RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/lib/codesake/dawn/kb/cve_2013_1607.rb ADDED

@@ -0,0 +1,27 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-02-07
+			class CVE_2013_1607
+				include DependencyCheck
+				def initialize
+          message = "PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options."
+          super({
+            :name=>"CVE-2013-1607",
+            :cvss=>"",
+            :release_date => Date.new(2013, 2, 21),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"To mitigate this vulnerability you must upgrade pdfkit gem version to 0.5.3 or higher.",
+            :aux_links=>["https://github.com/pdfkit/pdfkit/issues/164"]
+          })
+          self.safe_dependencies = [{:name=>"pdfkit", :version=>['0.5.3']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1655.rb ADDED

@@ -0,0 +1,67 @@
+module Codesake
+	module Dawn
+		module Kb
+      class CVE_2013_1655_a
+				include DependencyCheck
+        def initialize
+          message = "CVE-2013-1655: puppet versions 2.7.21 and 3.1.1 are vulnerable"
+          super({
+            :name=>"CVE-2013-1655_a",
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+          })
+          self.safe_dependencies = [{:name=>"puppet", :version=>['2.7.21', '3.1.1']}]
+        end
+      end
+      class CVE_2013_1655_b
+        include RubyVersionCheck
+        def initialize
+          message = "CVE-2013-1655: puppet versions 2.7.21 and 3.1.1 are vulnerable only when running ruby 1.9.3 and 2.0.2"
+          super({
+            :name=>"CVE-2013-1655_b",
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p357"},
+            {:engine=>"ruby", :version=>"1.9.4", :patchlevel=>"p0"},
+            {:engine=>"ruby", :version=>"2.0.1", :patchlevel=>"p0"}]
+        end
+      end
+      class CVE_2013_1655
+        include ComboCheck
+        def initialize
+          message = "Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when
+          running Ruby 1.9.3 or later, allows remote attackers to execute
+          arbitrary code via vectors related to \"serialized attributes.\""
+          super({
+            :name=>"CVE-2013-1655",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade puppet gem to a newer version",
+            :aux_links=>["https://puppetlabs.com/security/cve/cve-2013-1655/"],
+            :checks=>[CVE_2013_1655_a.new, CVE_2013_1655_b.new]
+          })
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2013_1656.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-20
+			class CVE_2013_1656
+				include DependencyCheck
+				def initialize
+          message = "Spree Commerce 1.0.x through 1.3.2 allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function."
+          super({
+            :name=>'CVE-2013-1656',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 3, 8),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade Spree commerce rubygem",
+            :aux_links => ["http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed"]
+          })
+          self.safe_dependencies = [{:name=>"spree", :version=>['1.3.3']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1756.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-15
+			class CVE_2013_1756
+				include DependencyCheck
+				def initialize
+          message = "Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing of a specially crafted request. This may allow a remote attacker to execute arbitrary code."
+          super({
+            :name=>'CVE-2013-1756',
+            :cvss=>"",
+            :release_date => Date.new(2013, 2, 19),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade dragonfly gem to 0.9.13. However the maintainer suggests upgrading to 0.9.14 since it fix another non security related bug",
+            :aux_links => ["http://www.osvdb.com/show/osvdb/90647"]
+          })
+          self.safe_dependencies = [{:name=>"dragonfly", :version=>['0.9.13']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1800.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+  module Dawn
+    module Kb
+      class CVE_2013_1800
+        include DependencyCheck
+        def initialize
+          message = "The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+          super({:name=>"CVE-2013-1800",
+                :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+                :release_date => Date.new(2013, 4, 9),
+                :cwe=>"264",
+                :owasp=>"A9",
+                :applies=>["sinatra", "padrino", "rails"],
+                :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+                :message=>message,
+                :mitigation=>"Please use crack gem version 0.3.2 or above. Correct your gemfile"
+          })
+          self.safe_dependencies = [{:name=>'crack', :version=>['0.3.2']}]
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2013_1801.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_1801
+				include DependencyCheck
+				def initialize
+          message = "The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>"CVE-2013-1801",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"264",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade httparty gem to version 0.9.0 or latest version available",
+            :aux_links=>["https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"]
+          })
+          self.safe_dependencies = [{:name=>"httparty", :version=>['0.9.0']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1802.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-21
+			class CVE_2013_1802
+				include DependencyCheck
+				def initialize
+          message= "The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
+           super({
+            :name=>"CVE-2013-1802",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"264",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade extlib gem to version 0.9.16 or latest version available",
+            :aux_links=>["https://support.cloud.engineyard.com/entries/22915701-january-14-2013-security-vulnerabilities-httparty-extlib-crack-nori-update-these-gems-immediately"]
+          })
+          self.safe_dependencies = [{:name=>"extlib", :version=>['0.9.16']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1812.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-12-17
+			class CVE_2013_1812
+				include DependencyCheck
+				def initialize
+          message = "The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack."
+           super({
+            :name=>'CVE-2013-1812',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 12, 12),
+            :cwe=>"399",
+            :owasp=>"A9",
+            :applies=>["rails", "padrino", "sinatra"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade ruby-openid rubygem",
+            :aux_links => ["http://www.openwall.com/lists/oss-security/2013/03/03/8"]
+          })
+          self.safe_dependencies = [{:name=>"ruby-openid", :version=>['2.2.2']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1821.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-22
+			class CVE_2013_1821
+				include RubyVersionCheck
+				def initialize
+          message="lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 and 2.0.0-p0 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack."
+          super({
+            :name=>"CVE-2013-1821",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 4, 9),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p392 or 2.0.0-p195 or latest version available",
+            :aux_links=>["http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p392"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1854.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-16
+			class CVE_2013_1854
+				include DependencyCheck
+				def initialize
+          message = "The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method."
+          super({
+            :name=>'CVE-2013-1854',
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.2.13', '3.1.12']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1855.rb ADDED

@@ -0,0 +1,27 @@
+module Codesake
+  module Dawn
+    module Kb
+      class CVE_2013_1855
+				include DependencyCheck
+        def initialize
+          message = "The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \\n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences."
+          super({
+            :name=>'CVE-2013-1855',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"79",
+            :owasp=>"A3",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/d/msg/rubyonrails-security/4_QHo4BqnN8/_RrdfKk12I4J"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2013_1856.rb ADDED

@@ -0,0 +1,28 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-16
+			class CVE_2013_1856
+				include DependencyCheck
+				def initialize
+          message= "The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference."
+         super({
+            :name=>'CVE-2013-1856',
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:P",
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 3.1.12 and 3.2.13. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/6c2482d4ed1545e6?dmode=source&output=gplain"]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['3.2.13', '3.1.12']}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2013_1857.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-02
+			class CVE_2013_1857
+				include DependencyCheck
+        def initialize
+          message = "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a &#x3a; sequence."
+          super({
+            :name=>'CVE-2013-1857',
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 3, 19),
+            :cwe=>"79",
+            :owasp=>"A3",
+            :applies=>["rails"],
+            :kind => Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message => message,
+            :mitigation=>"Please upgrade rails version at least to 2.3.18, 3.0.8, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
+            :aux_links => [ "https://groups.google.com/d/msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ" ]
+          })
+          self.safe_dependencies = [{:name=>"rails", :version=>['2.3.18', '3.0.8', '3.2.13', '3.1.12']}]
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2013_1875.rb ADDED

@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2013-05-17
+			class CVE_2013_1875
+				include DependencyCheck
+				def initialize
+          message="command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename."
+         super({
+            :name=>"CVE-2013-1875",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2013, 3, 20),
+            :cwe=>"94",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade command_wrap gem to a newer version",
+            :aux_links=>["http://seclists.org/fulldisclosure/2013/Mar/175"]
+          })
+          self.safe_dependencies = [{:name=>"fastreader", :version=>['1.0.9']}]
+				end
+			end
+		end
+	end
+end