_ruby_ver and get_rvm_ruby_ver doesn't prepand
|
16
|
+
@target when trying to fetch ruby version file content.
|
17
|
+
* Fix issue #54. There were some unconsistence in command line call when
|
18
|
+
forcing the MVC instead of autodetect it. I refactored the part and it was
|
19
|
+
back to work now.
|
20
|
+
* Fixed issue #55. Introducing yaml config file, gemfile_name default value is
|
21
|
+
empty string not nil anymore. Therefore bin/dawn must check for emptyness not
|
22
|
+
for nil value.
|
23
|
+
* Issue #57: @zoltrain made a pull request to add vulnerability properties to
|
24
|
+
json output in reporter class.
|
25
|
+
* Issue #38. During the discussion, @shaneog pointed out that
|
26
|
+
--disable-ror-cheatsheet flag worked but disabling the whole family from the
|
27
|
+
YAML config file didn't. Due to a silly typo the magic didn't happened. Fixed
|
28
|
+
now.
|
9
29
|
|
10
30
|
## Version 1.1.0 - codename: Lightning McQueen (2014-04-04)
|
11
31
|
|
data/README.md
CHANGED
@@ -52,7 +52,7 @@ install hasn’t been tampered, you must first add ```paolo@codesake.com```
|
|
52
52
|
public signing certificate as trusted to your gem specific keyring.
|
53
53
|
|
54
54
|
```
|
55
|
-
$ gem cert --add <(curl -Ls https://raw.
|
55
|
+
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/codesake/codesake-dawn/master/certs/paolo_at_codesake_dot_com.pem)
|
56
56
|
```
|
57
57
|
|
58
58
|
You can install latest Codesake::Dawn version, fetching it from
|
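--- a/data/bin/dawn
+++ b/data/bin/dawn
@@ -110,7 +110,7 @@ opts.each do |opt, val|
 when '--gem-lock'
 options[:gemfile_scan] = true
 unless val.empty?
-options[:gemfile_name] = val
+options[:gemfile_name] = val
 guess = Codesake::Dawn::Core.guess_mvc(val)
 end
 when '--verbose'
@@ -152,8 +152,8 @@ target=ARGV.shift
 
 $logger.helo APPNAME, Codesake::Dawn::VERSION
 trap("INT") { $logger.die('[INTERRUPTED]') }
-$logger.die("missing target") if target.nil? && options[:gemfile_name].
-$logger.die("invalid directory (#{target})") if options[:gemfile_name].
+$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
+$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty? &&! Codesake::Dawn::Core.is_good_target?(target)
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
 $logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
@@ -163,7 +163,14 @@ $logger.log("security check enabled: #{options[:enabled_checks]}") if options[:d
 
 unless options[:gemfile_scan]
 begin
-
+if options[:mvc].empty?
+engine = Codesake::Dawn::Core.detect_mvc(target)
+$logger.log("using #{engine.class.name} engine via autodect") if options[:debug]
+else
+engine = Codesake::Dawn::Rails.new(target) if options[:mvc] == :rails
+engine = Codesake::Dawn::Sinatra.new(target) if options[:mvc] == :sinatra
+engine = Codesake::Dawn::Padrino.new(target) if options[:mvc] == :padrino
+end
 rescue ArgumentError => e
 $logger.die(e.message)
 end
@@ -171,10 +178,6 @@ else
 engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
 end
 
-engine = Codesake::Dawn::Rails.new(target) if options[:mvc] == :rails && options[:gemfile_scan].nil?
-engine = Codesake::Dawn::Sinatra.new(target) if options[:mvc] == :sinatra && options[:gemfile_scan].nil?
-engine = Codesake::Dawn::Padrino.new(target) if options[:mvc] == :padrino && options[:gemfile_scan].nil?
-
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
 if options[:exit_on_warn]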
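Review bot: In the new `else` branch (new lines 170-172) a forced `options[:mvc]` that is none of `:rails`, `:sinatra` or `:padrino` leaves `engine` nil, and the only diagnosis the user then gets is the "ruby framework auto detect failed" message at new line 181, which is misleading for a framework that was explicitly forced. The flags that set `options[:mvc]` are parsed outside this hunk and the YAML config path in `Core.read_conf` is not visible here, so I cannot say whether a non-symbol value (for example the string `"rails"` from a config file) can actually reach this point, but the guard is cheap either way. A `case` with an explicit `else` keeps the three constructors together and names the failure instead of falling through to the autodetect message; this is top-level script code, so there is no enclosing function.
```ruby
      else
        engine = case options[:mvc]
                 when :rails   then Codesake::Dawn::Rails.new(target)
                 when :sinatra then Codesake::Dawn::Sinatra.new(target)
                 when :padrino then Codesake::Dawn::Padrino.new(target)
                 else $logger.die("unknown MVC framework forced: #{options[:mvc].inspect}")
                 end
      end
      # … unchanged: rescue ArgumentError => e …
```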
@@ -1 +1 @@
|
|
1
|
-
|
1
|
+
744c4729bddf79a21dac3ab40e4246294f80eddc4d1d1831995c9e3811c6ea0057007a30389cd8b8ae815b9416018a6c0557613dfcf9b3512dc2c9acac2704df
|
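--- a/data/lib/codesake/dawn/core.rb
+++ b/data/lib/codesake/dawn/core.rb
@@ -140,15 +140,21 @@ module Codesake
 end
 
 def self.read_conf(file=nil)
-
 conf = {:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
-
-
+file = file.chop if file.end_with? '/'
+begin
+return conf if file.nil?
+return conf if ! File.exist?(file)
+rescue => e
+$logger.err "it seems you've found a bug in core.rb@#{__LINE__}: #{e.message}"
+return conf
+end
 
 c = YAML.load_file(file)
 
 cf = c["config"]
-cc = cf[
+cc = cf[:enabled_checks]
+
 # TODO
 # I must add some sanity check here
 conf[:verbose] = cf["verbose"] unless cf["verbose"].nil?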
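Review bot: `file = file.chop if file.end_with? '/'` on new line 144 runs before the `file.nil?` guard on line 146, so the default call `read_conf` (file = nil) raises NoMethodError instead of returning `conf`, and the begin/rescue added right below it does not cover that line. Guard it, `file = file.chop if file && file.end_with?('/')`, or move the chop inside the `begin`. Separately, `YAML.load_file(file)` on new line 153 deserializes arbitrary Ruby objects; if the config path can ever be resolved from inside the project being scanned (not visible in this hunk), a malicious repository would get code execution in the scanner, and `YAML.safe_load(File.read(file), [Symbol])` with Symbol permitted (line 156 reads the `:enabled_checks` symbol key) is the safer call. Note also that line 156 looks up a symbol key while the lookups that follow use string keys such as `cf["verbose"]`; that only works if the YAML file spells the key as `:enabled_checks:`, which is worth a comment or a sanity check where the TODO already asks for one. `read_conf` continues past the end of the hunk.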
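--- a/data/lib/codesake/dawn/engine.rb
+++ b/data/lib/codesake/dawn/engine.rb
@@ -135,7 +135,7 @@ module Codesake
 unless @target.nil?
 
 # does target use rbenv?
-ver = get_rbenv_ruby_ver
+ver = get_rbenv_ruby_ver
 # does the target use rvm?
 ver = get_rvm_ruby_ver if ver[:version].empty? && ver[:patchlevel].empty?
 # take the running ruby otherwise
@@ -162,10 +162,10 @@ module Codesake
 def load_knowledge_base(enabled_checks=[])
 debug_me("load_knowledge_base called. Enabled checks are: #{enabled_checks}")
 if @name == "Gemfile.lock"
-@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks
-@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks
+@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all if @force.empty?
+@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@force) unless @force.empty?
 else
-@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks
+@checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@name)
 
 end
 debug_me("#{@checks.count} checks loaded")
@@ -366,12 +366,12 @@ module Codesake
 private
 def get_rbenv_ruby_ver
 return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".rbenv-version"))
-hash = File.read('.rbenv-version').split('-')
+hash = File.read(File.join(@target, '.rbenv-version')).split('-')
 return {:version=>hash[0], :patchlevel=>hash[1]}
 end
 def get_rvm_ruby_ver
 return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".ruby-version"))
-hash = File.read(File.join(@target, '.ruby-version')).split('-')
+hash = File.read(File.join(@target, '.ruby-version')).split('-')
 return {:version=>hash[0], :patchlevel=>hash[1]}
 end
 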
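Review bot: The corrected read on new line 369, `File.read(File.join(@target, '.rbenv-version')).split('-')`, keeps the file content verbatim, so the trailing newline these files normally carry ends up inside the patchlevel (or inside the version when there is no dash), and a file pinning a plain `2.1.1` gives `hash[1]` nil, which the caller at line 140 then dereferences with `ver[:patchlevel].empty?` and raises NoMethodError. Strip and coerce instead: `hash = File.read(File.join(@target, '.rbenv-version')).strip.split('-')` and `return {:version=>hash[0].to_s, :patchlevel=>hash[1].to_s}`, and mirror the same two lines in `get_rvm_ruby_ver` at 374-375. rvm users frequently write `.ruby-version` as `ruby-2.1.1`, which this split would report as version "ruby"; I cannot see from this hunk whether a caller normalises that, so a comment stating the expected file format would be worth adding either way.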
@@ -233,7 +233,7 @@ module Codesake
|
|
233
233
|
|
234
234
|
def initialize(options={})
|
235
235
|
@enabled_checks = Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES
|
236
|
-
@enabled_checks = options[:enabled_checks] unless options[:
|
236
|
+
@enabled_checks = options[:enabled_checks] unless options[:enabled_checks].nil?
|
237
237
|
|
238
238
|
@security_checks = load_security_checks
|
239
239
|
end
|
@@ -206,7 +206,15 @@ module Codesake
|
|
206
206
|
result[:reflected_xss_count] = @engine.reflected_xss.count
|
207
207
|
result[:vulnerabilities]=[]
|
208
208
|
@engine.vulnerabilities.each do |v|
|
209
|
-
result[:vulnerabilities] <<
|
209
|
+
result[:vulnerabilities] << {
|
210
|
+
:name => v[:name],
|
211
|
+
:cve_link => v[:cve_link],
|
212
|
+
:severity => v[:severity],
|
213
|
+
:priority => v[:priority],
|
214
|
+
:cvss_score => v[:cvss_score],
|
215
|
+
:message => v[:message],
|
216
|
+
:remediation => v[:remediation]
|
217
|
+
}
|
210
218
|
end
|
211
219
|
result[:mitigated_vuln] = @engine.mitigated_issues
|
212
220
|
result[:reflected_xss] = []
|
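Review bot: The seven `v[...]` lookups on new lines 210-216 hard-code the JSON field list inline in the loop; hoisting it to a frozen constant on the class, e.g. `VULN_FIELDS = [:name, :cve_link, :severity, :priority, :cvss_score, :message, :remediation].freeze`, and building each entry with `VULN_FIELDS.each_with_object({}) { |k, h| h[k] = v[k] }` makes the next field a one-token change and keeps the list discoverable from the class body. If the selection is a deliberate subset of what a check exposes (I cannot tell from this hunk), a one-line comment above the loop saying so would stop the omission from looking accidental. The enclosing method starts and ends outside the hunk.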
@@ -19,10 +19,10 @@ module Codesake
|
|
19
19
|
# | "Luigi" | 7.0.0 |
|
20
20
|
# | "Doc Hudson" | 8.0.0 |
|
21
21
|
|
22
|
-
VERSION = "1.1.
|
22
|
+
VERSION = "1.1.1"
|
23
23
|
CODENAME = "Lightning McQueen"
|
24
|
-
#RELEASE = "(development)"
|
25
|
-
RELEASE = "
|
24
|
+
# RELEASE = "(development)"
|
25
|
+
RELEASE = "20140410"
|
26
26
|
|
27
27
|
end
|
28
28
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: codesake-dawn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.1.
|
4
|
+
version: 1.1.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paolo Perego
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
30
30
|
Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
|
31
31
|
1LyVQIFlhF6nL0casp0ixer8N60=
|
32
32
|
-----END CERTIFICATE-----
|
33
|
-
date: 2014-04-
|
33
|
+
date: 2014-04-11 00:00:00.000000000 Z
|
34
34
|
dependencies:
|
35
35
|
- !ruby/object:Gem::Dependency
|
36
36
|
name: codesake-commons
|
metadata.gz.sig
CHANGED
@@ -1,2 +1,3 @@
|
|
1
|
-
|
2
|
-
|
1
|
+
�1�����s�# -����^�U����;u�P��Ӯ���p��=Pe�n���I�5���M��!��)�� Z���$�NH��H��^Y�����+O�>-"}����!�j�t{o:�[��~b
|
2
|
+
�V/ M������u����Ni]7���\�4�1w�n���A��,�,��X���1h�b�
|
3
|
+
����*o>{��M�c;�p�
|