RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/Rakefile ADDED

@@ -0,0 +1,250 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+# require "highline/import"
+require 'cucumber'
+require 'cucumber/rake/task'
+require 'fileutils'
+require "codesake/dawn/utils"
+require "codesake/dawn/knowledge_base"
+Cucumber::Rake::Task.new(:features) do |t|
+  t.cucumber_opts = "features --format pretty -x"
+  t.fork = false
+end
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = ["--color"]
+end
+task :default => [ :spec, :features, :kb ]
+task :test => :spec
+task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
+task :release => [:prepare]
+# namespace :check do
+# desc "Create a dependency check"
+# task :dependency, :name do |t, args|
+# end
+# end
+desc "Create a new CVE test"
+task :cve, :name do |t,args|
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### Invalid CVE title: #{name}" if name.nil? or name.empty? or /CVE-\d{4}-\d{4}/.match(name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+  puts "Adding #{name} to knowledge base..."
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this CVE"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"is reported when...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+end
+desc "Create a new Generic security check"
+task :check, :name do |t,args|
+  name      = args.name
+  SRC_DIR   = "./lib/codesake/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Codesake::Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+  puts "Adding #{name} to knowledge base..."
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+  open(rb_filename, "w") do |file|
+    file.puts "module Codesake"
+    file.puts "\tmodule Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this Security Check"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"is reported when...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/codesake/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"codesake/dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Codesake::Dawn::Kb::#{class_name}"
+  puts "end"
+end
+namespace :kb do
+  desc 'Check information lint'
+  task :lint do
+    Codesake::Dawn::KnowledgeBase.new.all.each do |check|
+      l = check.lint
+      puts "check #{check.name} has this attribute(s) with a nil value: #{l.to_s}" unless l.size == 0
+    end
+  end
+desc 'Creates a KnowledgeBase.md file'
+task :create do
+  checks = Codesake::Dawn::KnowledgeBase.new.all
+  open("KnowledgeBase.md", "w") do |file|
+    file.puts "# Codesake::Dawn Knowledge base"
+    file.puts "\nThe knowledge base library for Codesake::Dawn version #{Codesake::Dawn::VERSION} contains #{checks.count} security checks."
+    file.puts "---"
+    checks.each do |c|
+      file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+      file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
+      file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+    end
+    file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
+  end
+  puts "KnowledgeBase.md file successfully generated"
+end
+end
+require 'digest/sha2'
+namespace :checksum do
+desc 'Calculate gem checksum'
+task :calculate do
+  system 'mkdir -p checksum > /dev/null'
+  built_gem_path = "pkg/codesake-dawn-#{Codesake::Dawn::VERSION}.gem"
+  checksum = Digest::SHA512.new.hexdigest(File.read(built_gem_path))
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  File.open(checksum_path, 'w' ) {|f| f.write(checksum) }
+  puts "#{checksum_path}: #{checksum}"
+end
+desc 'Add and commit latest checksum'
+task :commit do
+  checksum_path = "checksum/codesake-dawn-#{Codesake::Dawn::VERSION}.gem.sha512"
+  system "git add #{checksum_path}"
+  system "git commit -v #{checksum_path} -m \"Adding #{Codesake::Dawn::VERSION} checksum to repo\""
+end
+end
+###############################################################################
+# ruby-advisory-rb integration
+###############################################################################
+namespace :rubysec do
+  desc 'Find new CVE bulletins to add to Codesake::Dawn'
+  task :find do
+    git_url = 'git@github.com:rubysec/ruby-advisory-db.git'
+    target_dir = './tmp/'
+    system "mkdir -p #{target_dir}"
+    system "rm -rf #{target_dir}ruby-advisory-db"
+    system "git clone #{git_url} #{target_dir}ruby-advisory-db"
+    list = []
+    Dir.glob("#{target_dir}ruby-advisory-db/gems/*/*.yml") do |path|
+      advisory = YAML.load_file(path)
+      if advisory['cve']
+        cve = "CVE-"+advisory['cve']
+        # Exclusion
+        # CVE-2007-6183 is a vulnerability in gnome2 ruby binding. Not a gem, I don't care
+        # CVE-2013-1878 is a duplicate of CVE-2013-2617 that is in knowledge base
+        # CVE-2013-1876 is a duplicate of CVE-2013-2615 that is in knowledge base
+        exclusion = ["CVE-2007-6183", "CVE-2013-1876", "CVE-2013-1878"]
+        if exclusion.include?(cve)
+          puts "#{cve} is in the exclusion list"
+        else
+          found = Codesake::Dawn::KnowledgeBase.find(nil, cve)
+          puts "#{cve} NOT in dawn v#{Codesake::Dawn::VERSION} knowledge base" unless found
+          list << cve unless found
+        end
+      end
+    end
+    unless list.empty?
+      File.open("missing_rubyadvisory_cvs_#{Time.now.strftime("%Y%m%d")}.txt", "w") do |f|
+        f.puts "Missing CVE bulletins - v#{Codesake::Dawn::VERSION} - #{Time.now.strftime("%d %B %Y")}"
+        f.puts list
+      end
+    end
+    system "rm -rf #{target_dir}ruby-advisory-db"
+  end
+end

data/Roadmap.md ADDED

@@ -0,0 +1,59 @@
+# Codesake Dawn - roadmap
+Codesake::Dawn is a static analysis security scanner for ruby written web applications.
+It supports [Sinatra](http://www.sinatrarb.com),
+[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
+frameworks.
+This is an ongoing roadmap for the Codesake::Dawn source code review tool.
+_latest update: Mon Mar 31 13:01:21 CEST 2014_
+## Version 1.2.0
+* create a task to check for new CVE in NVD website
+* SQLite3 integration for saving data. Each project will have its own SQLite
+  database containing reviews, findings and all. A table with Codesake::Dawn version it
+  created the database will be inserted as well
+* add a language check. It will handle a ruby script as input and a
+  ruby\_parser line as unsafe pattern. It will compile the ruby and look for
+  the unsafe pattern
+* Add preliminary Cross Site Scripting detection for Ruby on Rails.
+* Issue #7: Improving HTML output and let the user the capability to provide a
+  basic layout to customize report
+* Add a ruby deprecation check, accordingly to
+  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+## Version 1.3.0
+* Add support for ERB for in detect\_views
+* Add preliminary javascript support
+* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
+* add support for pure Rack applications
+* Cross Site Scripting detection: it must be done for all MVC frameworks
+  (including Rack) and it must cover either reflected than stored attack
+  patterns
+* Add a --github option to Codesake::Dawn to clone a remote repository, perform
+  a bundle install and do a code review.
+* Add support for github hooks
+* Add premilinary SQL injection detection for Ruby on Rails
+## Version 1.5.0
+* Add insecure direct object reference detection for all MVC frameworks (including Rack)
+* SQL Injection detection: it must be done for all MVC frameworks (including Rack)
+* Add automatic mitigation patch generation
+* Add support for Javascript
+# Spinoff projects
+Codesake::Dawn is a security scanner for ruby code. Modern web applications
+however are wrote in a plenty of great technologies deserving a good tool for
+security scan.
+Node.js and Go are very promising programming languages and a tool similiar to
+Codesake::Dawn can be wrote also to support them:
+Initially they were in the Codesake::Dawn roadmap for a 2.0.0 version. However
+we decide to drop this in the name of being focused on ruby programming
+language.

data/bin/dawn ADDED

@@ -0,0 +1,210 @@
+#!/usr/bin/env ruby
+require 'getoptlong'
+require 'json'
+require 'terminal-table'
+require 'justify'
+require 'codesake-commons'
+require 'codesake-dawn'
+APPNAME = File.basename($0)
+LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
+VALID_OUTPUT_FORMAT   = %w(console json csv html)
+$logger  = Codesake::Commons::Logging.instance
+opts    = GetoptLong.new(
+  # report formatting options
+  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
+  [ '--json',                   '-j',   GetoptLong::NO_ARGUMENT],
+  [ '--html',                   '-H',   GetoptLong::NO_ARGUMENT],
+  # MVC forcing
+  [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
+  [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
+  [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
+  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT],
+  [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
+  [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
+  # Disable checks by family type
+  [ '--disable-cve-bulletins',          GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-quality',           GetoptLong::NO_ARGUMENT],
+  [ '--disable-code-style',             GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-ror-cheatsheet',   GetoptLong::NO_ARGUMENT],
+  [ '--disable-owasp-top-10',           GetoptLong::NO_ARGUMENT],
+  # Search knowledge base
+  [ '--search-knowledge-base',  '-S',   GetoptLong::REQUIRED_ARGUMENT],
+  # List stuff
+  [ '--list-knowledge-base',            GetoptLong::NO_ARGUMENT],
+  [ '--list-known-framework',           GetoptLong::NO_ARGUMENT],
+  [ '--list-known-families',            GetoptLong::NO_ARGUMENT],
+  # please save output to file
+  [ '--file',                   '-F',   GetoptLong::REQUIRED_ARGUMENT],
+  # specify an alternate config file
+  [ '--config-file',            '-c',   GetoptLong::REQUIRED_ARGUMENT],
+  # service options
+  [ '--verbose',                '-V',   GetoptLong::NO_ARGUMENT],
+  [ '--debug',                  '-D',   GetoptLong::NO_ARGUMENT],
+  [ '--version',                '-v',   GetoptLong::NO_ARGUMENT],
+  [ '--help',                   '-h',   GetoptLong::NO_ARGUMENT]
+)
+opts.quiet=true
+engine  = nil
+options = Codesake::Dawn::Core.read_conf(Codesake::Dawn::Core.find_conf(true))
+check = ""
+guess = {:name=>"", :version=>"", :connected_gems=>[]}
+begin
+opts.each do |opt, val|
+  case opt
+  when '--version'
+    puts "#{Codesake::Dawn::VERSION} [#{Codesake::Dawn::CODENAME}]"
+    Kernel.exit(0)
+  when '--config-file'
+    options = Codesake::Dawn::Core.read_conf(val)
+  when '--disable-cve-bulletins'
+    options[:enabled_checks].delete(:cve_bulletin)
+  when '--disable-code-quality'
+    options[:enabled_checks].delete(:code_quality)
+  when '--disable-code-style'
+    options[:enabled_checks].delete(:code_style)
+  when '--disable-owasp-ror-cheatsheet'
+    options[:enabled_checks].delete(:owasp_ror_cheatsheet)
+  when '--disable-owasp-top-10'
+    options[:enabled_checks].delete(:owasp_top_10_1)
+    options[:enabled_checks].delete(:owasp_top_10_2)
+    options[:enabled_checks].delete(:owasp_top_10_3)
+    options[:enabled_checks].delete(:owasp_top_10_4)
+    options[:enabled_checks].delete(:owasp_top_10_5)
+    options[:enabled_checks].delete(:owasp_top_10_6)
+    options[:enabled_checks].delete(:owasp_top_10_7)
+    options[:enabled_checks].delete(:owasp_top_10_8)
+    options[:enabled_checks].delete(:owasp_top_10_9)
+    options[:enabled_checks].delete(:owasp_top_10_10)
+  when '--list-known-families'
+    printf "Codesake::Dawn supports following check families:\n\n"
+    puts Codesake::Dawn::Kb::BasicCheck.families
+    Kernel.exit(0)
+  when '--json'
+    options[:output] = "json"
+  when '--ascii-tabular-report'
+    options[:output] = "tabular"
+  when '--html'
+    options[:output] = "html"
+  when '--rails'
+    options[:mvc]=:rails
+  when '--sinatra'
+    options[:mvc]=:sinatra
+  when '--padrino'
+    options[:mvc]=:padrino
+  when '--file'
+    options[:filename] = val
+  when '--gem-lock'
+    options[:gemfile_scan] = true
+    unless val.empty?
+      options[:gemfile_name] = val
+      guess = Codesake::Dawn::Core.guess_mvc(val)
+    end
+  when '--verbose'
+    options[:verbose]=true
+  when '--count-only'
+    options[:output] = "count"
+  when '--debug'
+    options[:debug] = true
+  when '--exit-on-warn'
+    options[:exit_on_warn] = true
+  when '--search-knowledge-base'
+    found = Codesake::Dawn::KnowledgeBase.find(nil, val)
+    puts "#{val} found in knowledgebase." if found
+    puts "#{val} not found in knowledgebase" if ! found
+    Kernel.exit(0)
+  when '--list-knowledge-base'
+    puts Codesake::Dawn::Core.dump_knowledge_base(options[:verbose])
+    Kernel.exit(0)
+  when '--list-known-framework'
+    puts "Ruby MVC framework supported by #{APPNAME}:"
+    LIST_KNOWN_FRAMEWORK.each do |mvc|
+      puts "* #{mvc}"
+    end
+    Kernel.exit(0)
+  when '--help'
+    Kernel.exit(Codesake::Dawn::Core.help)
+  end
+end
+rescue GetoptLong::InvalidOption => e
+  $logger.helo APPNAME, Codesake::Dawn::VERSION
+  $logger.err e.message
+  Kernel.exit(Codesake::Dawn::Core.help)
+end
+target=ARGV.shift
+$logger.helo APPNAME, Codesake::Dawn::VERSION
+trap("INT")   { $logger.die('[INTERRUPTED]') }
+$logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
+$logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Codesake::Dawn::Core.is_good_target?(target)
+$logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
+$logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
+## MVC auto detect.
+# Skipping MVC autodetect if it's already been done by guess_mvc when choosing Gemfile.lock scan
+unless options[:gemfile_scan]
+  begin
+    if options[:mvc].empty?
+      engine = Codesake::Dawn::Core.detect_mvc(target)
+      $logger.log("using #{engine.class.name} engine via autodect") if options[:debug]
+    else
+      engine = Codesake::Dawn::Rails.new(target)      if options[:mvc] == :rails
+      engine = Codesake::Dawn::Sinatra.new(target)    if options[:mvc] == :sinatra
+      engine = Codesake::Dawn::Padrino.new(target)    if options[:mvc] == :padrino
+    end
+  rescue ArgumentError => e
+    $logger.die(e.message)
+  end
+else
+  engine = Codesake::Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
+end
+$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
+if options[:exit_on_warn]
+  Kernel.at_exit do
+    if engine.count_vulnerabilities != 0
+      Kernel.exit(engine.count_vulnerabilities)
+    end
+  end
+end
+if options[:debug]
+  $logger.warn "putting engine in debug mode"
+  engine.debug = true
+end
+$logger.die "missing target framework option" if engine.nil?
+$logger.warn "this is a development Codesake::Dawn version" if Codesake::Dawn::RELEASE == "(development)"
+$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply?
+engine.load_knowledge_base(options[:enabled_checks])
+ret = engine.apply_all
+if options[:output] == "count"
+  puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
+  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+  Kernel.exit(0)
+end
+Codesake::Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
+$logger.bye