RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/lib/codesake/dawn/gemfile_lock.rb ADDED

@@ -0,0 +1,12 @@
+module Codesake
+  module Dawn
+    class GemfileLock
+      include Codesake::Dawn::Engine
+      def initialize(dir = "./", filename = "", guessed_mvc)
+        super(dir, "Gemfile.lock", {:gemfile_name=>filename, :guessed_mvc=>guessed_mvc})
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/basic_check.rb ADDED

@@ -0,0 +1,228 @@
+require 'cvss'
+module Codesake
+  module Dawn
+    module Kb
+      module BasicCheck
+        include Codesake::Dawn::Utils
+        attr_reader :name
+        attr_reader :cve
+        attr_reader :osvdb
+        attr_reader :cvss
+        attr_reader :cwe
+        attr_reader :owasp
+        attr_reader :release_date
+        attr_reader :applies
+        attr_reader :kind
+        attr_reader :message
+        attr_reader :remediation
+        attr_reader :aux_links
+        attr_reader :mitigated
+        # This is the ruby version used by the target application. set in
+        # Engine class around line #107
+        attr_accessor :ruby_version
+        # This is an array of ruby versions that lead a parcitular version to
+        # be exploitable.
+        # In example, consider CVE-2013-1655, the Puppet rubygem version
+        # vulnerability can be exploited only if ruby version is 1.9.3 or
+        # higher
+        attr_reader :ruby_vulnerable_versions
+        # The framework target version
+        attr_reader   :target_version
+        # The versions of the framework that fixes the vulnerability
+        attr_reader   :fixes_version
+        # Vulnerability evidences
+        attr_reader   :evidences
+        # Check status. Returns the latest vuln? call result
+        attr_reader   :status
+        # Put the check in debug mode
+        attr_accessor :debug
+        # This is a flag for the security check family. Valid values are:
+        #   + generic_check
+        #   + code_quality
+        #   + cve_bulletin
+        #   + code_style
+        #   + owasp_ror_cheatsheet
+        #   + owasp_top_10_n (where n is a number between 1 and 10)
+        attr_accessor :check_family
+        ALLOWED_FAMILIES = [:generic_check, :code_quality, :cve_bulletin, :code_style, :owasp_ror_cheatsheet, :owasp_top_10_1, :owasp_top_10_2, :owasp_top_10_3, :owasp_top_10_4, :owasp_top_10_5, :owasp_top_10_6, :owasp_top_10_7, :owasp_top_10_8, :owasp_top_10_9, :owasp_top_10_10]
+        # This is the check severity level. It tells how dangerous is the
+        # vulnerability for you application.
+        #
+        # Valid values are:
+        #   + :critical
+        #   + :high
+        #   + :medium
+        #   + :low
+        #   + :info
+        #   + :none
+        attr_accessor :severity
+        # This is the check priority level. It tells how fast you should
+        # mitigate the vulnerability.
+        #
+        # Valid values are:
+        #   + :critical
+        #   + :high
+        #   + :medium
+        #   + :low
+        #   + :info
+        #   + :none
+        attr_accessor :priority
+        def initialize(options={})
+          @applies                  = []
+          @ruby_version             = ""
+          @ruby_vulnerable_versions = []
+          @name         = options[:name]
+          @cvss         = options[:cvss]
+          @cwe          = options[:cwe]
+          @cve          = options[:cve]
+          @osvdb        = options[:osvdb]
+          @owasp        = options[:owasp]
+          @release_date = options[:release_date]
+          @applies      = options[:applies] unless options[:applies].nil?
+          @kind         = options[:kind]
+          @message      = options[:message]
+          @remediation  = options[:mitigation]
+          @aux_links    = options[:aux_links]
+          @target_version = options[:target_version]
+          @fixes_version  = options[:fixes_version]
+          @ruby_version   = options[:ruby_version]
+          @evidences    = []
+          @evidences    = options[:evidences] unless options[:evidences].nil?
+          @mitigated    = false
+          @status       = false
+          @debug        = false
+          @severity     = :none
+          @priority     = :none
+          @check_family = :generic_check
+          @severity         = options[:severity] unless options[:severity].nil?
+          @priority         = options[:priority] unless options[:priority].nil?
+          @check_family     = options[:check_family] unless options[:check_family].nil?
+          # FIXME.20140325
+          #
+          # I don't want to manually fix 150+ ruby files to add something I can
+          # deal here
+          @check_family = :cve if !options[:name].nil? && options[:name].start_with?('CVE-')
+          if $logger.nil?
+            require 'codesake-commons'
+            $logger  = Codesake::Commons::Logging.instance
+            $logger.helo "dawn-basic-check", Codesake::Dawn::VERSION
+          end
+        end
+        def self.families
+          return ALLOWED_FAMILIES.map { |x| x.to_s }
+        end
+        def family=(item)
+          if ! ALLOWED_FAMILIES.find_index(item.to_sym).nil?
+            instance_variable_set(:@check_family, item.to_sym)
+            return item
+          else
+            $logger.err("invalid check family: #{item}")
+            instance_variable_set(:@check_family, :generic_check)
+            return @family
+          end
+        end
+        def family
+          return "CVE bulletin"                   if @check_family == :cve
+          return "Ruby coding style"              if @check_family == :code_style
+          return "Ruby code quality check"        if @check_family == :code_quality
+          return "Owasp Ruby on Rails cheatsheet" if @check_family == :owasp_ror_cheatsheet
+          return "Owasp Top 10"                   if @check_family.to_s.start_with?('owasp_top_10')
+          return "Unknown"
+        end
+        def priority
+          return (@priority == :none)? "unknown" : @priority.to_s
+        end
+        def severity
+          return @severity.to_s unless @severity == :none
+          # if not set and if cvss is available, than use CVSS
+          unless self.cvss.nil?
+            score = Cvss::Engine.new.score(self.cvss)
+            case score
+            when 10
+              return "critical"
+            when 7..9
+              return "high"
+            when 4..6
+              return "medium"
+            when 2..3
+              return "low"
+            when 0..1
+              return "info"
+            else
+              return "unknown"
+            end
+          else
+            return "unknown"
+          end
+          # if not set, no cvss available just return unknown
+          return "unknown"
+        end
+        def applies_to?(name)
+          ! @applies.find_index(name).nil?
+        end
+        def cve_link
+          "http://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@name}"
+        end
+        def nvd_link
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=#{@name}"
+        end
+        def rubysec_advisories_link
+          "http://www.rubysec.com/advisories/#{@name}/"
+        end
+        def osvdb_link
+          "http://osvdb.org/show/osvdb/#{@osvdb}"
+        end
+        def cvss_score
+          return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
+          "    "
+        end
+        def mitigated?
+          self.mitigated
+        end
+        # Performs a self check against some core values from being not nil
+        #
+        # @return an Array with attributes with a nil value
+        def lint
+          ret = []
+          ret << :cve if @cve.nil?
+          ret << :osvdb if @osvdb.nil?
+          ret << :cvss if @cvss.nil?
+          ret << :severity if @severity == :none
+          ret << :priority if @priority == :none
+          ret
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/combo_check.rb ADDED

@@ -0,0 +1,64 @@
+module Codesake
+  module Dawn
+    module Kb
+      module ComboCheck
+        include BasicCheck
+        attr_reader   :checks
+        attr_accessor :options
+        attr_reader   :vulnerable_checks
+        def initialize(options={})
+          super(options)
+          @vuln_if_all_fails = true
+          @vuln_if_all_fails = options[:vuln_if_all_fails] unless options[:vuln_if_all_fails].nil?
+          @checks = options[:checks]
+          @vulnerable_checks = []
+          @options = options
+        end
+        def vuln?
+          ret = true
+          at_least_one = false
+          @checks.each do |check|
+            check_vuln = false
+            check.detected_ruby   = @options[:detected_ruby]    if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+            check.dependencies    = @options[:dependencies]     if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+            check.root_dir        = @options[:root_dir]         if check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+            check.debug           = self.debug
+            check_vuln = check.vuln? if check.respond_to?(:vuln?)
+            ret = ret && check_vuln
+            at_least_one = true if check_vuln
+            @evidences << check.evidences if check_vuln
+            @vulnerable_checks << check if check_vuln
+            raise "A check class doesn't respond to vuln? in combo (#{check.class})" unless check.respond_to?(:vuln?)
+          end
+          dump_status
+          debug_me("combo_check: is_vulnerable_if_all_checks_fail = #{@vuln_if_all_fails}, RET = #{ret}, at_least_one= #{at_least_one}")
+          return ret if @vuln_if_all_fails
+          return at_least_one unless @vuln_if_all_fails
+        end
+        def dump_status
+          @checks.each do |check|
+            debug_me("check name is #{check.name} and vulnerable status is #{check.status}")
+          end
+          true
+        end
+        def self.find_vulnerable_checks_by_class(list=[], klass=Object)
+          list.each do |l|
+            return l if l.instance_of?(klass)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2004_0755.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2004_0755
+				include RubyVersionCheck
+				def initialize
+          message = "The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions."
+          super({
+            :name=>"CVE-2004-0755",
+            :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2004, 10, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://xforce.iss.net/xforce/xfdb/16996"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2004_0983.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2004_0983
+				include RubyVersionCheck
+				def initialize
+          message = "The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request."
+          super({
+            :name=>"CVE-2004-0983",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2005, 03, 01),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://xforce.iss.net/xforce/xfdb/17985"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.7", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2005_1992.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2005_1992
+				include RubyVersionCheck
+				def initialize
+          message = "The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents \"security protection\" using handlers, which allows remote attackers to execute arbitrary commands."
+          super({
+            :name=>"CVE-2005-1992",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2005, 06, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www2.ruby-lang.org/en/20050701.html"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2005_2337.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2005_2337
+				include RubyVersionCheck
+				def initialize
+          message="Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin)."
+          super({
+            :name=>"CVE-2005-2337",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2005, 10, 07),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www.ruby-lang.org/en/20051003.html"]
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"},
+            {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
+          ]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2006_1931.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2006_1931
+				include RubyVersionCheck
+				def initialize
+          message = "The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data."
+          super({
+            :name=>"CVE-2006-1931",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2005, 06, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www.securityfocus.com/bid/17645"]
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
+            {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"}
+          ]
+				end
+			end
+		end
+	end
+end