codesake-dawn 1.1.0 → 1.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a6587e023ec76144d8c6a48e1b8130cee3a99b9d
-  data.tar.gz: 149559e865d2425e786fe587054d49a41d8fb69c
+  metadata.gz: 36ef1462b17193335545803ba645b1d23e9fb8fc
+  data.tar.gz: 968fb71145e469a485a61a6c667b0c5050ad3058
 SHA512:
-  metadata.gz: cadec13f2cdc11c1d3934b1da01a8eec2d2c4cac14cb4cd0b638601af3a46a7a493884993e4706adccbf41f50c5f7e92aa65271c0f0bc0ad83d710d8a0f9d171
-  data.tar.gz: 5f75eba4b560ed3cff6139ba2b42b0d0428933257d4664657510575bbd44af746ea1afa2e831026fbda7d6e31b66213ba3f0dfa003c5cab39f5371809d5f02c3
+  metadata.gz: a8be5a4f078b5ca275666ea80e49d719877832710e820f73856a91cd9c90d7f0f530173c3f92389baff45ad19c0a70656c9ee6985b1b106c196e83714e1ad640
+  data.tar.gz: 3d57b1c811cb6dc542789735803ae14106e888313061bb0f2fb14c1536baa531e989882dbc2cbb6edc899d984df249d7191b93a59678c879ba938288845a8bc9

data/Changelog.md

@@ -5,7 +5,27 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Mon Mar 31 09:05:57 CEST 2014_
+_latest update: Wed Apr  9 17:26:49 CEST 2014_
+
+## Version 1.1.1 - codename: Lightning McQueen (2014-04-11)
+
+* Fixing issue #52. The trailing '/' must be removed in File.exist? A begin -
+  rescue block was added so to handle any exception. The default configuration
+  is returned in case of error.
+* Fixed issue #53. Both get_rbenv_ruby_ver and get_rvm_ruby_ver doesn't prepand
+  @target when trying to fetch ruby version file content.
+* Fix issue #54. There were some unconsistence in command line call when
+  forcing the MVC instead of autodetect it. I refactored the part and it was
+  back to work now.
+* Fixed issue #55. Introducing yaml config file, gemfile_name default value is
+  empty string not nil anymore. Therefore bin/dawn must check for emptyness not
+  for nil value.
+* Issue #57: @zoltrain made a pull request to add vulnerability properties to
+  json output in reporter class.
+* Issue #38. During the discussion, @shaneog pointed out that
+  --disable-ror-cheatsheet flag worked but disabling the whole family from the
+  YAML config file didn't. Due to a silly typo the magic didn't happened. Fixed
+  now.
 
 ## Version 1.1.0 - codename: Lightning McQueen (2014-04-04)
 

data/README.md

@@ -52,7 +52,7 @@ install hasn’t been tampered, you must first add ```paolo@codesake.com```
 public signing certificate as trusted to your gem specific keyring.
 
 ```
-$ gem cert --add <(curl -Ls https://raw.github.com/codesake/codesake-dawn/certs/paolo_at_codesake_dot_com.pem)
+$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/codesake/codesake-dawn/master/certs/paolo_at_codesake_dot_com.pem)
 ```
 
 You can install latest Codesake::Dawn version, fetching it from

data/bin/dawn

@@ -110,7 +110,7 @@ opts.each do |opt, val|
   when '--gem-lock'
     options[:gemfile_scan] = true
     unless val.empty?
-      options[:gemfile_name] = val 
+      options[:gemfile_name] = val
       guess = Codesake::Dawn::Core.guess_mvc(val)
     end
   when '--verbose'
@@ -152,8 +152,8 @@ target=ARGV.shift
 
 $logger.helo APPNAME, Codesake::Dawn::VERSION
 trap("INT")   { $logger.die('[INTERRUPTED]') }
-$logger.die("missing target") if target.nil? && options[:gemfile_name].nil?
-$logger.die("invalid directory (#{target})") if options[:gemfile_name].nil?  &&! Codesake::Dawn::Core.is_good_target?(target) 
+$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
+$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Codesake::Dawn::Core.is_good_target?(target)
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
 $logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
@@ -163,7 +163,14 @@ $logger.log("security check enabled: #{options[:enabled_checks]}") if options[:d
 
 unless options[:gemfile_scan]
   begin
-    engine = Codesake::Dawn::Core.detect_mvc(target)  if options[:mvc].empty?
+    if options[:mvc].empty?
+      engine = Codesake::Dawn::Core.detect_mvc(target)
+      $logger.log("using #{engine.class.name} engine via autodect") if options[:debug]
+    else
+      engine = Codesake::Dawn::Rails.new(target)      if options[:mvc] == :rails
+      engine = Codesake::Dawn::Sinatra.new(target)    if options[:mvc] == :sinatra
+      engine = Codesake::Dawn::Padrino.new(target)    if options[:mvc] == :padrino
+    end
   rescue ArgumentError => e
     $logger.die(e.message)
   end
@@ -171,10 +178,6 @@ else
   engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
 end
 
-engine = Codesake::Dawn::Rails.new(target)                      if options[:mvc] == :rails && options[:gemfile_scan].nil?
-engine = Codesake::Dawn::Sinatra.new(target)                    if options[:mvc] == :sinatra && options[:gemfile_scan].nil?
-engine = Codesake::Dawn::Padrino.new(target)                    if options[:mvc] == :padrino && options[:gemfile_scan].nil? 
-
 $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
 
 if options[:exit_on_warn]

data/checksum/codesake-dawn-1.1.0.gem.sha512

@@ -1 +1 @@
-57977e5c9f5349f28858053a5a6663b21a003fae1ad9bd099f70cdbc4595a299b5e0de7d01a6d4954e8393815a288d5d861e3e165f037da6c605918ae2a28ccd
+744c4729bddf79a21dac3ab40e4246294f80eddc4d1d1831995c9e3811c6ea0057007a30389cd8b8ae815b9416018a6c0557613dfcf9b3512dc2c9acac2704df

data/lib/codesake/dawn/core.rb

@@ -140,15 +140,21 @@ module Codesake
       end
 
       def self.read_conf(file=nil)
-
         conf = {:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
-        return conf if file.nil?
-        return conf if ! File.exist?(file)
+        file = file.chop if file.end_with? '/'
+        begin
+          return conf if file.nil?
+          return conf if ! File.exist?(file)
+        rescue => e
+          $logger.err "it seems you've found a bug in core.rb@#{__LINE__}: #{e.message}"
+          return conf
+        end
 
         c = YAML.load_file(file)
 
         cf = c["config"]
-        cc = cf["enabled_checks"]
+        cc = cf[:enabled_checks]
+
         # TODO
         # I must add some sanity check here
         conf[:verbose] = cf["verbose"] unless cf["verbose"].nil?

data/lib/codesake/dawn/engine.rb

@@ -135,7 +135,7 @@ module Codesake
         unless @target.nil?
 
           # does target use rbenv?
-          ver = get_rbenv_ruby_ver 
+          ver = get_rbenv_ruby_ver
           # does the target use rvm?
           ver = get_rvm_ruby_ver if  ver[:version].empty? && ver[:patchlevel].empty?
           # take the running ruby otherwise
@@ -162,10 +162,10 @@ module Codesake
       def load_knowledge_base(enabled_checks=[])
         debug_me("load_knowledge_base called. Enabled checks are: #{enabled_checks}")
         if @name == "Gemfile.lock"
-          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>@enabled_checks}).all if @force.empty?
-          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>@enabled_checks}).all_by_mvc(@force) unless @force.empty? 
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all if @force.empty?
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@force) unless @force.empty? 
         else
-          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>@enabled_checks}).all_by_mvc(@name) 
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@name) 
 
         end
         debug_me("#{@checks.count} checks loaded")
@@ -366,12 +366,12 @@ module Codesake
       private
       def get_rbenv_ruby_ver
         return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".rbenv-version"))
-        hash = File.read('.rbenv-version').split('-')
+        hash = File.read(File.join(@target, '.rbenv-version')).split('-')
         return {:version=>hash[0], :patchlevel=>hash[1]}
       end
       def get_rvm_ruby_ver
         return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".ruby-version"))
-        hash = File.read('.ruby-version').split('-')
+        hash = File.read(File.join(@target, '.ruby-version')).split('-')
         return {:version=>hash[0], :patchlevel=>hash[1]}
       end
 

data/lib/codesake/dawn/knowledge_base.rb

@@ -233,7 +233,7 @@ module Codesake
 
       def initialize(options={})
         @enabled_checks = Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES
-        @enabled_checks = options[:enabled_checks] unless options[:enabled_check].nil?
+        @enabled_checks = options[:enabled_checks] unless options[:enabled_checks].nil?
 
         @security_checks = load_security_checks
       end

data/lib/codesake/dawn/reporter.rb

@@ -206,7 +206,15 @@ module Codesake
         result[:reflected_xss_count] = @engine.reflected_xss.count
         result[:vulnerabilities]=[]
         @engine.vulnerabilities.each do |v|
-          result[:vulnerabilities] << v[:name]
+          result[:vulnerabilities] << {
+            :name => v[:name],
+            :cve_link => v[:cve_link],
+            :severity => v[:severity],
+            :priority => v[:priority],
+            :cvss_score => v[:cvss_score],
+            :message => v[:message],
+            :remediation => v[:remediation]
+          }
         end
         result[:mitigated_vuln] = @engine.mitigated_issues
         result[:reflected_xss] = []

data/lib/codesake/dawn/version.rb

@@ -19,10 +19,10 @@ module Codesake
     # |   "Luigi"       |  7.0.0  |
     # | "Doc Hudson"    |  8.0.0  |
 
-    VERSION   = "1.1.0"
+    VERSION   = "1.1.1"
     CODENAME  = "Lightning McQueen"
-    #RELEASE   = "(development)"
-    RELEASE   = "20140404"
+    # RELEASE   = "(development)"
+    RELEASE   = "20140410"
 
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codesake-dawn
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.1.1
 platform: ruby
 authors:
 - Paolo Perego
@@ -30,7 +30,7 @@ cert_chain:
   Fh7BfxFDBZdj1mI2V+I+IYYMPKIouvwX3r7NTZgZ4TYuKVpOk9VSCxzhrPhnl4kb
   1LyVQIFlhF6nL0casp0ixer8N60=
   -----END CERTIFICATE-----
-date: 2014-04-04 00:00:00.000000000 Z
+date: 2014-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: codesake-commons

metadata.gz.sig

@@ -1,2 +1,3 @@
-R9�ш������V
3
-�+Λ�3�1�۸&�X�HN4��yxt6Y~O��
���5��cF�e
+�1�����s�# -����^�U����;u�P��Ӯ���p��=Pe�n���I�5���M��!��)��	Z���$�NH��H��^Y�����𸠙+O�>-"}����!�j�t{o:�[��~b
+�V/ M������u����Ni]7���\�4�1w�n���A��,�,��X���1h�b�
+����*o>{��M�c;�p�