RubyGems - dawnscanner - Versions diffs - 1.2.99 - Mend

dawnscanner 1.2.99

Files changed (306) hide show

checksums.yaml +7 -0
checksums.yaml.gz.sig +4 -0
data.tar.gz.sig +0 -0
data/.gitignore +19 -0
data/.ruby-gemset +1 -0
data/.ruby-version +1 -0
data/.travis.yml +8 -0
data/Changelog.md +412 -0
data/Gemfile +4 -0
data/KnowledgeBase.md +213 -0
data/LICENSE.txt +22 -0
data/README.md +354 -0
data/Rakefile +250 -0
data/Roadmap.md +59 -0
data/bin/dawn +210 -0
data/certs/paolo_at_codesake_dot_com.pem +21 -0
data/checksum/.placeholder +0 -0
data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
data/dawnscanner.gemspec +43 -0
data/doc/codesake-dawn.yaml.sample +26 -0
data/doc/dawn_1_0_announcement.md +139 -0
data/doc/dawn_1_1_announcement.md +67 -0
data/doc/dawn_1_2_announcement.md +69 -0
data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
data/features/step_definition/dawn_steps.rb +19 -0
data/features/support/env.rb +1 -0
data/lib/codesake-dawn.rb +12 -0
data/lib/codesake/dawn/core.rb +175 -0
data/lib/codesake/dawn/engine.rb +380 -0
data/lib/codesake/dawn/gemfile_lock.rb +12 -0
data/lib/codesake/dawn/kb/basic_check.rb +228 -0
data/lib/codesake/dawn/kb/combo_check.rb +64 -0
data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
data/lib/codesake/dawn/kb/version_check.rb +418 -0
data/lib/codesake/dawn/knowledge_base.rb +513 -0
data/lib/codesake/dawn/padrino.rb +82 -0
data/lib/codesake/dawn/rails.rb +17 -0
data/lib/codesake/dawn/railtie.rb +9 -0
data/lib/codesake/dawn/reporter.rb +280 -0
data/lib/codesake/dawn/sinatra.rb +129 -0
data/lib/codesake/dawn/tasks.rb +27 -0
data/lib/codesake/dawn/utils.rb +21 -0
data/lib/codesake/dawn/version.rb +28 -0
data/lib/tasks/codesake-dawn_tasks.rake +1 -0
data/spec/lib/dawn/codesake_core_spec.rb +9 -0
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
data/spec/spec_helper.rb +11 -0
data/support/bootstrap.js +2027 -0
data/support/bootstrap.min.css +9 -0
data/support/codesake.css +63 -0
metadata +659 -0
metadata.gz.sig +0 -0

data/lib/codesake/dawn/gemfile_lock.rb ADDED

@@ -0,0 +1,12 @@
+module Codesake
+  module Dawn
+    class GemfileLock
+      include Codesake::Dawn::Engine
+      def initialize(dir = "./", filename = "", guessed_mvc)
+        super(dir, "Gemfile.lock", {:gemfile_name=>filename, :guessed_mvc=>guessed_mvc})
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/basic_check.rb ADDED

@@ -0,0 +1,228 @@
+require 'cvss'
+module Codesake
+  module Dawn
+    module Kb
+      module BasicCheck
+        include Codesake::Dawn::Utils
+        attr_reader :name
+        attr_reader :cve
+        attr_reader :osvdb
+        attr_reader :cvss
+        attr_reader :cwe
+        attr_reader :owasp
+        attr_reader :release_date
+        attr_reader :applies
+        attr_reader :kind
+        attr_reader :message
+        attr_reader :remediation
+        attr_reader :aux_links
+        attr_reader :mitigated
+        # This is the ruby version used by the target application. set in
+        # Engine class around line #107
+        attr_accessor :ruby_version
+        # This is an array of ruby versions that lead a parcitular version to
+        # be exploitable.
+        # In example, consider CVE-2013-1655, the Puppet rubygem version
+        # vulnerability can be exploited only if ruby version is 1.9.3 or
+        # higher
+        attr_reader :ruby_vulnerable_versions
+        # The framework target version
+        attr_reader   :target_version
+        # The versions of the framework that fixes the vulnerability
+        attr_reader   :fixes_version
+        # Vulnerability evidences
+        attr_reader   :evidences
+        # Check status. Returns the latest vuln? call result
+        attr_reader   :status
+        # Put the check in debug mode
+        attr_accessor :debug
+        # This is a flag for the security check family. Valid values are:
+        #   + generic_check
+        #   + code_quality
+        #   + cve_bulletin
+        #   + code_style
+        #   + owasp_ror_cheatsheet
+        #   + owasp_top_10_n (where n is a number between 1 and 10)
+        attr_accessor :check_family
+        ALLOWED_FAMILIES = [:generic_check, :code_quality, :cve_bulletin, :code_style, :owasp_ror_cheatsheet, :owasp_top_10_1, :owasp_top_10_2, :owasp_top_10_3, :owasp_top_10_4, :owasp_top_10_5, :owasp_top_10_6, :owasp_top_10_7, :owasp_top_10_8, :owasp_top_10_9, :owasp_top_10_10]
+        # This is the check severity level. It tells how dangerous is the
+        # vulnerability for you application.
+        #
+        # Valid values are:
+        #   + :critical
+        #   + :high
+        #   + :medium
+        #   + :low
+        #   + :info
+        #   + :none
+        attr_accessor :severity
+        # This is the check priority level. It tells how fast you should
+        # mitigate the vulnerability.
+        #
+        # Valid values are:
+        #   + :critical
+        #   + :high
+        #   + :medium
+        #   + :low
+        #   + :info
+        #   + :none
+        attr_accessor :priority
+        def initialize(options={})
+          @applies                  = []
+          @ruby_version             = ""
+          @ruby_vulnerable_versions = []
+          @name         = options[:name]
+          @cvss         = options[:cvss]
+          @cwe          = options[:cwe]
+          @cve          = options[:cve]
+          @osvdb        = options[:osvdb]
+          @owasp        = options[:owasp]
+          @release_date = options[:release_date]
+          @applies      = options[:applies] unless options[:applies].nil?
+          @kind         = options[:kind]
+          @message      = options[:message]
+          @remediation  = options[:mitigation]
+          @aux_links    = options[:aux_links]
+          @target_version = options[:target_version]
+          @fixes_version  = options[:fixes_version]
+          @ruby_version   = options[:ruby_version]
+          @evidences    = []
+          @evidences    = options[:evidences] unless options[:evidences].nil?
+          @mitigated    = false
+          @status       = false
+          @debug        = false
+          @severity     = :none
+          @priority     = :none
+          @check_family = :generic_check
+          @severity         = options[:severity] unless options[:severity].nil?
+          @priority         = options[:priority] unless options[:priority].nil?
+          @check_family     = options[:check_family] unless options[:check_family].nil?
+          # FIXME.20140325
+          #
+          # I don't want to manually fix 150+ ruby files to add something I can
+          # deal here
+          @check_family = :cve if !options[:name].nil? && options[:name].start_with?('CVE-')
+          if $logger.nil?
+            require 'codesake-commons'
+            $logger  = Codesake::Commons::Logging.instance
+            $logger.helo "dawn-basic-check", Codesake::Dawn::VERSION
+          end
+        end
+        def self.families
+          return ALLOWED_FAMILIES.map { |x| x.to_s }
+        end
+        def family=(item)
+          if ! ALLOWED_FAMILIES.find_index(item.to_sym).nil?
+            instance_variable_set(:@check_family, item.to_sym)
+            return item
+          else
+            $logger.err("invalid check family: #{item}")
+            instance_variable_set(:@check_family, :generic_check)
+            return @family
+          end
+        end
+        def family
+          return "CVE bulletin"                   if @check_family == :cve
+          return "Ruby coding style"              if @check_family == :code_style
+          return "Ruby code quality check"        if @check_family == :code_quality
+          return "Owasp Ruby on Rails cheatsheet" if @check_family == :owasp_ror_cheatsheet
+          return "Owasp Top 10"                   if @check_family.to_s.start_with?('owasp_top_10')
+          return "Unknown"
+        end
+        def priority
+          return (@priority == :none)? "unknown" : @priority.to_s
+        end
+        def severity
+          return @severity.to_s unless @severity == :none
+          # if not set and if cvss is available, than use CVSS
+          unless self.cvss.nil?
+            score = Cvss::Engine.new.score(self.cvss)
+            case score
+            when 10
+              return "critical"
+            when 7..9
+              return "high"
+            when 4..6
+              return "medium"
+            when 2..3
+              return "low"
+            when 0..1
+              return "info"
+            else
+              return "unknown"
+            end
+          else
+            return "unknown"
+          end
+          # if not set, no cvss available just return unknown
+          return "unknown"
+        end
+        def applies_to?(name)
+          ! @applies.find_index(name).nil?
+        end
+        def cve_link
+          "http://cve.mitre.org/cgi-bin/cvename.cgi?name=#{@name}"
+        end
+        def nvd_link
+          "http://web.nvd.nist.gov/view/vuln/detail?vulnId=#{@name}"
+        end
+        def rubysec_advisories_link
+          "http://www.rubysec.com/advisories/#{@name}/"
+        end
+        def osvdb_link
+          "http://osvdb.org/show/osvdb/#{@osvdb}"
+        end
+        def cvss_score
+          return Cvss::Engine.new.score(self.cvss) unless self.cvss.nil?
+          "    "
+        end
+        def mitigated?
+          self.mitigated
+        end
+        # Performs a self check against some core values from being not nil
+        #
+        # @return an Array with attributes with a nil value
+        def lint
+          ret = []
+          ret << :cve if @cve.nil?
+          ret << :osvdb if @osvdb.nil?
+          ret << :cvss if @cvss.nil?
+          ret << :severity if @severity == :none
+          ret << :priority if @priority == :none
+          ret
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/combo_check.rb ADDED

@@ -0,0 +1,64 @@
+module Codesake
+  module Dawn
+    module Kb
+      module ComboCheck
+        include BasicCheck
+        attr_reader   :checks
+        attr_accessor :options
+        attr_reader   :vulnerable_checks
+        def initialize(options={})
+          super(options)
+          @vuln_if_all_fails = true
+          @vuln_if_all_fails = options[:vuln_if_all_fails] unless options[:vuln_if_all_fails].nil?
+          @checks = options[:checks]
+          @vulnerable_checks = []
+          @options = options
+        end
+        def vuln?
+          ret = true
+          at_least_one = false
+          @checks.each do |check|
+            check_vuln = false
+            check.detected_ruby   = @options[:detected_ruby]    if check.kind == Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+            check.dependencies    = @options[:dependencies]     if check.kind == Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK
+            check.root_dir        = @options[:root_dir]         if check.kind == Codesake::Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+            check.debug           = self.debug
+            check_vuln = check.vuln? if check.respond_to?(:vuln?)
+            ret = ret && check_vuln
+            at_least_one = true if check_vuln
+            @evidences << check.evidences if check_vuln
+            @vulnerable_checks << check if check_vuln
+            raise "A check class doesn't respond to vuln? in combo (#{check.class})" unless check.respond_to?(:vuln?)
+          end
+          dump_status
+          debug_me("combo_check: is_vulnerable_if_all_checks_fail = #{@vuln_if_all_fails}, RET = #{ret}, at_least_one= #{at_least_one}")
+          return ret if @vuln_if_all_fails
+          return at_least_one unless @vuln_if_all_fails
+        end
+        def dump_status
+          @checks.each do |check|
+            debug_me("check name is #{check.name} and vulnerable status is #{check.status}")
+          end
+          true
+        end
+        def self.find_vulnerable_checks_by_class(list=[], klass=Object)
+          list.each do |l|
+            return l if l.instance_of?(klass)
+          end
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/codesake/dawn/kb/cve_2004_0755.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2004_0755
+				include RubyVersionCheck
+				def initialize
+          message = "The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions."
+          super({
+            :name=>"CVE-2004-0755",
+            :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2004, 10, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://xforce.iss.net/xforce/xfdb/16996"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2004_0983.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2004_0983
+				include RubyVersionCheck
+				def initialize
+          message = "The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request."
+          super({
+            :name=>"CVE-2004-0983",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2005, 03, 01),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://xforce.iss.net/xforce/xfdb/17985"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.7", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2005_1992.rb ADDED

@@ -0,0 +1,30 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2005_1992
+				include RubyVersionCheck
+				def initialize
+          message = "The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents \"security protection\" using handlers, which allows remote attackers to execute arbitrary commands."
+          super({
+            :name=>"CVE-2005-1992",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2005, 06, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www2.ruby-lang.org/en/20050701.html"]
+          })
+          self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2005_2337.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2005_2337
+				include RubyVersionCheck
+				def initialize
+          message="Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin)."
+          super({
+            :name=>"CVE-2005-2337",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            :release_date => Date.new(2005, 10, 07),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www.ruby-lang.org/en/20051003.html"]
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"},
+            {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
+          ]
+				end
+			end
+		end
+	end
+end

data/lib/codesake/dawn/kb/cve_2006_1931.rb ADDED

@@ -0,0 +1,32 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-06
+			class CVE_2006_1931
+				include RubyVersionCheck
+				def initialize
+          message = "The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data."
+          super({
+            :name=>"CVE-2006-1931",
+            :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
+            :release_date => Date.new(2005, 06, 20),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+            :message=>message,
+            :mitigation=>"Upgrade your ruby interpreter",
+            :aux_links=>["http://www.securityfocus.com/bid/17645"]
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
+            {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"}
+          ]
+				end
+			end
+		end
+	end
+end