RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/Rakefile ADDED

@@ -0,0 +1,250 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+# require "highline/import"
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'fileutils'
+require "codesake/dawn/utils"
+require "codesake/dawn/knowledge_base"
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty -x"
+  t.fork = false
+end
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = ["--color"]
+end
+task :default => [ :spec, :features, :kb ]
+task :test => :spec
+task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
+task :release => [:prepare]
+# namespace :check do
+# desc "Create a dependency check"
+# task :dependency, :name do |t, args|
+# end
+# end
+desc "Create a new CVE test"
+task :cve, :name do |t,args|
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+  puts "Adding #{name} to knowledge base..."
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this CVE"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"is reported when...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+end
+desc "Create a new Generic security check"
+task :check, :name do |t,args|
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+  puts "Adding #{name} to knowledge base..."
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this Security Check"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"is reported when...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+end
+namespace :kb do
+  desc 'Check information lint'
+  task :lint do
+    Codesake::Dawn::KnowledgeBase.new.all.each do |check|
+      l = check.lint
+      puts "check #{check.name} has this attribute(s) with a nil value: #{l.to_s}" unless l.size == 0
+    end
+  end
+desc 'Creates a KnowledgeBase.md file'
+task :create do
+  checks = Codesake::Dawn::KnowledgeBase.new.all
+  open("KnowledgeBase.md", "w") do |file|
+    file.puts "# Codesake::Dawn Knowledge base"
+    file.puts "\nThe knowledge base library for Codesake::Dawn version #{Codesake::Dawn::VERSION} contains #{checks.count} security checks."
+    file.puts "---"
+    checks.each do |c|
+      file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+      file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
+      file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+    end
+    file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
+  end
+  puts "KnowledgeBase.md file successfully generated"
+end
+end
+require 'digest/sha2'
+namespace :checksum do
+desc 'Calculate gem checksum'
+task :calculate do
+  system 'mkdir -p checksum > /dev/null'
+  built_gem_path = "pkg/codesake-dawn-#{Codesake::Dawn::VERSION}.gem"
+  checksum = Digest::SHA512.new.hexdigest(File.read(built_gem_path))
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  File.open(checksum_path, 'w' ) {|f| f.write(checksum) }
+  puts "#{checksum_path}: #{checksum}"
+end
+desc 'Add and commit latest checksum'
+task :commit do
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  system "git add #{checksum_path}"
+  system "git commit -v #{checksum_path} -m \"Adding #{Codesake::Dawn::VERSION} checksum to repo\""
+end
+end
+###############################################################################
+# ruby-advisory-rb integration
+###############################################################################
+namespace :rubysec do
+  desc 'Find new CVE bulletins to add to Codesake::Dawn'
+  task :find do
+    git_url = 'git@github.com:rubysec/ruby-advisory-db.git'
+    target_dir = './tmp/'
+    system "mkdir -p #{target_dir}"
+    system "rm -rf #{target_dir}ruby-advisory-db"
+    system "git clone #{git_url} #{target_dir}ruby-advisory-db"
+    list = []
+    Dir.glob("#{target_dir}ruby-advisory-db/gems/*/*.yml") do |path|
+      advisory = YAML.load_file(path)
+      if advisory['cve']
+        cve = "CVE-"+advisory['cve']
+        # Exclusion
+        # CVE-2007-6183 is a vulnerability in gnome2 ruby binding. Not a gem, I don't care
+        # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
+        # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
+        exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
+        if exclusion.include?(cve)
+          puts "#{cve} is in the exclusion list"
+        else
+          found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
+          puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
+          list << cve unless found
+        end
+      end
+    end
+    unless list.empty?
+      File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
+        f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
+        f.puts list
+      end
+    end
+    system "rm -rf #{target_dir}ruby-advisory-db"
+  end
+end

data/Roadmap.md ADDED

@@ -0,0 +1,59 @@
+# Codesake Dawn - roadmap
+Codesake::Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks.
+This is an ongoing roadmap for the Codesake::Dawn source code review tool.
+_latest update: Mon Mar 31 13:01:21 CEST 2014_
+## Version 1.2.0
+* create a task to check for new CVE in NVD website
+* SQLite3 integration for saving data. Each project will have its own SQLite
+  database containing reviews, findings and all. A table with Codesake::Dawn version it
+  created the database will be inserted as well
+* add a language check. It will handle a ruby script as input and a
+  ruby\_parser line as unsafe pattern. It will compile the ruby and look for
+  the unsafe pattern
+* Add preliminary Cross Site Scripting detection for Ruby on Rails.
+* Issue #7: Improving HTML output and let the user the capability to provide a
+  basic layout to customize report
+* Add a ruby deprecation check, accordingly to
+  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+## Version 1.3.0
+* Add support for ERB for in detect\_views
+* Add preliminary javascript support
+* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
+* add support for pure Rack applications
+* Cross Site Scripting detection: it must be done for all MVC frameworks
+  (including Rack) and it must cover either reflected than stored attack
+  patterns
+* Add a --github option to Codesake::Dawn to clone a remote repository, perform
+  a bundle install and do a code review.
+* Add support for github hooks
+* Add premilinary SQL injection detection for Ruby on Rails
+## Version 1.5.0
+* Add insecure direct object reference detection for all MVC frameworks (including Rack)
+* SQL Injection detection: it must be done for all MVC frameworks (including Rack)
+* Add automatic mitigation patch generation
+* Add support for Javascript
+# Spinoff projects
+Codesake::Dawn is a security scanner for ruby code. Modern web applications
+however are wrote in a plenty of great technologies deserving a good tool for
+security scan.
+Node.js and Go are very promising programming languages and a tool similiar to
+Codesake::Dawn can be wrote also to support them:
+Initially they were in the Codesake::Dawn roadmap for a 2.0.0 version. However
+we decide to drop this in the name of being focused on ruby programming
+language.

data/bin/dawn ADDED

@@ -0,0 +1,210 @@
+#!/usr/bin/env ruby
+require 'getoptlong'
+require 'json'
+require 'terminal-table'
+require 'justify'
+require 'codesake-commons'
+require 'codesake-dawn'
+APPNAME = File.basename($0)
+LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
+VALID_OUTPUT_FORMAT   = %w(console json csv html)
+$logger  = Codesake::Commons::Logging.instance
+opts    = GetoptLong.new(
+  # report formatting options
+  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
+  [ '--json',                   '-j',   GetoptLong::NO_ARGUMENT],
+  [ '--html',                   '-H',   GetoptLong::NO_ARGUMENT],
+  # MVC forcing
+  [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
+  [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
+  [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
+  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT],
+  [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
+  [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
+  # Disable checks by family type
+  [ '--disable-cve-bulletins',          GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-quality',           GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-style',             GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-ror-cheatsheet',   GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-top-10',           GetoptLong::NO_ARGUMENT],
+  # Search knowledge base
+  [ '--search-knowledge-base',  '-S',   GetoptLong::REQUIRED_ARGUMENT],
+  # List stuff
+  [ '--list-knowledge-base',            GetoptLong::NO_ARGUMENT],
+  [ '--list-known-framework',           GetoptLong::NO_ARGUMENT],
+  [ '--list-known-families',            GetoptLong::NO_ARGUMENT],
+  # please save output to file
+  [ '--file',                   '-F',   GetoptLong::REQUIRED_ARGUMENT],
+  # specify an alternate config file
+  [ '--config-file',            '-c',   GetoptLong::REQUIRED_ARGUMENT],
+  # service options
+  [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
+  [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
+  [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
+  [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
+)
+opts.quiet=true
+engine  = nil
+options = Codesake::Dawn::Core.read_conf(Codesake::Dawn::Core.find_conf(true))
+check = ""
+guess = {:name=>"", :version=>"", :connected_gems=>[]}
+begin
+opts.each do |opt, val|
+  case opt
+  when '--version'
+    puts "#{Codesake::Dawn::VERSION} [#{Codesake::Dawn::CODENAME}]"
+    Kernel.exit(0)
+  when '--config-file'
+    options = Codesake::Dawn::Core.read_conf(val)
+  when '--disable-cve-bulletins'
+    options[:enabled_checks].delete(:cve_bulletin)
+  when '--disable-code-quality'
+    options[:enabled_checks].delete(:code_quality)
+  when '--disable-code-style'
+    options[:enabled_checks].delete(:code_style)
+  when '--disable-owasp-ror-cheatsheet'
+    options[:enabled_checks].delete(:owasp_ror_cheatsheet)
+  when '--disable-owasp-top-10'
+    options[:enabled_checks].delete(:owasp_top_10_1)
+    options[:enabled_checks].delete(:owasp_top_10_2)
+    options[:enabled_checks].delete(:owasp_top_10_3)
+    options[:enabled_checks].delete(:owasp_top_10_4)
+    options[:enabled_checks].delete(:owasp_top_10_5)
+    options[:enabled_checks].delete(:owasp_top_10_6)
+    options[:enabled_checks].delete(:owasp_top_10_7)
+    options[:enabled_checks].delete(:owasp_top_10_8)
+    options[:enabled_checks].delete(:owasp_top_10_9)
+    options[:enabled_checks].delete(:owasp_top_10_10)
+  when '--list-known-families'
+    printf "Codesake::Dawn supports following check families:\n\n"
+    puts Codesake::Dawn::Kb::BasicCheck.families
+    Kernel.exit(0)
+  when '--json'
+    options[:output] = "json"
+  when '--ascii-tabular-report'
+    options[:output] = "tabular"
+  when '--html'
+    options[:output] = "html"
+  when '--rails'
+    options[:mvc]=:rails
+  when '--sinatra'
+    options[:mvc]=:sinatra
+  when '--padrino'
+    options[:mvc]=:padrino
+  when '--file'
+    options[:filename] = val
+  when '--gem-lock'
+    options[:gemfile_scan] = true
+    unless val.empty?
+      options[:gemfile_name] = val
+      guess = Codesake::Dawn::Core.guess_mvc(val)
+    end
+  when '--verbose'
+    options[:verbose]=true
+  when '--count-only'
+    options[:output] = "count"
+  when '--debug'
+    options[:debug] = true
+  when '--exit-on-warn'
+    options[:exit_on_warn] = true
+  when '--search-knowledge-base'
+    found = Codesake::Dawn::KnowledgeBase.find(nil, val)
+    puts "#{val} found in knowledgebase." if found
+    puts "#{val} not found in knowledgebase" if ! found
+    Kernel.exit(0)
+  when '--list-knowledge-base'
+    puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose])
+    Kernel.exit(0)
+  when '--list-known-framework'
+    puts "Ruby MVC framework supported by #{APPNAME}:"
+    LIST_KNOWN_FRAMEWORK.each do |mvc|
+      puts "* #{mvc}"
+    end
+    Kernel.exit(0)
+  when '--help'
+    Kernel.exit(Codesake::Dawn::Core.help)
+  end
+end
+rescue GetoptLong::InvalidOption => e
+  $logger.helo APPNAME, Codesake::Dawn::VERSION
+  $logger.err e.message
+  Kernel.exit(Codesake::Dawn::Core.help)
+end
+target=ARGV.shift
+$logger.helo APPNAME, Codesake::Dawn::VERSION
+trap("INT")   { $logger.die('[INTERRUPTED]') }
+$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
+$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Codesake::Dawn::Core.is_good_target?(target)
+$logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
+$logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
+## MVC auto detect.
+# Skipping MVC autodetect if it's already been done by guess_mvc when choosing Gemfile.lock scan
+unless options[:gemfile_scan]
+  begin
+    if options[:mvc].empty?
+      engine = Codesake::Dawn::Core.detect_mvc(target)
+      $logger.log("using #{engine.class.name} engine via autodect") if options[:debug]
+    else
+      engine = Codesake::Dawn::Rails.new(target)      if options[:mvc] == :rails
+      engine = Codesake::Dawn::Sinatra.new(target)    if options[:mvc] == :sinatra
+      engine = Codesake::Dawn::Padrino.new(target)    if options[:mvc] == :padrino
+    end
+  rescue ArgumentError => e
+    $logger.die(e.message)
+  end
+else
+  engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
+end
+$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
+if options[:exit_on_warn]
+  Kernel.at_exit do
+    if engine.count_vulnerabilities != 0
+      Kernel.exit(engine.count_vulnerabilities)
+    end
+  end
+end
+if options[:debug]
+  $logger.warn "putting engine in debug mode"
+  engine.debug = true
+end
+$logger.die "missing target framework option" if engine.nil?
+$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
+$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply?
+engine.load_knowledge_base(options[:enabled_checks])
+ret = engine.apply_all
+if options[:output] == "count"
+  puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
+  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+  Kernel.exit(0)
+end
+Codesake::Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
+$logger.bye