RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/spec/lib/dawn/codesake_padrino_engine_disabled.rb ADDED

@@ -0,0 +1,45 @@
+require 'spec_helper'
+describe "The Codesake::Dawn engine for padrino applications" do
+  before(:all) do
+    @engine = Codesake::Dawn::Padrino.new('./spec/support/hello_world_padrino')
+  end
+  it "has a proper name" do
+    @engine.name.should   ==    "padrino"
+  end
+  it "has a valid target" do
+    @engine.target.should ==   "./spec/support/hello_world_padrino"
+    @engine.target_is_dir?.should  be_true
+  end
+  it "detects the applications declared in config/apps.rb" do
+    @engine.should  respond_to(:detect_apps)
+    @engine.apps.should_not     be_nil
+    @engine.apps.count.should   == 3
+  end
+  it "creates a valid pool of Sinatra engines" do
+    @engine.apps[0].mount_point.should == "/"
+    @engine.apps[1].mount_point.should == "/log"
+    @engine.apps[2].mount_point.should == "/dispatcher"
+  end
+  it "has a good Gemfile.lock" do
+    @engine.has_gemfile_lock?.should   be_true
+  end
+  it "detects padrino v0.11.2" do
+    @engine.mvc_version.should   == "0.11.2"
+  end
+  # describe "analyzing the main application" do
+  # end
+end

data/spec/lib/dawn/codesake_rails_engine_disabled.rb ADDED

@@ -0,0 +1,12 @@
+require 'spec_helper'
+describe "The Codesake::Dawn engine for rails applications" do
+  before(:all){@engine = Codesake::Dawn::Rails.new}
+  it "detects the version used in the hello_world_3.1.0 application" do
+    @engine.set_target("./spec/support/hello_world_3.1.0")
+    @engine.ruby_version[:version].should == RUBY_VERSION
+    @engine.ruby_version[:patchlevel].should == "p#{RUBY_PATCHLEVEL}"
+  end
+end

data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb ADDED

@@ -0,0 +1,128 @@
+require 'spec_helper'
+describe "The Codesake::Dawn engine for sinatra applications" do
+  before(:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-safe')}
+  it "has a proper name" do
+    @engine.name.should   ==    "sinatra"
+  end
+  it "detects the default application name" do
+    @engine.appname.should == "application.rb"
+  end
+  it "has a valid target" do
+    @engine.target.should ==   "./spec/support/sinatra-safe"
+    @engine.target_is_dir?.should  be_true
+  end
+  it "has a good Gemfile.lock" do
+    @engine.has_gemfile_lock?.should   be_true
+  end
+  it "detects a sinatra 1.4.4" do
+    @engine.mvc_version.should   == "1.4.4"
+  end
+  it "detects 2 views" do
+    @engine.views.should == [{:filename=>"./spec/support/sinatra-safe/views/layout.haml", :language=>:haml}, {:filename=>"./spec/support/sinatra-safe/views/root.haml", :language=>:haml}]
+  end
+  it "detects views are written using HAML" do
+    @engine.views[0][:language].should == :haml
+    @engine.views[1][:language].should == :haml
+  end
+  it "has some check in the knowledge base" do
+    @engine.checks.should_not be_nil
+    @engine.checks.should_not be_empty
+  end
+  it "has check for CVE-2013-1800" do
+    Codesake::Dawn::KnowledgeBase.find(@engine.checks, "CVE-2013-1800").should_not  be_nil
+  end
+  it "applies all checks" do
+    @engine.apply_all.should  be_true
+  end
+  it "applies check for CVE-2013-1800" do
+    @engine.apply("CVE-2013-1800").should   be_true
+  end
+  it "applies check for \"Not revised code\"" do
+    @engine.apply("Not revised code").should  be_true
+  end
+  describe "applied to sinatra-safe application" do
+    it "reports it's not vulnerable to CVE-2013-1800" do
+      @engine.is_vulnerable_to?("CVE-2013-1800").should be_false
+    end
+    it "reports it's not vulnerable to \"Not revised code\"" do
+      @engine.is_vulnerable_to?("Not revised code").should  be_false
+    end
+    it "reports it has no vulnerabilities" do
+      puts @engine.vulnerabilities
+      @engine.vulnerabilities.should  be_empty
+    end
+  end
+  describe "applied do the sinatra-vulnerable application" do
+    before (:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')}
+    it "has a valid target" do
+      @engine.target.should ==   "./spec/support/sinatra-vulnerable"
+      @engine.target_is_dir?.should  be_true
+    end
+    it "detects running ruby as the one to be checked against" do
+      @engine.ruby_version[:version].should == RUBY_VERSION
+    end
+    it "reports it's vulnerable to CVE-2013-1800" do
+      @engine.is_vulnerable_to?("CVE-2013-1800").should be_true
+    end
+    it "reports it's vulnerable to \"Not revised code\"" do
+      @engine.is_vulnerable_to?("Not revised code").should  be_true
+    end
+    it "reports it has vulnerabilities" do
+      @engine.vulnerabilities.should_not  be_empty
+    end
+    it "applies automagically all the tests if no test has been applied" do
+      e2 =  Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')
+      e2.vulnerabilities.should_not be_empty
+    end
+    context "when scanning for XSS" do
+      it "detects 3 views" do
+        @engine.views.should == [
+          {:filename=>"./spec/support/sinatra-vulnerable/views/layout.haml", :language=>:haml},
+          {:filename=>"./spec/support/sinatra-vulnerable/views/root.haml", :language=>:haml},
+          {:filename=>"./spec/support/sinatra-vulnerable/views/xss.haml", :language=>:haml}
+        ]
+      end
+      it "detects views are written using HAML" do
+        @engine.views[0][:language].should == :haml
+        @engine.views[1][:language].should == :haml
+        @engine.views[2][:language].should == :haml
+      end
+      it "detects a sink on application.rb" do
+        sink = @engine.detect_sinks("application.rb")
+        sink.should == [
+          {:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>"  @xss_param = params['name']"},
+          {:sink_name=>"@my_arr", :sink_kind=>:params, :sink_line=>27, :sink_source=>"second", :sink_file=>"application.rb", :sink_evidence=>"  @my_arr[0] = params['second']"}
+        ]
+      end
+      it "detects reflected ones in HAML views" do
+        reflected_xss= @engine.detect_reflected_xss
+        @engine.reflected_xss.should_not be_nil
+        @engine.reflected_xss.should_not be_empty
+        @engine.reflected_xss.should == [
+          {:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>"  @xss_param = params['name']", :sink_view=>"./spec/support/sinatra-vulnerable/views/xss.haml"}
+        ]
+      end
+    end
+  end
+end

data/spec/lib/kb/codesake_cve_2013_0175_spec.rb ADDED

@@ -0,0 +1,35 @@
+require 'spec_helper'
+describe "CVE-2013-0175 security check" do
+  let (:check) {Codesake::Dawn::Kb::CVE_2013_0175.new}
+  it "knows its name" do
+    check.name.should == "CVE-2013-0175"
+  end
+  it "has a 7.5 cvss score" do
+    check.cvss_score == 7.5
+  end
+  it "fires when multi_xml vulnerable gem it has been found" do
+    check.dependencies = [{:name=>"multi_xml", :version=>"0.5.2"}]
+    check.vuln?.should be_true
+  end
+  it "fires when Grape vulnerable gem it has been found" do
+    check.dependencies = [{:name=>"grape", :version=>"0.2.5"}]
+    check.vuln?.should be_true
+  end
+  it "fires when multi_xml gem is not vulnerable but Grape is" do
+    check.dependencies = [{:name=>"grape", :version=>"0.2.5"}, {:name=>"multi_xml", :version=>"0.5.3"}]
+    check.vuln?.should be_true
+  end
+  it "fires when multi_xml gem is vulnerable but Grape is not" do
+    check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.2"}]
+    check.vuln?.should be_true
+  end
+  it "doesn't fire when no vulnerabilities were found" do
+    check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.3"}]
+    check.vuln?.should be_false
+  end
+end

data/spec/lib/kb/codesake_cve_2013_4457_spec.rb ADDED

@@ -0,0 +1,41 @@
+require 'spec_helper'
+describe "The CVE-2013-4457 vulnerability" do
+  before(:all) do
+    @check = Codesake::Dawn::Kb::CVE_2013_4457.new
+    # @check.debug = true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.4.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.4.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.4.2'}]
+    @check.vuln?.should   be_true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.5.0'}]
+    @check.vuln?.should   be_true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.5.1'}]
+    @check.vuln?.should   be_true
+  end
+  it "is detected if vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.5.2'}]
+    @check.vuln?.should   be_true
+  end
+  it "is skipped if non vulnerable version of cocaine rubygem is detected" do
+    @check.dependencies=[{:name=>"cocaine", :version=>'0.3.2'}]
+    # @check.debug = true
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/codesake_dependency_version_check_spec.rb ADDED

@@ -0,0 +1,76 @@
+require 'spec_helper'
+class DependencyMockup
+  include Codesake::Dawn::Kb::DependencyCheck
+  def initialize
+    message = "This is a mock"
+    super(
+      :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+      :applies=>['sinatra', 'padrino', 'rails'],
+      :message=> message
+    )
+    # self.debug = true
+    self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
+    self.save_major = true
+  end
+end
+describe "The security check for gem dependency should" do
+  before(:all) do
+    @check = DependencyMockup.new
+  end
+  # let (:check) {Mockup.new}
+  it "gives an unkown priority value" do
+    @check.priority.should == "unknown"
+  end
+  it "gives the assigned priority value" do
+    @check.priority = :critical
+    @check.priority.should == "critical"
+  end
+  it "gives an unknown severity since no CVSS is provided and no severity is given" do
+    @check.severity.should  == "unknown"
+  end
+  it "gives the severity level provided. No CVSS is here" do
+    @check.severity = :critical
+    @check.severity.should  == "critical"
+  end
+  it "fires if vulnerable 0.2.9 version is detected" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'0.2.9'}]
+    @check.vuln?.should    be_true
+  end
+  it "doesn't fire if not vulnerable 0.4.0 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'0.4.0'}]
+    @check.vuln?.should    be_false
+  end
+  it "fires if vulnerable 1.3.2 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'1.3.2'}]
+    @check.vuln?.should    be_true
+  end
+  it "doesn't fire if not vulnerable 1.4.2 version is found" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'1.4.2'}]
+    @check.vuln?.should    be_false
+  end
+  it "doesn't fires when a non vulnerable version is found and there is a fixed version with higher minor release but I asked to honor the minor version (useful with rails gem)" do
+    @check.dependencies = [{:name=>"this_gem", :version=>'2.3.3'}]
+    @check.save_minor = true
+    @check.vuln?.should    be_false
+  end
+  it "fires when a vulnerable version (2.3.2) is found even if I asked to save minors..." do
+    @check.dependencies = [{:name=>"this_gem", :version=>'2.3.2'}]
+    @check.save_minor = true
+    @check.vuln?.should    be_true
+  end
+end

data/spec/lib/kb/codesake_deprecation_check_spec.rb ADDED

@@ -0,0 +1,56 @@
+require "spec_helper"
+describe "The deprecation check for Ruby and MVC" do
+  before (:all) do
+    @check = Codesake::Dawn::Kb::DeprecationCheck.new
+    @check.enable_warning = false
+    # @check.debug = true
+  end
+  ############################################################################
+  # Ruby deprecation check
+  ############################################################################
+  it "should mark a random 1.1.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.1.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.2.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.2.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.3.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.3.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.4.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.4.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.5.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.5.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.6.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.6.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.7.x ruby version as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.7.#{give_a_number}"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark ruby version 1.8.7 as deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.8.7"}
+    @check.vuln?.should   be_true
+  end
+  it "should mark a random 1.9.x ruby version as non deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"1.9.#{give_a_number}"}
+    @check.vuln?.should   be_false
+  end
+  it "should mark ruby version 2.0.0 as non deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"2.0.0"}
+    @check.vuln?.should   be_false
+  end
+  it "should mark ruby version 2.1.0 as non deprecated" do
+    @check.detected = {:gem=>"ruby", :version=>"2.1.0"}
+    @check.vuln?.should   be_false
+  end
+end

data/spec/lib/kb/codesake_ruby_version_check_spec.rb ADDED

@@ -0,0 +1,40 @@
+require 'spec_helper'
+class Mockup
+  include Codesake::Dawn::Kb::RubyVersionCheck
+  def initialize
+    message = "This is a mock"
+    super(
+      :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+      :applies=>['sinatra', 'padrino', 'rails'],
+      :message=> message
+    )
+    # self.debug = true
+    self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
+  end
+end
+describe "The security check for Ruby interpreter version" do
+  let (:check) {Mockup.new}
+  it "fires if ruby version is vulnerable" do
+    check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
+    check.vuln?.should    be_true
+  end
+  it "doesn't fire if ruby version is not vulnerable and patchlevel is not vulnerable" do
+    check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
+    check.vuln?.should    be_false
+  end
+  it "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable" do
+    check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
+    check.vuln?.should    be_false
+  end
+  it "fires if ruby version is vulnerable and patchlevel is vulnerable" do
+    check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
+    check.vuln?.should    be_true
+  end
+end

data/spec/lib/kb/codesake_version_check_spec.rb ADDED

@@ -0,0 +1,165 @@
+require 'spec_helper'
+describe "The version check should" do
+  before(:all) do
+    @check = Codesake::Dawn::Kb::VersionCheck.new
+    @check.safe=['0.4.5', '0.5.4', '0.7.8']
+    @check.deprecated=['0.1.x', '0.2.x', '0.3.x', '1.x']
+    @check.excluded=['0.6.4']
+    @check.enable_warning = false
+    # @check.debug = true
+  end
+  context "without some beta versions to handle" do
+    it "reports when a version is vulnerable" do
+      @check.is_vulnerable_version?('2.3.0', '2.2.9').should be_true
+    end
+    it "reports when a version is not vulnerable (equals)" do
+      @check.is_vulnerable_version?('2.3.0', '2.3.0').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0', '2.3.1').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0', '2.4.1').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0', '4.4.1').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0', '4.1.1').should be_false
+    end
+    # check for x character support
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.x', '4.1.1').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.x', '4.4.1').should be_false
+    end
+    it "reports when a version is not vulnerable" do
+      @check.is_vulnerable_version?('2.x', '4.4.1').should be_false
+    end
+    it "reports when a version is vulnerable" do
+      @check.is_vulnerable_version?('2.x', '1.4.1').should be_true
+    end
+  end
+  context "with some beta versions to handle" do
+    it "reports when a beta version is vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta1').should be_true
+    end
+    it "reports when a beta version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta5').should be_false
+    end
+    it "reports when a beta version is not vulnerable (equals)" do
+      @check.is_vulnerable_version?('2.3.0.beta5', '2.3.0.beta5').should be_false
+    end
+    it "reports a vulnerability when a stable version is safe and beta is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.3.0.beta9').should be_true
+    end
+    it "reports a safe condition when a beta version is safe and the stable version is detected" do
+      @check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').should be_true
+    end
+    it "reports a vulnerability when a previous beta version is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.2.10.beta2').should be_true
+    end
+    it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major, same minor)" do
+      @check.is_vulnerable_version?('2.2.0', '2.2.10.beta2').should be_false
+    end
+    it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major)" do
+      @check.is_vulnerable_version?('2.2.0', '2.4.10.beta2').should be_false
+    end
+    it "reports a safe condition when a beta version is detected but the safe version was released earlier" do
+      @check.is_vulnerable_version?('2.2.0', '3.4.10.beta2').should be_false
+    end
+  end
+  context "with some rc versions to handle" do
+    it "reports when a rc version is vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc1').should be_true
+    end
+    it "reports when a rc version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc5').should be_false
+    end
+    it "reports when a rc version is not vulnerable (equals)" do
+      @check.is_vulnerable_version?('2.3.0.rc5', '2.3.0.rc5').should be_false
+    end
+    it "reports a vulnerability when a stable version is safe and rc is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.3.0.rc9').should be_true
+    end
+    it "reports a safe condition when a rc version is safe and the stable version is detected" do
+      @check.is_vulnerable_version?('2.3.0.rc9', '2.3.0').should be_false
+    end
+    it "reports a vulnerability when a previous rc version is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.2.10.rc2').should be_true
+    end
+    it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major, same minor)" do
+      @check.is_vulnerable_version?('2.2.0', '2.2.10.rc2').should be_false
+    end
+    it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major)" do
+      @check.is_vulnerable_version?('2.2.0', '2.4.10.rc2').should be_false
+    end
+    it "reports a safe condition when a rc version is detected but the safe version was released earlier" do
+      @check.is_vulnerable_version?('2.2.0', '3.4.10.rc2').should be_false
+    end
+  end
+  context "with some pre versions to handle" do
+    it "reports when a pre version is vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre1').should be_true
+    end
+    it "reports when a pre version is not vulnerable" do
+      @check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre5').should be_false
+    end
+    it "reports when a pre version is not vulnerable (equals)" do
+      @check.is_vulnerable_version?('2.3.0.pre5', '2.3.0.pre5').should be_false
+    end
+    it "reports a vulnerability when a stable version is safe and pre is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.3.0.pre9').should be_true
+    end
+    it "reports a safe condition when a pre version is safe and the stable version is detected" do
+      @check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').should be_true
+    end
+    it "reports a vulnerability when a previous pre version is detected" do
+      @check.is_vulnerable_version?('2.3.0', '2.2.10.pre2').should be_true
+    end
+    it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major, same minor)" do
+      @check.is_vulnerable_version?('2.2.0', '2.2.10.pre2').should be_false
+    end
+    it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major)" do
+      @check.is_vulnerable_version?('2.2.0', '2.4.10.pre2').should be_false
+    end
+    it "reports a safe condition when a pre version is detected but the safe version was released earlier" do
+      @check.is_vulnerable_version?('2.2.0', '3.4.10.pre2').should be_false
+    end
+  end
+  # deprecation check
+  it "reports nonsense deprecation" do
+    nonsense = Codesake::Dawn::Kb::VersionCheck.new
+    nonsense.deprecated = ['x.0.0']
+    nonsense.is_deprecated?('2.2.3').should be_true
+  end
+  it "tells 1.1.12 is deprecated" do
+    @check.is_deprecated?('1.1.12').should be_true
+  end
+  it "tells 0.1.12 is deprecated" do
+    @check.is_deprecated?('0.1.12').should be_true
+  end
+  it "tells 0.4.12 is not deprecated" do
+    @check.is_deprecated?('0.4.12').should be_false
+  end
+  context "applied as it should be" do
+    it "says a version 0.4.6 is safe" do
+      @check.detected = '0.4.6'
+      @check.save_minor = true
+      @check.vuln?.should   be_false
+    end
+  end
+end