RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled ADDED

@@ -0,0 +1,36 @@
+Feature: dawn reports security issues
+  When it scans a sinatra application that it is not updated and it has XSS
+  Scenario: dawn detects the sinatra version
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-vulnerable`
+    Then the stdout should contain "1.2.6"
+  Scenario: dawn tells there are no vulnerabilities
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn /tmp/sinatra-vulnerable`
+    Then the stdout should contain "4 vulnerabilities found"
+    And the stdout should contain "Not revised code failed"
+    And the stdout should contain "CVE-2013-0269 failed"
+    And the stdout should contain "CVE-2013-1800 failed"
+    And the stdout should contain "1 reflected XSS found"
+    And the stdout should contain "request parameter \"name\""
+    # Test for --output json
+  Scenario: dawn can give a brief json output as well
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn -s /tmp/sinatra-vulnerable --output json`
+    Then the stdout should contain "{\"status\":"OK",\"target\":"/tmp/sinatra-vulnerable",\"mvc\":"sinatra",\"mvc_version\":"1.2.6",\"vulnerabilities_count\":4,\"vulnerabilities\":["Not revised code","CVE-2013-0269","CVE-2013-1800"],\"mitigated_vuln_count\":0,\"mitigated_vuln\":[],\"reflected_xss\":["request parameter \"name\""]}"
+    # Tests for --count-only option
+  Scenario: dawn can give just the number of issues found as output
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable`
+    Then the stdout should contain "4"
+  Scenario: dawn can give just the number of issues found as output
+    Given a vulnerable sinatra application exists
+    When I run `bundle exec dawn --count-only -s /tmp/sinatra-vulnerable --output json`
+    Then the stdout should contain "{\"status\":"OK",\"vulnerabilities_count\":4}"

data/features/step_definition/dawn_steps.rb ADDED

@@ -0,0 +1,19 @@
+Given /^the generic project "(.*?)" doesn't exist$/ do |file|
+  FileUtils.rm(file) if File.exists?(file)
+end
+Given /^the hello world rails project does exist$/ do
+  system("rm -rf /tmp/hello_world_3.2.13")
+  system("cp -a ./spec/support/hello_world_3.2.13 /tmp")
+end
+Given /^a safe sinatra application exists$/ do
+  system("rm -rf /tmp/sinatra-safe")
+  system("cp -a ./spec/support/sinatra-safe /tmp")
+end
+Given /^a vulnerable sinatra application exists$/ do
+  system("rm -rf /tmp/sinatra-vulnerable")
+  system("cp -a ./spec/support/sinatra-vulnerable /tmp")
+end

data/features/support/env.rb ADDED

	@@ -0,0 +1 @@
1	+ require 'aruba/cucumber'

data/lib/codesake-dawn.rb ADDED

@@ -0,0 +1,12 @@
+require "codesake/dawn/utils"
+require "codesake/dawn/core"
+require "codesake/dawn/version"
+require "codesake/dawn/knowledge_base"
+require "codesake/dawn/rails"
+require "codesake/dawn/sinatra"
+require "codesake/dawn/padrino"
+require "codesake/dawn/gemfile_lock"
+require "codesake/dawn/reporter"
+require "codesake-commons"
+require "date"

data/lib/codesake/dawn/core.rb ADDED

@@ -0,0 +1,175 @@
+require "yaml"
+module Codesake
+  module Dawn
+    class Core
+      # TODO.20140326
+      # All those methods must moved from here to Util class and a
+      # Codesake::Dawn::Core namespace must be created.
+      def self.help
+        puts "Usage: dawn [options] target_directory"
+        printf "\nExamples:\n"
+        puts "\t$ dawn a_sinatra_webapp_directory"
+        puts "\t$ dawn -C the_rails_blog_engine"
+        puts "\t$ dawn -C --json a_sinatra_webapp_directory"
+        puts "\t$ dawn --ascii-tabular-report my_rails_blog_ecommerce"
+        puts "\t$ dawn --html -F my_report.html my_rails_blog_ecommerce"
+        printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application"
+        printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application"
+        printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application"
+        printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
+        printf "\n   -a, --ascii-tabular-report\t\t\tcause dawn to format findings using table in ascii art"
+        printf "\n   -j, --json\t\t\t\t\tcause dawn to format findings using json"
+        printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
+        printf "\n   -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
+        printf "\n   -F, --file filename\t\t\t\ttells dawn to write output to filename"
+        printf "\n   -c, --config-file filename\t\t\ttells dawn to load configuration from filename"
+        printf "\n\nDisable security check family\n"
+        printf "\n       --disable-cve-bulletins\t\t\tdisable all CVE security checks"
+        printf "\n       --disable-code-quality\t\t\tdisable all code quality checks"
+        printf "\n       --disable-code-style\t\t\tdisable all code style checks"
+        printf "\n       --disable-owasp-ror-cheatsheet\t\tdisable all Owasp Ruby on Rails cheatsheet checks"
+        printf "\n       --disable-owasp-top-10\t\t\tdisable all Owasp Top 10 checks"
+        printf "\n\nFlags useful to query Codesake::Dawn\n"
+        printf "\n   -S, --search-knowledge-base [check_name]\tsearch check_name in the knowledge base"
+        printf "\n       --list-knowledge-base\t\t\tlist knowledge-base content"
+        printf "\n       --list-known-families\t\t\tlist security check families contained in dawn's knowledge base"
+        printf "\n       --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
+        printf "\n\nService flags\n"
+        printf "\n   -D, --debug\t\t\t\t\tenters dawn debug mode"
+        printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
+        printf "\n   -v, --version\t\t\t\tshow version information"
+        printf "\n   -h, --help\t\t\t\t\tshow this help\n"
+        true
+      end
+      def self.dump_knowledge_base(verbose = false)
+        kb = Codesake::Dawn::KnowledgeBase.new
+        lines = []
+        lines << "Security checks currently supported:\n"
+        kb.all.each do |check|
+          if verbose
+            lines << "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
+            lines << "Description\n#{check.message}"
+            lines << "Remediation\n#{check.remediation}\n\n"
+          else
+            lines << "#{check.name}"
+          end
+        end
+        lines << "-----\nTotal: #{kb.all.count}"
+        lines.empty? ? 0 : lines.compact.join("\n")
+      end
+      # guess_mvc is very close to detect_mvc despite it accepts a
+      # filename as input and it tries to guess the mvc framework used from the
+      # gems it founds in Gemfile.lock without creating an engine.
+      def self.guess_mvc(gemfile_lock)
+        ret = {:name=>"", :version=>"", :connected_gems=>[]}
+        a = []
+        my_dir = Dir.pwd
+        Dir.chdir(File.dirname(gemfile_lock))
+        raise ArgumentError.new("can't read #{gemfile_lock}") unless File.readable?(File.basename(gemfile_lock))
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file(File.basename(gemfile_lock)))
+        Dir.chdir(my_dir)
+        lockfile.specs.each do |s|
+          ret = {:name=>s.name, :version=>s.version.to_s} if s.name == "rails" || s.name == "sinatra"
+          a << {:name=>s.name, :version=>s.version.to_s}
+        end
+        ret[:connected_gems]=a
+        ret
+      end
+      def self.detect_mvc(target)
+        raise ArgumentError.new("you must set target directory") if target.nil?
+        my_dir = Dir.pwd
+        Dir.chdir(target)
+        raise ArgumentError.new("no Gemfile.lock in #{target}") unless File.exist?("Gemfile.lock")
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
+        Dir.chdir(my_dir)
+        lockfile.specs.each do |s|
+          return Codesake::Dawn::Rails.new(target)    if s.name == "rails"
+          return Codesake::Dawn::Padrino.new(target)  if s.name == "padrino"
+        end
+        return Codesake::Dawn::Sinatra.new(target)
+      end
+      def self.is_good_target?(target)
+        (File.exist?(target) and File.directory?(target))
+      end
+      def self.find_conf(create_if_none = false)
+        conf_name  = 'codesake-dawn.yaml'
+        path_order = [
+          './',
+          '~/',
+          '/usr/local/etc/',
+        ]
+        path_order.each do |p|
+          fn = p + conf_name if p.start_with?('/')
+          # if outside $HOME the config file must be hidden
+          fn = File.expand_path(p) + '/.'+conf_name if ! p.start_with?('/')
+          return fn if File.exist?(fn)
+        end
+        # Codesake::Dawn didn't find a config file.
+        # If create_if_none flag is set to false, than I'll return nil so the
+        # read_conf method will return the default configuration
+        return nil unless create_if_none
+        # If create_if_none flag is set to true, than I'll create a config file
+        # on the current directory with the default configuration.
+        conf = {"config"=>{:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}}
+        # Calculate the conf file path
+        conf_path = File.expand_path('~') +'/.'+conf_name
+        # Open the conf file and write our default config to it
+        File.open(conf_path, 'w') do |f|
+          rv = f.write(YAML.dump(conf))
+        end
+        conf_path
+      end
+      def self.read_conf(file=nil)
+        conf = {:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Codesake::Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
+        begin
+          return conf if file.nil?
+          file = file.chop if (not file.nil? and file.end_with? '/')
+          return conf if ! File.exist?(file)
+        rescue => e
+          $logger.err "it seems you've found a bug in core.rb@#{__LINE__}: #{e.message}"
+          return conf
+        end
+        c = YAML.load_file(file)
+        cf = c["config"]
+        cc = cf[:enabled_checks]
+        # TODO
+        # I must add some sanity check here
+        conf[:verbose] = cf["verbose"] unless cf["verbose"].nil?
+        conf[:debug] = cf["debug"] unless cf["debug"].nil?
+        conf[:output] = cf["output"] unless cf["output"].nil?
+        conf[:enabled_checks] = cc unless cc.nil?
+        return conf
+      end
+    end
+  end
+end

data/lib/codesake/dawn/engine.rb ADDED

@@ -0,0 +1,380 @@
+require 'bundler'
+module Codesake
+  module Dawn
+    module Engine
+      include Codesake::Dawn::Utils
+      attr_reader :target
+      attr_reader :name
+      attr_reader :scan_start
+      attr_reader :scan_stop
+      # This attribute is used when @name == "Gemfile.lock" to force the
+      # loading of specific MVC checks
+      attr_reader :force
+      attr_reader :gemfile_lock
+      attr_reader :mvc_version
+      attr_reader :connected_gems
+      attr_reader :checks
+      attr_reader :vulnerabilities
+      attr_reader :mitigated_issues
+      attr_reader :ruby_version
+      attr_reader :engine_error
+      attr_reader :reflected_xss
+      # Typical MVC elements here
+      # Each view will be something like {:filename=>"target/views/index.haml", :language=>:haml}
+      attr_reader :views
+      # Each controller will be a little bit more complex. Of course for
+      # Sinatra, the controller filename will be the sole web application ruby
+      # file.
+      # {:filename=>"target/controllers/this_controller.rb", :actions=>[{:name=>"index", :method=>:get, :map=>"/"]}
+      attr_reader :controllers
+      # Models I don't know right now. Let them initialized as Array... we
+      # will see later
+      attr_reader :models
+      attr_accessor :debug
+      attr_reader   :applied_checks
+      attr_reader   :skipped_checks
+      def initialize(dir=nil, name="", options={})
+        @name = name
+        @scan_start = Time.now
+        @scan_stop = @scan_start
+        @mvc_version = ""
+        @gemfile_lock = ""
+        @force = ""
+        @connected_gems = []
+        @checks = []
+        @vulnerabilities = []
+        @mitigated_issues = []
+        @applied = []
+        @reflected_xss = []
+        @engine_error = false
+        @debug = false
+        @debug = options[:debug] unless options[:debug].nil?
+        @applied_checks = 0
+        @skipped_checks = 0
+        @gemfile_lock_sudo = false
+        set_target(dir) unless dir.nil?
+        @ruby_version = get_ruby_version if dir.nil?
+        @gemfile_lock = options[:gemfile_name] unless options[:gemfile_name].nil?
+        @views        = detect_views
+        @controllers  = detect_controllers
+        @models       = detect_models
+        if $logger.nil?
+          $logger  = Codesake::Commons::Logging.instance
+          $logger.helo "dawn-engine", Codesake::Dawn::VERSION
+        end
+        $logger.warn "pattern matching security checks are disabled for Gemfile.lock scan" if @name == "Gemfile.lock"
+        $logger.warn "combo security checks are disabled for Gemfile.lock scan" if @name == "Gemfile.lock"
+        debug_me "engine is in debug mode"
+        if @name == "Gemfile.lock" && ! options[:guessed_mvc].nil?
+          # since all checks relies on @name a Gemfile.lock engine must
+          # impersonificate the engine for the mvc it was detected
+          debug_me "now I'm switching my name from #{@name} to #{options[:guessed_mvc][:name]}"
+          $logger.err "there are no connected gems... it seems Gemfile.lock parsing failed" if options[:guessed_mvc][:connected_gems].empty?
+          @name = options[:guessed_mvc][:name]
+          @mvc_version = options[:guessed_mvc][:version]
+          @connected_gems = options[:guessed_mvc][:connected_gems]
+          @gemfile_lock_sudo = true
+        end
+        # FIXME.20140325
+        #
+        # I comment out this call. knowledge base must be called explicitly
+        # since it's now possible to pass an array saying check families to be
+        # loaded.
+        #
+        # load_knowledge_base
+      end
+      def detect_views
+        []
+      end
+      def error!
+        @error = true
+      end
+      def error?
+        @error
+      end
+      def build_view_array(dir)
+        return [] unless File.exist?(dir) and File.directory?(dir)
+        ret = []
+        Dir.glob(File.join("#{dir}", "*")).each do |filename|
+          ret << {:filename=>filename, :language=>:haml} if File.extname(filename) == ".haml"
+        end
+        ret
+      end
+      def detect_controllers
+        []
+      end
+      def detect_models
+        []
+      end
+      def get_ruby_version
+        unless @target.nil?
+          # does target use rbenv?
+          ver = get_rbenv_ruby_ver
+          # does the target use rvm?
+          ver = get_rvm_ruby_ver if  ver[:version].empty? && ver[:patchlevel].empty?
+          # take the running ruby otherwise
+          ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"} if ver[:version].empty? && ver[:patchlevel].empty?
+        else
+          ver = {:engine=>RUBY_ENGINE, :version=>RUBY_VERSION, :patchlevel=>"p#{RUBY_PATCHLEVEL}"}
+        end
+        ver
+      end
+      def set_target(dir)
+        @target = dir
+        @gemfile_lock = File.join(@target, "Gemfile.lock")
+        @mvc_version = set_mvc_version
+        @ruby_version = get_ruby_version
+      end
+      def target_is_dir?
+        File.directory?(@target)
+      end
+      def load_knowledge_base(enabled_checks=[])
+        debug_me("load_knowledge_base called. Enabled checks are: #{enabled_checks}")
+        if @name == "Gemfile.lock"
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all if @force.empty?
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@force) unless @force.empty?
+        else
+          @checks = Codesake::Dawn::KnowledgeBase.new({:enabled_checks=>enabled_checks}).all_by_mvc(@name)
+        end
+        debug_me("#{@checks.count} checks loaded")
+        @checks
+      end
+      def set_mvc_version
+        ver = ""
+        return ver unless target_is_dir?
+        return ver unless has_gemfile_lock?
+        my_dir = Dir.pwd
+        Dir.chdir(@target)
+        lockfile = Bundler::LockfileParser.new(Bundler.read_file("Gemfile.lock"))
+        lockfile.specs.each do |s|
+          # detecting MVC version using @name in case of sinatra, padrino or rails engine
+          ver= s.version.to_s if s.name == @name && @name != "Gemfile.lock"
+          # detecting MVC version using @force in case of Gemfile.lock engine
+          ver= s.version.to_s if s.name == @force.to_s && @name == "Gemfile.lock"
+          @connected_gems << {:name=>s.name, :version=>s.version.to_s}
+        end
+        Dir.chdir(my_dir)
+        return ver
+      end
+      def has_gemfile_lock?
+        File.exist?(@gemfile_lock)
+      end
+      def is_good_mvc?
+        (@mvc_version != "")
+      end
+      def can_apply?
+        target_is_dir? && is_good_mvc?
+      end
+      def get_mvc_version
+        "#{@mvc_version}" if is_good_mvc?
+      end
+      ## Security stuff applies here
+      #
+      # Public it applies a single security check given by its name
+      #
+      # name - the security check to be applied
+      #
+      # Examples
+      #
+      #   engine.apply("CVE-2013-1800")
+      #   # => boolean
+      #
+      # Returns a true value if the security check was successfully applied or false
+      # otherwise
+      def apply(name)
+        # FIXME.20140325
+        # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
+        # Reason is simple, load_knowledge_base now needs enabled check array
+        # and I don't want to pollute engine API to propagate this value. It's
+        # a param to load_knowledge_base and then bin/dawn calls it
+        # accordingly.
+        # load_knowledge_base if @checks.nil?
+        if @checks.nil?
+          $logger.err "you must load knowledge base before trying to apply security checks"
+          return false
+        end
+        return false if @checks.empty?
+        @checks.each do |check|
+          if check.name == name
+            unless ((check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK ) && @name == "Gemfile.lock")
+              debug_me "applying check #{check.name}"
+              @applied_checks += 1
+              @applied << { :name=>name }
+              check.ruby_version = @ruby_version[:version]
+              check.detected_ruby  = @ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+              check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+              check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+              check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+              check_vuln = check.vuln?
+              @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+              @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+              @mitigated_issues << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
+              return true
+            else
+              debug_me "skipping check #{check.name}"
+              @skipped_checks += 1
+            end
+          end
+        end
+        false
+      end
+      def apply_all
+        @scan_start = Time.now
+        debug_me("SCAN STARTED: #{@scan_start}")
+        # FIXME.20140325
+        # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
+        # Reason is simple, load_knowledge_base now needs enabled check array
+        # and I don't want to pollute engine API to propagate this value. It's
+        # a param to load_knowledge_base and then bin/dawn calls it
+        # accordingly.
+        # load_knowledge_base if @checks.nil?
+        if @checks.nil?
+          $logger.err "you must load knowledge base before trying to apply security checks"
+          @scan_stop = Time.now
+          debug_me("SCAN STOPPED: #{@scan_stop}")
+          return false
+        end
+        if @checks.empty?
+          @scan_stop = Time.now
+          debug_me("SCAN STOPPED: #{@scan_stop}")
+          return false
+        end
+        @checks.each do |check|
+          unless ((check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK ) && @gemfile_lock_sudo)
+            @applied << { :name => name }
+            debug_me "applying check #{check.name}"
+            @applied_checks += 1
+            check.ruby_version = @ruby_version[:version]
+            check.detected_ruby  = @ruby_version if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+            check.dependencies = self.connected_gems if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+            check.root_dir = self.target if check.kind  == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+            check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+            check_vuln = check.vuln?
+            @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+            @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Codesake::Dawn::KnowledgeBase::COMBO_CHECK
+            @mitigated_issues << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
+          else
+            debug_me "skipping check #{check.name}"
+            @skipped_checks += 1
+          end
+        end
+        @scan_stop = Time.now
+        debug_me("SCAN STOPPED: #{@scan_stop}")
+        true
+      end
+      def scan_time
+        @scan_stop - @scan_start
+      end
+      def is_applied?(name)
+        @applied.each do |a|
+          return true if a[:name] == name
+        end
+        return false
+      end
+      def vulnerabilities
+        apply_all if @applied.empty?
+        @vulnerabilities
+      end
+      def find_vulnerability_by_name(name)
+        apply(name) unless is_applied?(name)
+        @vulnerabilities.each do |v|
+          return v if v[:name] == name
+        end
+        nil
+      end
+      def is_vulnerable_to?(name)
+        return (find_vulnerability_by_name(name) != nil)
+      end
+      def has_reflected_xss?
+        (@reflected_xss.count != 0) unless @reflected_xss.nil?
+      end
+      def count_vulnerabilities
+        ret = 0
+        ret = @vulnerabilities.count unless @vulnerabilities.nil?
+        ret +=  @reflected_xss.count unless @reflected_xss.nil?
+        ret
+      end
+      private
+      def get_rbenv_ruby_ver
+        return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".rbenv-version"))
+        hash = File.read(File.join(@target, '.rbenv-version')).split('-')
+        return {:version=>hash[0], :patchlevel=>hash[1]}
+      end
+      def get_rvm_ruby_ver
+        return {:version=>"", :patchlevel=>""} unless File.exist?(File.join(@target, ".ruby-version"))
+        hash = File.read(File.join(@target, '.ruby-version')).split('-')
+        return {:version=>hash[0], :patchlevel=>hash[1]}
+      end
+    end
+  end
+end