dawnscanner 1.2.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +4 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +19 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -0
- data/Changelog.md +412 -0
- data/Gemfile +4 -0
- data/KnowledgeBase.md +213 -0
- data/LICENSE.txt +22 -0
- data/README.md +354 -0
- data/Rakefile +250 -0
- data/Roadmap.md +59 -0
- data/bin/dawn +210 -0
- data/certs/paolo_at_codesake_dot_com.pem +21 -0
- data/checksum/.placeholder +0 -0
- data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
- data/dawnscanner.gemspec +43 -0
- data/doc/codesake-dawn.yaml.sample +26 -0
- data/doc/dawn_1_0_announcement.md +139 -0
- data/doc/dawn_1_1_announcement.md +67 -0
- data/doc/dawn_1_2_announcement.md +69 -0
- data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
- data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
- data/features/step_definition/dawn_steps.rb +19 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake-dawn.rb +12 -0
- data/lib/codesake/dawn/core.rb +175 -0
- data/lib/codesake/dawn/engine.rb +380 -0
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/basic_check.rb +228 -0
- data/lib/codesake/dawn/kb/combo_check.rb +64 -0
- data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
- data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
- data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
- data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
- data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
- data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
- data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
- data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
- data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
- data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
- data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
- data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
- data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
- data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
- data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
- data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
- data/lib/codesake/dawn/kb/version_check.rb +418 -0
- data/lib/codesake/dawn/knowledge_base.rb +513 -0
- data/lib/codesake/dawn/padrino.rb +82 -0
- data/lib/codesake/dawn/rails.rb +17 -0
- data/lib/codesake/dawn/railtie.rb +9 -0
- data/lib/codesake/dawn/reporter.rb +280 -0
- data/lib/codesake/dawn/sinatra.rb +129 -0
- data/lib/codesake/dawn/tasks.rb +27 -0
- data/lib/codesake/dawn/utils.rb +21 -0
- data/lib/codesake/dawn/version.rb +28 -0
- data/lib/tasks/codesake-dawn_tasks.rake +1 -0
- data/spec/lib/dawn/codesake_core_spec.rb +9 -0
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
- data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
- data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
- data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
- data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
- data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
- data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
- data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
- data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
- data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
- data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
- data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
- data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
- data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
- data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
- data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
- data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
- data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
- data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
- data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
- data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
- data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
- data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
- data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
- data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
- data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
- data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
- data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
- data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
- data/spec/spec_helper.rb +11 -0
- data/support/bootstrap.js +2027 -0
- data/support/bootstrap.min.css +9 -0
- data/support/codesake.css +63 -0
- metadata +659 -0
- metadata.gz.sig +0 -0
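--- a/data/spec/lib/dawn/codesake_padrino_engine_disabled.rb
+++ b/data/spec/lib/dawn/codesake_padrino_engine_disabled.rb
@@ -0,0 +1,45 @@
+require 'spec_helper'
+
+
+describe "The Codesake::Dawn engine for padrino applications" do
+before(:all) do
+@engine = Codesake::Dawn::Padrino.new('./spec/support/hello_world_padrino')
+end
+
+
+it "has a proper name" do
+@engine.name.should == "padrino"
+end
+
+it "has a valid target" do
+@engine.target.should == "./spec/support/hello_world_padrino"
+@engine.target_is_dir?.should be_true
+end
+
+it "detects the applications declared in config/apps.rb" do
+@engine.should respond_to(:detect_apps)
+@engine.apps.should_not be_nil
+@engine.apps.count.should == 3
+end
+
+it "creates a valid pool of Sinatra engines" do
+@engine.apps[0].mount_point.should == "/"
+@engine.apps[1].mount_point.should == "/log"
+@engine.apps[2].mount_point.should == "/dispatcher"
+end
+
+
+it "has a good Gemfile.lock" do
+@engine.has_gemfile_lock?.should be_true
+end
+
+it "detects padrino v0.11.2" do
+@engine.mvc_version.should == "0.11.2"
+end
+
+
+# describe "analyzing the main application" do
+# end
+
+
+end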
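Review bot: The fixture this spec depends on, `./spec/support/hello_world_padrino` (line 6), is absent from the package: the file list at the top of the page contains no `data/spec/support/` entry, so the examples cannot run from the shipped gem even once the `_disabled` suffix is dropped. The same applies to `./spec/support/hello_world_3.1.0` in the rails spec and to `./spec/support/sinatra-safe` and `./spec/support/sinatra-vulnerable` in the sinatra spec. Either ship the fixture apps under `data/spec/support/` or add a header comment such as `# Requires the hello_world_padrino fixture app, which is not packaged with the gem` so a reader does not try to enable the file as-is. The commented-out `describe "analyzing the main application"` on lines 41–42 is dead scaffolding and should be removed or turned into a pending example.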
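--- a/data/spec/lib/dawn/codesake_rails_engine_disabled.rb
+++ b/data/spec/lib/dawn/codesake_rails_engine_disabled.rb
@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+describe "The Codesake::Dawn engine for rails applications" do
+before(:all){@engine = Codesake::Dawn::Rails.new}
+
+it "detects the version used in the hello_world_3.1.0 application" do
+@engine.set_target("./spec/support/hello_world_3.1.0")
+@engine.ruby_version[:version].should == RUBY_VERSION
+@engine.ruby_version[:patchlevel].should == "p#{RUBY_PATCHLEVEL}"
+end
+
+end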
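Review bot: The example on lines 6–9 is described as detecting the Ruby version of the hello_world_3.1.0 application, but both assertions compare against the interpreter running the spec (`RUBY_VERSION`, `RUBY_PATCHLEVEL`), so it passes for any target and says nothing about that application. If `ruby_version` is meant to report the running interpreter, as the sinatra spec's "detects running ruby as the one to be checked against" example suggests, the description should say so: `it "reports the running ruby as the one to be checked against" do`. If it is meant to read the target's `.ruby-version`, the expected values should be literal strings taken from that fixture rather than the host's constants.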
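--- a/data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb
+++ b/data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb
@@ -0,0 +1,128 @@
+require 'spec_helper'
+
+describe "The Codesake::Dawn engine for sinatra applications" do
+before(:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-safe')}
+
+it "has a proper name" do
+@engine.name.should == "sinatra"
+end
+
+it "detects the default application name" do
+@engine.appname.should == "application.rb"
+end
+it "has a valid target" do
+@engine.target.should == "./spec/support/sinatra-safe"
+@engine.target_is_dir?.should be_true
+end
+
+it "has a good Gemfile.lock" do
+@engine.has_gemfile_lock?.should be_true
+end
+
+it "detects a sinatra 1.4.4" do
+@engine.mvc_version.should == "1.4.4"
+end
+
+it "detects 2 views" do
+@engine.views.should == [{:filename=>"./spec/support/sinatra-safe/views/layout.haml", :language=>:haml}, {:filename=>"./spec/support/sinatra-safe/views/root.haml", :language=>:haml}]
+end
+it "detects views are written using HAML" do
+@engine.views[0][:language].should == :haml
+@engine.views[1][:language].should == :haml
+end
+
+it "has some check in the knowledge base" do
+@engine.checks.should_not be_nil
+@engine.checks.should_not be_empty
+end
+it "has check for CVE-2013-1800" do
+Codesake::Dawn::KnowledgeBase.find(@engine.checks, "CVE-2013-1800").should_not be_nil
+end
+
+it "applies all checks" do
+@engine.apply_all.should be_true
+end
+it "applies check for CVE-2013-1800" do
+@engine.apply("CVE-2013-1800").should be_true
+end
+
+it "applies check for \"Not revised code\"" do
+@engine.apply("Not revised code").should be_true
+end
+
+describe "applied to sinatra-safe application" do
+it "reports it's not vulnerable to CVE-2013-1800" do
+@engine.is_vulnerable_to?("CVE-2013-1800").should be_false
+end
+
+it "reports it's not vulnerable to \"Not revised code\"" do
+@engine.is_vulnerable_to?("Not revised code").should be_false
+end
+
+it "reports it has no vulnerabilities" do
+puts @engine.vulnerabilities
+@engine.vulnerabilities.should be_empty
+end
+end
+
+describe "applied do the sinatra-vulnerable application" do
+before (:all) {@engine= Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')}
+it "has a valid target" do
+@engine.target.should == "./spec/support/sinatra-vulnerable"
+@engine.target_is_dir?.should be_true
+end
+
+it "detects running ruby as the one to be checked against" do
+@engine.ruby_version[:version].should == RUBY_VERSION
+end
+
+it "reports it's vulnerable to CVE-2013-1800" do
+@engine.is_vulnerable_to?("CVE-2013-1800").should be_true
+end
+
+it "reports it's vulnerable to \"Not revised code\"" do
+@engine.is_vulnerable_to?("Not revised code").should be_true
+end
+
+it "reports it has vulnerabilities" do
+@engine.vulnerabilities.should_not be_empty
+end
+
+it "applies automagically all the tests if no test has been applied" do
+e2 = Codesake::Dawn::Sinatra.new('./spec/support/sinatra-vulnerable')
+e2.vulnerabilities.should_not be_empty
+end
+
+context "when scanning for XSS" do
+it "detects 3 views" do
+@engine.views.should == [
+{:filename=>"./spec/support/sinatra-vulnerable/views/layout.haml", :language=>:haml},
+{:filename=>"./spec/support/sinatra-vulnerable/views/root.haml", :language=>:haml},
+{:filename=>"./spec/support/sinatra-vulnerable/views/xss.haml", :language=>:haml}
+]
+end
+it "detects views are written using HAML" do
+@engine.views[0][:language].should == :haml
+@engine.views[1][:language].should == :haml
+@engine.views[2][:language].should == :haml
+end
+
+it "detects a sink on application.rb" do
+sink = @engine.detect_sinks("application.rb")
+sink.should == [
+{:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>" @xss_param = params['name']"},
+{:sink_name=>"@my_arr", :sink_kind=>:params, :sink_line=>27, :sink_source=>"second", :sink_file=>"application.rb", :sink_evidence=>" @my_arr[0] = params['second']"}
+]
+end
+
+it "detects reflected ones in HAML views" do
+reflected_xss= @engine.detect_reflected_xss
+@engine.reflected_xss.should_not be_nil
+@engine.reflected_xss.should_not be_empty
+@engine.reflected_xss.should == [
+{:sink_name=>"@xss_param", :sink_kind=>:params, :sink_line=>26, :sink_source=>"name", :sink_file=>"application.rb", :sink_evidence=>" @xss_param = params['name']", :sink_view=>"./spec/support/sinatra-vulnerable/views/xss.haml"}
+]
+end
+end
+end
+end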
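Review bot: `puts @engine.vulnerabilities` on line 63 is leftover debugging output that dumps the vulnerability list into every spec run; drop the line and keep only the `@engine.vulnerabilities.should be_empty` assertion. Line 119 assigns `reflected_xss= @engine.detect_reflected_xss` and never reads the local, so either call `@engine.detect_reflected_xss` on its own or assert on the return value instead of re-reading `@engine.reflected_xss`. The group description on line 68, "applied do the sinatra-vulnerable application", presumably means "applied to". Line 69 also puts a space between `before` and `(:all)`, which Ruby tolerates but RuboCop flags; `before(:all)` matches line 4.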
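--- a/data/spec/lib/kb/codesake_cve_2013_0175_spec.rb
+++ b/data/spec/lib/kb/codesake_cve_2013_0175_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe "CVE-2013-0175 security check" do
+let (:check) {Codesake::Dawn::Kb::CVE_2013_0175.new}
+it "knows its name" do
+check.name.should == "CVE-2013-0175"
+end
+it "has a 7.5 cvss score" do
+check.cvss_score == 7.5
+end
+
+it "fires when multi_xml vulnerable gem it has been found" do
+check.dependencies = [{:name=>"multi_xml", :version=>"0.5.2"}]
+check.vuln?.should be_true
+end
+it "fires when Grape vulnerable gem it has been found" do
+check.dependencies = [{:name=>"grape", :version=>"0.2.5"}]
+check.vuln?.should be_true
+end
+it "fires when multi_xml gem is not vulnerable but Grape is" do
+check.dependencies = [{:name=>"grape", :version=>"0.2.5"}, {:name=>"multi_xml", :version=>"0.5.3"}]
+check.vuln?.should be_true
+end
+it "fires when multi_xml gem is vulnerable but Grape is not" do
+check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.2"}]
+check.vuln?.should be_true
+end
+
+it "doesn't fire when no vulnerabilities were found" do
+check.dependencies = [{:name=>"grape", :version=>"0.2.6"}, {:name=>"multi_xml", :version=>"0.5.3"}]
+check.vuln?.should be_false
+end
+
+
+end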
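Review bot: The example "has a 7.5 cvss score" on line 9 contains no expectation: `check.cvss_score == 7.5` evaluates a boolean and discards it, so the example passes whatever `cvss_score` returns. It should read `check.cvss_score.should == 7.5`, matching the `.should ==` form used on line 6. Line 4 also puts a space between `let` and `(`, which Ruby tolerates but RuboCop flags; `let(:check) { Codesake::Dawn::Kb::CVE_2013_0175.new }` is the conventional form.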
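--- a/data/spec/lib/kb/codesake_cve_2013_4457_spec.rb
+++ b/data/spec/lib/kb/codesake_cve_2013_4457_spec.rb
@@ -0,0 +1,41 @@
+require 'spec_helper'
+
+describe "The CVE-2013-4457 vulnerability" do
+before(:all) do
+@check = Codesake::Dawn::Kb::CVE_2013_4457.new
+# @check.debug = true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.4.0'}]
+@check.vuln?.should be_true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.4.1'}]
+@check.vuln?.should be_true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.4.2'}]
+@check.vuln?.should be_true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.5.0'}]
+@check.vuln?.should be_true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.5.1'}]
+@check.vuln?.should be_true
+end
+it "is detected if vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.5.2'}]
+@check.vuln?.should be_true
+end
+
+it "is skipped if non vulnerable version of cocaine rubygem is detected" do
+@check.dependencies=[{:name=>"cocaine", :version=>'0.3.2'}]
+# @check.debug = true
+@check.vuln?.should be_false
+end
+
+
+
+end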
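Review bot: The six examples on lines 8–31 carry the identical description "is detected if vulnerable version of cocaine rubygem is detected", so a failure report cannot tell which of the six versions broke. Generating them from the version list puts the version into the description and removes the copy-paste. Because `@check` is built once in `before(:all)` (lines 4–7) and every example reassigns `dependencies`, the examples stay independent only as long as each one sets `dependencies` before calling `vuln?`; a `before(:each)` would make that guarantee explicit rather than relying on discipline.
```ruby
%w[0.4.0 0.4.1 0.4.2 0.5.0 0.5.1 0.5.2].each do |version|
  it "is detected if cocaine #{version} is among the dependencies" do
    @check.dependencies=[{:name=>"cocaine", :version=>version}]
    @check.vuln?.should be_true
  end
end
# … unchanged: non-vulnerable 0.3.2 example …
```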
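--- a/data/spec/lib/kb/codesake_dependency_version_check_spec.rb
+++ b/data/spec/lib/kb/codesake_dependency_version_check_spec.rb
@@ -0,0 +1,76 @@
+require 'spec_helper'
+
+class DependencyMockup
+include Codesake::Dawn::Kb::DependencyCheck
+
+def initialize
+message = "This is a mock"
+super(
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:applies=>['sinatra', 'padrino', 'rails'],
+:message=> message
+)
+# self.debug = true
+
+self.safe_dependencies = [{:name=>'this_gem', :version=>['0.3.0', '1.3.3', '2.3.3', '2.4.2', '9.4.31.2']}]
+self.save_major = true
+end
+end
+
+
+describe "The security check for gem dependency should" do
+before(:all) do
+@check = DependencyMockup.new
+end
+# let (:check) {Mockup.new}
+
+it "gives an unkown priority value" do
+@check.priority.should == "unknown"
+end
+
+it "gives the assigned priority value" do
+@check.priority = :critical
+@check.priority.should == "critical"
+end
+it "gives an unknown severity since no CVSS is provided and no severity is given" do
+@check.severity.should == "unknown"
+end
+
+it "gives the severity level provided. No CVSS is here" do
+@check.severity = :critical
+@check.severity.should == "critical"
+end
+
+it "fires if vulnerable 0.2.9 version is detected" do
+@check.dependencies = [{:name=>"this_gem", :version=>'0.2.9'}]
+@check.vuln?.should be_true
+end
+it "doesn't fire if not vulnerable 0.4.0 version is found" do
+@check.dependencies = [{:name=>"this_gem", :version=>'0.4.0'}]
+@check.vuln?.should be_false
+end
+
+it "fires if vulnerable 1.3.2 version is found" do
+@check.dependencies = [{:name=>"this_gem", :version=>'1.3.2'}]
+@check.vuln?.should be_true
+end
+
+it "doesn't fire if not vulnerable 1.4.2 version is found" do
+@check.dependencies = [{:name=>"this_gem", :version=>'1.4.2'}]
+@check.vuln?.should be_false
+end
+
+it "doesn't fires when a non vulnerable version is found and there is a fixed version with higher minor release but I asked to honor the minor version (useful with rails gem)" do
+@check.dependencies = [{:name=>"this_gem", :version=>'2.3.3'}]
+@check.save_minor = true
+@check.vuln?.should be_false
+end
+it "fires when a vulnerable version (2.3.2) is found even if I asked to save minors..." do
+@check.dependencies = [{:name=>"this_gem", :version=>'2.3.2'}]
+@check.save_minor = true
+@check.vuln?.should be_true
+
+end
+
+
+end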
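Review bot: The single `DependencyMockup` built in `before(:all)` (lines 22–24) is shared by every example and mutated by several of them: lines 32 and 40 assign `priority` and `severity`, and lines 65 and 70 set `save_minor = true`, none of which is reset. The examples on lines 27 and 35, which expect the "unknown" defaults, therefore pass only if they run before those assignments, and any example ordered after line 65 silently runs with `save_minor` on. A fresh mock per example fixes this with a one-word change, `before(:each) do`, or with `let(:check) { DependencyMockup.new }` as the commented-out line 25 already hints. The description on line 27 also misspells "unknown" as "unkown".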
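--- a/data/spec/lib/kb/codesake_deprecation_check_spec.rb
+++ b/data/spec/lib/kb/codesake_deprecation_check_spec.rb
@@ -0,0 +1,56 @@
+require "spec_helper"
+
+describe "The deprecation check for Ruby and MVC" do
+before (:all) do
+@check = Codesake::Dawn::Kb::DeprecationCheck.new
+@check.enable_warning = false
+# @check.debug = true
+end
+############################################################################
+# Ruby deprecation check
+############################################################################
+it "should mark a random 1.1.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.1.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.2.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.2.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.3.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.3.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.4.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.4.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.5.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.5.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.6.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.6.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.7.x ruby version as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.7.#{give_a_number}"}
+@check.vuln?.should be_true
+end
+it "should mark ruby version 1.8.7 as deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.8.7"}
+@check.vuln?.should be_true
+end
+it "should mark a random 1.9.x ruby version as non deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"1.9.#{give_a_number}"}
+@check.vuln?.should be_false
+end
+it "should mark ruby version 2.0.0 as non deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"2.0.0"}
+@check.vuln?.should be_false
+end
+it "should mark ruby version 2.1.0 as non deprecated" do
+@check.detected = {:gem=>"ruby", :version=>"2.1.0"}
+@check.vuln?.should be_false
+end
+end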
@@ -0,0 +1,40 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
class Mockup
|
|
4
|
+
include Codesake::Dawn::Kb::RubyVersionCheck
|
|
5
|
+
|
|
6
|
+
def initialize
|
|
7
|
+
message = "This is a mock"
|
|
8
|
+
super(
|
|
9
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
10
|
+
:applies=>['sinatra', 'padrino', 'rails'],
|
|
11
|
+
:message=> message
|
|
12
|
+
)
|
|
13
|
+
# self.debug = true
|
|
14
|
+
|
|
15
|
+
self.safe_rubies = [{:version=>"1.9.3", :patchlevel=>"p392"}, {:version=>"2.0.0", :patchlevel=>"p0"}]
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
describe "The security check for Ruby interpreter version" do
|
|
20
|
+
let (:check) {Mockup.new}
|
|
21
|
+
|
|
22
|
+
it "fires if ruby version is vulnerable" do
|
|
23
|
+
check.detected_ruby = {:version=>"1.9.2", :patchlevel=>"p10000"}
|
|
24
|
+
check.vuln?.should be_true
|
|
25
|
+
end
|
|
26
|
+
it "doesn't fire if ruby version is not vulnerable and patchlevel is not vulnerable" do
|
|
27
|
+
check.detected_ruby = {:version=>"1.9.4", :patchlevel=>"p10000"}
|
|
28
|
+
check.vuln?.should be_false
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
it "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable" do
|
|
32
|
+
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p10000"}
|
|
33
|
+
check.vuln?.should be_false
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it "fires if ruby version is vulnerable and patchlevel is vulnerable" do
|
|
37
|
+
check.detected_ruby = {:version=>"1.9.3", :patchlevel=>"p391"}
|
|
38
|
+
check.vuln?.should be_true
|
|
39
|
+
end
|
|
40
|
+
end
|
|
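Review bot: The spec never exercises the second `safe_rubies` entry set up in the mock (line 15): nothing asserts that `{:version=>"2.0.0", :patchlevel=>"p0"}` is reported safe, nor what happens for a 2.0.0 build or a version newer than every safe entry (for example 2.1.0), so a regression in how the check walks `safe_rubies` or compares patchlevels outside the 1.9.3 branch would pass unnoticed. I would add `check.detected_ruby = {:version=>"2.0.0", :patchlevel=>"p0"}; check.vuln?.should be_false` plus a 2.1.0 example with whichever expectation the implementation intends (the hunk does not show whether versions above the newest safe ruby are treated as safe or flagged). The description at line 31, "doesn't fire if ruby version is vulnerable and patchlevel is not vulnerable", contradicts its own fixture, since 1.9.3 is the safe version in the mock; `it "doesn't fire if ruby version is the safe one and patchlevel is newer than the safe patchlevel"` describes what line 32 actually tests. The `"p10000"` patchlevel on lines 23, 27 and 32 is a useful guard because it sorts below `"p392"` as a string but above it numerically, so a short comment such as `# p10000 < p392 lexicographically: guards against string comparison of patchlevels` would stop someone from "simplifying" it to p400.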
@@ -0,0 +1,165 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe "The version check should" do
|
|
4
|
+
before(:all) do
|
|
5
|
+
@check = Codesake::Dawn::Kb::VersionCheck.new
|
|
6
|
+
@check.safe=['0.4.5', '0.5.4', '0.7.8']
|
|
7
|
+
@check.deprecated=['0.1.x', '0.2.x', '0.3.x', '1.x']
|
|
8
|
+
@check.excluded=['0.6.4']
|
|
9
|
+
@check.enable_warning = false
|
|
10
|
+
# @check.debug = true
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
context "without some beta versions to handle" do
|
|
14
|
+
|
|
15
|
+
it "reports when a version is vulnerable" do
|
|
16
|
+
@check.is_vulnerable_version?('2.3.0', '2.2.9').should be_true
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it "reports when a version is not vulnerable (equals)" do
|
|
20
|
+
@check.is_vulnerable_version?('2.3.0', '2.3.0').should be_false
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
it "reports when a version is not vulnerable" do
|
|
24
|
+
@check.is_vulnerable_version?('2.3.0', '2.3.1').should be_false
|
|
25
|
+
end
|
|
26
|
+
it "reports when a version is not vulnerable" do
|
|
27
|
+
@check.is_vulnerable_version?('2.3.0', '2.4.1').should be_false
|
|
28
|
+
end
|
|
29
|
+
it "reports when a version is not vulnerable" do
|
|
30
|
+
@check.is_vulnerable_version?('2.3.0', '4.4.1').should be_false
|
|
31
|
+
end
|
|
32
|
+
it "reports when a version is not vulnerable" do
|
|
33
|
+
@check.is_vulnerable_version?('2.3.0', '4.1.1').should be_false
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
# check for x character support
|
|
37
|
+
|
|
38
|
+
it "reports when a version is not vulnerable" do
|
|
39
|
+
@check.is_vulnerable_version?('2.x', '4.1.1').should be_false
|
|
40
|
+
end
|
|
41
|
+
it "reports when a version is not vulnerable" do
|
|
42
|
+
@check.is_vulnerable_version?('2.x', '4.4.1').should be_false
|
|
43
|
+
end
|
|
44
|
+
it "reports when a version is not vulnerable" do
|
|
45
|
+
@check.is_vulnerable_version?('2.x', '4.4.1').should be_false
|
|
46
|
+
end
|
|
47
|
+
it "reports when a version is vulnerable" do
|
|
48
|
+
@check.is_vulnerable_version?('2.x', '1.4.1').should be_true
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
|
|
52
|
+
end
|
|
53
|
+
context "with some beta versions to handle" do
|
|
54
|
+
it "reports when a beta version is vulnerable" do
|
|
55
|
+
@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta1').should be_true
|
|
56
|
+
end
|
|
57
|
+
it "reports when a beta version is not vulnerable" do
|
|
58
|
+
@check.is_vulnerable_version?('2.3.0.beta3', '2.3.0.beta5').should be_false
|
|
59
|
+
end
|
|
60
|
+
it "reports when a beta version is not vulnerable (equals)" do
|
|
61
|
+
@check.is_vulnerable_version?('2.3.0.beta5', '2.3.0.beta5').should be_false
|
|
62
|
+
end
|
|
63
|
+
it "reports a vulnerability when a stable version is safe and beta is detected" do
|
|
64
|
+
@check.is_vulnerable_version?('2.3.0', '2.3.0.beta9').should be_true
|
|
65
|
+
end
|
|
66
|
+
it "reports a safe condition when a beta version is safe and the stable version is detected" do
|
|
67
|
+
@check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').should be_true
|
|
68
|
+
end
|
|
69
|
+
it "reports a vulnerability when a previous beta version is detected" do
|
|
70
|
+
@check.is_vulnerable_version?('2.3.0', '2.2.10.beta2').should be_true
|
|
71
|
+
end
|
|
72
|
+
it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major, same minor)" do
|
|
73
|
+
@check.is_vulnerable_version?('2.2.0', '2.2.10.beta2').should be_false
|
|
74
|
+
end
|
|
75
|
+
it "reports a safe condition when a beta version is detected but the safe version was released earlier (same major)" do
|
|
76
|
+
@check.is_vulnerable_version?('2.2.0', '2.4.10.beta2').should be_false
|
|
77
|
+
end
|
|
78
|
+
it "reports a safe condition when a beta version is detected but the safe version was released earlier" do
|
|
79
|
+
@check.is_vulnerable_version?('2.2.0', '3.4.10.beta2').should be_false
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
|
|
83
|
+
context "with some rc versions to handle" do
|
|
84
|
+
it "reports when a rc version is vulnerable" do
|
|
85
|
+
@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc1').should be_true
|
|
86
|
+
end
|
|
87
|
+
it "reports when a rc version is not vulnerable" do
|
|
88
|
+
@check.is_vulnerable_version?('2.3.0.rc3', '2.3.0.rc5').should be_false
|
|
89
|
+
end
|
|
90
|
+
it "reports when a rc version is not vulnerable (equals)" do
|
|
91
|
+
@check.is_vulnerable_version?('2.3.0.rc5', '2.3.0.rc5').should be_false
|
|
92
|
+
end
|
|
93
|
+
it "reports a vulnerability when a stable version is safe and rc is detected" do
|
|
94
|
+
@check.is_vulnerable_version?('2.3.0', '2.3.0.rc9').should be_true
|
|
95
|
+
end
|
|
96
|
+
it "reports a safe condition when a rc version is safe and the stable version is detected" do
|
|
97
|
+
@check.is_vulnerable_version?('2.3.0.rc9', '2.3.0').should be_false
|
|
98
|
+
end
|
|
99
|
+
it "reports a vulnerability when a previous rc version is detected" do
|
|
100
|
+
@check.is_vulnerable_version?('2.3.0', '2.2.10.rc2').should be_true
|
|
101
|
+
end
|
|
102
|
+
it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major, same minor)" do
|
|
103
|
+
@check.is_vulnerable_version?('2.2.0', '2.2.10.rc2').should be_false
|
|
104
|
+
end
|
|
105
|
+
it "reports a safe condition when a rc version is detected but the safe version was released earlier (same major)" do
|
|
106
|
+
@check.is_vulnerable_version?('2.2.0', '2.4.10.rc2').should be_false
|
|
107
|
+
end
|
|
108
|
+
it "reports a safe condition when a rc version is detected but the safe version was released earlier" do
|
|
109
|
+
@check.is_vulnerable_version?('2.2.0', '3.4.10.rc2').should be_false
|
|
110
|
+
end
|
|
111
|
+
end
|
|
112
|
+
|
|
113
|
+
context "with some pre versions to handle" do
|
|
114
|
+
it "reports when a pre version is vulnerable" do
|
|
115
|
+
@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre1').should be_true
|
|
116
|
+
end
|
|
117
|
+
it "reports when a pre version is not vulnerable" do
|
|
118
|
+
@check.is_vulnerable_version?('2.3.0.pre3', '2.3.0.pre5').should be_false
|
|
119
|
+
end
|
|
120
|
+
it "reports when a pre version is not vulnerable (equals)" do
|
|
121
|
+
@check.is_vulnerable_version?('2.3.0.pre5', '2.3.0.pre5').should be_false
|
|
122
|
+
end
|
|
123
|
+
it "reports a vulnerability when a stable version is safe and pre is detected" do
|
|
124
|
+
@check.is_vulnerable_version?('2.3.0', '2.3.0.pre9').should be_true
|
|
125
|
+
end
|
|
126
|
+
it "reports a safe condition when a pre version is safe and the stable version is detected" do
|
|
127
|
+
@check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').should be_true
|
|
128
|
+
end
|
|
129
|
+
it "reports a vulnerability when a previous pre version is detected" do
|
|
130
|
+
@check.is_vulnerable_version?('2.3.0', '2.2.10.pre2').should be_true
|
|
131
|
+
end
|
|
132
|
+
it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major, same minor)" do
|
|
133
|
+
@check.is_vulnerable_version?('2.2.0', '2.2.10.pre2').should be_false
|
|
134
|
+
end
|
|
135
|
+
it "reports a safe condition when a pre version is detected but the safe version was released earlier (same major)" do
|
|
136
|
+
@check.is_vulnerable_version?('2.2.0', '2.4.10.pre2').should be_false
|
|
137
|
+
end
|
|
138
|
+
it "reports a safe condition when a pre version is detected but the safe version was released earlier" do
|
|
139
|
+
@check.is_vulnerable_version?('2.2.0', '3.4.10.pre2').should be_false
|
|
140
|
+
end
|
|
141
|
+
end
|
|
142
|
+
# deprecation check
|
|
143
|
+
it "reports nonsense deprecation" do
|
|
144
|
+
nonsense = Codesake::Dawn::Kb::VersionCheck.new
|
|
145
|
+
nonsense.deprecated = ['x.0.0']
|
|
146
|
+
nonsense.is_deprecated?('2.2.3').should be_true
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
it "tells 1.1.12 is deprecated" do
|
|
150
|
+
@check.is_deprecated?('1.1.12').should be_true
|
|
151
|
+
end
|
|
152
|
+
it "tells 0.1.12 is deprecated" do
|
|
153
|
+
@check.is_deprecated?('0.1.12').should be_true
|
|
154
|
+
end
|
|
155
|
+
it "tells 0.4.12 is not deprecated" do
|
|
156
|
+
@check.is_deprecated?('0.4.12').should be_false
|
|
157
|
+
end
|
|
158
|
+
context "applied as it should be" do
|
|
159
|
+
it "says a version 0.4.6 is safe" do
|
|
160
|
+
@check.detected = '0.4.6'
|
|
161
|
+
@check.save_minor = true
|
|
162
|
+
@check.vuln?.should be_false
|
|
163
|
+
end
|
|
164
|
+
end
|
|
165
|
+
end
|
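Review bot: The expectation at line 67 contradicts its own description, "reports a safe condition when a beta version is safe and the stable version is detected" asserts `be_true` (vulnerable), while the identical rc case at line 97 asserts `be_false` and the pre case at line 127 asserts `be_true` again. A stable 2.3.0 supersedes 2.3.0.beta9/rc9/pre9, so either the implementation flags a release newer than the safe pre-release (a false positive this spec now pins for two of the three tags) or the beta/pre assertions are wrong; the three should agree, and if "safe" is the intended semantics lines 67 and 127 become `@check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').should be_false` and `@check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').should be_false`, otherwise the descriptions need fixing. Lines 42 and 45 are the same example (`'2.x', '4.4.1'`) twice, and lines 24-34 all share the description "reports when a version is not vulnerable", which makes a failure impossible to locate from the report. `@check` is built once in `before(:all)` and the final context mutates it (`detected`, `save_minor`), so under random example ordering that state leaks into the other examples; `before(:each)` or a `let` would isolate it.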