dawnscanner 1.3.1 → 1.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3f0312208553d247840f6a71da2e0ef95c8c223d
-  data.tar.gz: 5122a815d28cc9d701374407d04cf0c0b78e1b48
+  metadata.gz: 05b506c1430295b474c31984bc9a1b9a155b5d51
+  data.tar.gz: 7e0417a90ad9c5a2a054d1579b26ac0ce25747ff
 SHA512:
-  metadata.gz: aef798632ca975c2c04b67a434a69e3ce5852ef83fc28ecf4e1e781b3f7e79adde54c6bb20459bcf7249acfe3968c77ef02cf4c87183c497c186fb6794f1cabe
-  data.tar.gz: 14f385eb24b0745a67eaa8fd7e177e6a456b2c298434f794f54b2c952417f49ed728fdab3dc5592face49983de1e485b986905931bc6556d05be96019c4959e1
+  metadata.gz: fa103df76aeb6f50084803cd653aa328eb29734ac123ec06a4dd5a5d3cb2bb2600318c26ae36ab5669e06dd7d052197d1ca68a1c80594231e6be073832f58ed9
+  data.tar.gz: 8a8a0fe09ba77ec3d69433a33ed4cf75f9fbb469f6e3e9fd43f05841b38095ffe43d6b5b1d201f97de2d041214435f9c1361166762fc877a37e6a52d84a1a393

data/BUGS.md

@@ -0,0 +1,14 @@
+# Dawnscanner - BUGS
+
+In this file you will find bugs I (thesp0nge) will find during development
+tests. This is a memo file for [github
+issues](https://github.com/thesp0nge/dawnscanner/issues) opened by myself, I
+can use when I'm offline.
+
+| ID | Description            | Status |
+|----|------------------------|--------|
+| B1 | when reviewing a Rails app, Source checks are not wired up. We must understand how to enable source checks in engines: source_check.rb:77:in `is_this_precondition_met?': undefined method `deep_each' for nil:NilClass | open |
+| B2 | when reviewing a Sinatra app, we've got this error: engine.rb:42:in `[]': no implicit conversion of Symbol into Integer (TypeError) | open |
+|----|------------------------|--------|
+
+_last updated: Tue Jan 13 17:19:05 CET 2015_

data/Changelog.md

@@ -5,7 +5,33 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Thu Jan  8 17:19:37 CET 2015_
+_latest update: Wed Jul 29 23:10:24 CEST 2015_
+
+## Version 1.3.5 - codename: Lightning McQueen (2015-07-29)
+
+* Adding a check for CVE-2015-293: XSS in the paperclip gem (issue #139)
+* Adding a check for CVE-2015-1840: CSRF in jquery-rails and jquery-ujs gems.
+  Please note that this is the first (and I hope the only) dependency check
+  splitted in two parts. People from NVD assigned a single CVE to a
+  vulnerability affecting two related but different gems. (issue #135)
+* Adding a check for CVE-2015-3224: Whitelist bypass rack gem (issue #133)
+* Adding a check for CVE-2015-3225: DoS in rack gem (issue #136)
+* Adding a check for CVE-2015-3226: XSS in activesupport gem (issue #134)
+* Adding a check for CVE-2015-3227: DoS in activesupport gem (issue #137)
+* Adding a check for OSVDB-119927: MITM attack for http gem (issue #131)
+* Adding a check for OSVDB-119878: Session Fixation for rest-client gem (issue #130)
+* Adding a check for OSVDB-118954: Denial of service for rails gem (issue #129)
+* Adding a check for OSVDB-118579: MySQL credentials disclosure due to a flaw
+* Adding a check for OSVDB-118830: Sensitive information stored in production logs (issue #127)
+
+## Version 1.3.1 - codename: Lightning McQueen (2015-02-19)
+
+* Fixed last namespace pollution errors. Codesake namespace went away (issue
+  #101)
+
+## Version 1.3.0 - codename: Lightning McQueen (2015-02-18)
+
+* Renewing digital signing certificate (issue #100)
 
 ## Version 1.2.99 - codename: Lightning McQueen (2015-01-07)
 

data/KnowledgeBase.md

@@ -1,6 +1,6 @@
 # Dawn Knowledge base
 
-The knowledge base library for Dawn version 1.2.0 contains 180 security checks.
+The knowledge base library for Dawn version 1.3.5 contains 192 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
@@ -172,6 +172,13 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 * [CVE-2014-3482](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 * [CVE-2014-3483](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
+* [CVE-2015-1849](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1849): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
+* [CVE-2015-1849](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1849): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
+* [CVE-2015-2963](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2963): The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
+* [CVE-2015-3224](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3224): request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
+* [CVE-2015-3225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225): lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
+* [CVE-2015-3226](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226): Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
+* [CVE-2015-3227](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227): The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
 * [OSVDB-105971](http://osvdb.org/show/osvdb/105971): sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
 * OSVDB-105971: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
 * [OSVDB-108569](http://osvdb.org/show/osvdb/108569): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.
@@ -182,6 +189,16 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * OSVDB-108530: kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
 * [OSVDB-108563](http://osvdb.org/show/osvdb/108563): gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
 * OSVDB-108563: gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+* [OSVDB_118579](http://osvdb.org/show/osvdb/118579): xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information.
+* OSVDB_118579: xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attack to gain access to MySQL credential information.
+* [OSVDB_118830](http://osvdb.org/show/osvdb/118830): Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb. The issue is due to the program storing sensitive information in production logs. This may allow a local attacker to gain access to sensitive information.
+* OSVDB_118830: Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb. The issue is due to the program storing sensitive information in production logs. This may allow a local attacker to gain access to sensitive information.
+* [OSVDB_118954](http://osvdb.org/show/osvdb/118954): Ruby on Rails contains a flaw that is triggered when handling a to_json call to ActiveModel::Name, which can cause an infinite loop. This may allow a remote attacker to cause a denial of service.
+* OSVDB_118954: Ruby on Rails contains a flaw that is triggered when handling a to_json call to ActiveModel::Name, which can cause an infinite loop. This may allow a remote attacker to cause a denial of service.
+* [OSVDB_119878](http://osvdb.org/show/osvdb/119878): rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.
+* OSVDB_119878: rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.
+* [OSVDB_119927](http://osvdb.org/show/osvdb/119927): http Gem for Ruby contains a flaw related to certificate validation. The issue is due to a failure to call the OpenSSL::SSL::SSLSocket#post_connection_check method, leading to hostnames not being properly verified. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
+* OSVDB_119927: http Gem for Ruby contains a flaw related to certificate validation. The issue is due to a failure to call the OpenSSL::SSL::SSLSocket#post_connection_check method, leading to hostnames not being properly verified. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MiTM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
 * Owasp Ror CheatSheet: Command Injection: Ruby offers a function called "eval" which will dynamically build new Ruby code based on Strings. It also has a number of ways to call system commands. While the power of these commands is quite useful, extreme care should be taken when using them in a Rails based application. Usually, its just a bad idea. If need be, a whitelist of possible values should be used and any input should be validated as thoroughly as possible. The Ruby Security Reviewer's Guide has a section on injection and there are a number of OWASP references for it, starting at the top: Command Injection.
 * Owasp Ror CheatSheet: Cross Site Request Forgery: Ruby on Rails has specific, built in support for CSRF tokens. To enable it, or ensure that it is enabled, find the base ApplicationController and look for the protect_from_forgery directive. Note that by default Rails does not provide CSRF protection for any HTTP GET request.
 * Owasp Ror CheatSheet: Session management: By default, Ruby on Rails uses a Cookie based session store. What that means is that unless you change something, the session will not expire on the server. That means that some default applications may be vulnerable to replay attacks. It also means that sensitive information should never be put in the session.
@@ -210,4 +227,4 @@ Setting this to true will essentially strip out any host information.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
 
 
-_Last updated: Tue 08 Jul 17:59:10 CEST 2014_
+_Last updated: Wed 29 Jul 23:06:16 CEST 2015_

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2013 Paolo Perego
+Copyright (c) 2013-2015 Paolo Perego
 
 MIT License
 
@@ -19,4 +19,4 @@ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -23,7 +23,7 @@ box:
 
 ---
 
-Dawn version 1.3 has 180 security checks loaded in its knowledge
+Dawn version 1.3.5 has 192 security checks loaded in its knowledge
 base. Most of them are CVE bulletins applying to gems or the ruby interpreter
 itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
 
@@ -88,7 +88,7 @@ And then upgrade your bundle
 You may want to build it from source, so you have to check it out from github first:
 
     $ git clone https://github.com/thesp0nge/dawnscanner.git
-    $ cd dawn
+    $ cd dawnscanner
     $ bundle install
     $ rake install
 

data/Rakefile

@@ -24,6 +24,44 @@ task :test => :spec
 task :prepare => [:build, :'checksum:calculate', :'checksum:commit']
 task :release => [:prepare]
 
+namespace :version do
+  desc 'Calculate some infos you want to put in version.rb'
+  task :update do
+    build_number  = `git describe --tags --long | cut -d \'-\' -f 2`
+    commit_hash   = `git describe --tags --long | cut -d \'-\' -f 3`
+    release       = Time.now.strftime("%Y%m%d")
+    branch        = `git symbolic-ref HEAD 2> /dev/null`
+    branch_name   = branch.split('/')[2].chomp
+    a=[]
+    File.open("VERSION", "r") do |f|
+      a = f.readlines
+    end
+    version = a[a.length - 1].split('-')[0]# .chomp
+    codename = a[a.length - 1].split('-')[1]
+
+    File.open("./lib/dawn/version.rb", "w") do |f|
+
+      f.puts("module Dawn")
+
+      puts "#{branch_name}|"
+      if branch_name != "master"
+        av = version.split('.')
+        f.puts "    VERSION = \"#{av[0]}.#{av[1]}.#{commit_hash.chop}\""
+        f.puts "    CODENAME = \"#{codename.lstrip!.chop}\""
+        f.puts "    RELEASE = \"(development)\""
+      else
+        puts "here"
+        f.puts "    VERSION = \"#{version.rstrip!}\""
+        f.puts "    CODENAME = \"#{codename.lstrip!.chop}\""
+        f.puts "    RELEASE = \"#{release}\""
+      end
+      f.puts "    BUILD = \"#{build_number.chop}\""
+      f.puts "    COMMIT = \"#{commit_hash.chop}\""
+      f.puts "end"
+    end
+  end
+end
+
 # namespace :check do
 # desc "Create a dependency check"
 # task :dependency, :name do |t, args|
@@ -90,6 +128,68 @@ task :cve, :name do |t,args|
 
 end
 
+desc "Create a new OSVDB security check"
+task :osvdb, :name do |t,args|
+  name      = args.name
+  SRC_DIR   = "./lib/dawn/kb/"
+  SPEC_DIR  = "./spec/lib/kb/"
+
+  raise "### It seems that #{name} is already in Dawn knowledge base" unless Dawn::KnowledgeBase.find(nil, name).nil?
+  raise "### Invalid OSVDB identifier: #{name}" if name.nil? or name.empty? or /\d{6}/.match(name).nil?
+  raise "### No target directory: #{SRC_DIR}" unless Dir.exists?(SRC_DIR)
+  raise "### No rspec directory: #{SPEC_DIR}" unless Dir.exists?(SPEC_DIR)
+
+  puts "Adding #{name} to knowledge base..."
+
+  name = "OSVDB_"+name
+
+  rb_filename = SRC_DIR+name.downcase.gsub("-", "_")+".rb"
+  spec_filename = SPEC_DIR+name.downcase.gsub("-", "_")+"_spec.rb"
+  class_name = name.gsub("-", "_")
+
+  open(rb_filename, "w") do |file|
+    file.puts "module Dawn"
+    file.puts "\t\tmodule Kb"
+    file.puts "\t\t\t# Automatically created with rake on #{Time.now.strftime('%Y-%m-%d')}"
+    file.puts "\t\t\tclass #{class_name}"
+    file.puts "\t\t\t\t# Include the testing skeleton for this Security Check"
+    file.puts "\t\t\t\t# include PatternMatchCheck"
+    file.puts "\t\t\t\t# include DependencyCheck"
+    file.puts "\t\t\t\t# include RubyVersionCheck"
+    file.puts ""
+    file.puts "\t\t\t\tdef initialize"
+    file.puts "\t\t\t\tend"
+    file.puts "\t\t\tend"
+    file.puts "\t\tend"
+    file.puts "end"
+  end
+  puts "#{rb_filename} created"
+
+  open(spec_filename, "w") do |file|
+    file.puts "require 'spec_helper'"
+
+    file.puts "describe \"The #{name} vulnerability\" do"
+    file.puts "\tbefore(:all) do"
+    file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
+    file.puts "\t\t# @check.debug = true"
+    file.puts "\tend"
+    file.puts "\tit \"is reported when...\""
+    file.puts "end"
+  end
+  puts "#{spec_filename} created"
+
+
+  puts "*** PLEASE IMPLEMENT TEST FOR #{name} IN spec/lib/dawn/codesake_knowledgebase_spec.rb in order to reflect changes"
+  puts "*** PLEASE ADD THIS CODE IN lib/dawn/knowledge_base.rb in order to reflect changes"
+  puts "require \"dawn/kb/#{class_name.downcase}\""
+  puts "it \"must have test for #{name}\" do"
+  puts "  sc = kb.find(\"#{name}\")"
+  puts "  sc.should_not   be_nil"
+  puts "  sc.class.should == Dawn::Kb::#{class_name}"
+  puts "end"
+
+end
+
 
 
 desc "Create a new Generic security check"

data/Roadmap.md

@@ -1,4 +1,4 @@
-# Codesake Dawn - roadmap
+# Dawnscanner - roadmap
 
 Dawnscanner is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
@@ -7,10 +7,14 @@ frameworks.
 
 This is an ongoing roadmap for the Dawnscanner source code review tool.
 
-_latest update: Mon Mar 31 13:01:21 CEST 2014_
+_latest update: Tue Feb 24 08:02:56 CET 2015_
 
-## Version 1.2.0
+## Version 1.4.0
 
+* clear Codesake:Commons dependency mess. This will dramatically simplify
+  dawnscanner installation
+* Add a --github option to Dawnscanner to clone a remote repository, perform
+  a bundle install and do a code review.
 * create a task to check for new CVE in NVD website
 * SQLite3 integration for saving data. Each project will have its own SQLite
   database containing reviews, findings and all. A table with Dawnscanner version it
@@ -18,33 +22,38 @@ _latest update: Mon Mar 31 13:01:21 CEST 2014_
 * add a language check. It will handle a ruby script as input and a
   ruby\_parser line as unsafe pattern. It will compile the ruby and look for
   the unsafe pattern
-* Add preliminary Cross Site Scripting detection for Ruby on Rails.
 * Issue #7: Improving HTML output and let the user the capability to provide a
   basic layout to customize report
-* Add a ruby deprecation check, accordingly to
-  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
+* add source code metrics gathering (lines of code, lines of comments,
+  cyclomatic complexity index, ...)
+
 
-## Version 1.3.0
+## Version 1.5.0
 
+* Add a ruby deprecation check, accordingly to
+  https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
+* Add preliminary Cross Site Scripting detection for Ruby on Rails.
 * Add support for ERB for in detect\_views
 * Add preliminary javascript support
-* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
 * add support for pure Rack applications
 * Cross Site Scripting detection: it must be done for all MVC frameworks
   (including Rack) and it must cover either reflected than stored attack
   patterns
-* Add a --github option to Dawnscanner to clone a remote repository, perform
-  a bundle install and do a code review.
 * Add support for github hooks
 * Add premilinary SQL injection detection for Ruby on Rails
 
-## Version 1.5.0
+## Version 1.6.0
 
 * Add insecure direct object reference detection for all MVC frameworks (including Rack)
 * SQL Injection detection: it must be done for all MVC frameworks (including Rack)
 * Add automatic mitigation patch generation
 * Add support for Javascript
 
+## Version 1.7.0
+
+* Add automatic mitigation patch generation
+
 # Spinoff projects
 
 Dawnscanner is a security scanner for ruby code. Modern web applications
@@ -57,3 +66,8 @@ Dawnscanner can be wrote also to support them:
 Initially they were in the Dawnscanner roadmap for a 2.0.0 version. However
 we decide to drop this in the name of being focused on ruby programming
 language.
+
+PHP has a good open source code scanners ecosystem, instead JAVA has not.
+Players started open and eventually they turned in big commercial bloatware
+GUIs that are useless from the security specialist perspective. A simple
+bytecode analyzer, with some checks, can be a possible spinoff project.

data/VERSION

@@ -0,0 +1,16 @@
+# Each dawnscanner major release will have a Disney Pixar Cars / Cars2
+# character as codename. My son Daniele loves those films and since I love
+# him too, this is a kinda sort of tribute of my son's passion.
+#
+# Future releases
+#
+# | Character       | Release  |
+# |-----------------|----------|
+# |  "Tow Mater"    |  1.4.0   |
+# | "Finn McMissile"|  1.6.0   |
+# |  "Fillmore"     |  1.8.0   |
+# |"Holly Shiftwell"|  1.10.0  |
+# |   "Guido"       |  1.12.0  |
+# |   "Luigi"       |  1.14.0  |
+# | "Doc Hudson"    |  1.16.0  |
+1.3.5 - Lightning McQueen

data/bin/dawn

@@ -6,14 +6,18 @@ require 'terminal-table'
 
 require 'justify'
 
-require 'codesake-commons'
+# require 'codesake-commons'
 require 'dawnscanner'
 
 APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
-$logger  = Codesake::Commons::Logging.instance
+# $logger  = Codesake::Commons::Logging.instance
+require 'logger'
+$logger = Logger.new(STDOUT)
+$logger.datetime_format = '%Y-%m-%d %H:%M:%S'
+
 opts    = GetoptLong.new(
   # report formatting options
   [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
@@ -144,7 +148,7 @@ end
 rescue GetoptLong::InvalidOption => e
 
   $logger.helo APPNAME, Dawn::VERSION
-  $logger.err e.message
+  $logger.error e.message
   Kernel.exit(Dawn::Core.help)
 end
 
@@ -155,7 +159,7 @@ trap("INT")   { $logger.die('[INTERRUPTED]') }
 $logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
 $logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Dawn::Core.is_good_target?(target)
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
-$logger.log("security check enabled: #{options[:enabled_checks]}") if options[:debug]
+$logger.debug("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
 
 ## MVC auto detect.
@@ -165,7 +169,7 @@ unless options[:gemfile_scan]
   begin
     if options[:mvc].empty?
       engine = Dawn::Core.detect_mvc(target)
-      $logger.log("using #{engine.class.name} engine via autodect") if options[:debug]
+      $logger.debug("using #{engine.class.name} engine via autodect") if options[:debug]
     else
       engine = Dawn::Rails.new(target)      if options[:mvc] == :rails
       engine = Dawn::Sinatra.new(target)    if options[:mvc] == :sinatra

data/checksum/dawnscanner-1.3.1.gem.sha1

@@ -0,0 +1 @@
+06aee0b1bba7922a459aca13c5668fc938b120d7

data/dawnscanner.gemspec

@@ -7,11 +7,10 @@ Gem::Specification.new do |gem|
   gem.name          = "dawnscanner"
   gem.version       = Dawn::VERSION
   gem.authors       = ["Paolo Perego"]
-  gem.email         = ["paolo@codesake.com"]
-  gem.description   = %q{Dawn is a security source code scanner for ruby powered code.}
-  gem.summary   = %q{Codesake::Dawn is a security source code scanner for ruby powered code.}
-  gem.homepage      = "http://dawn.codesake.com"
-
+  gem.email         = ["paolo@dawnscanner.org"]
+  gem.description   = %q{Dawn is a security source code scanner for ruby powered code. It is especially designed for web applications, but it works also with general purpose ruby scripts. Dawn supports all major MVC frameworks like ruby on rails, padrino and sinatra; it provides more than 150 security checks with their own mitigation suggestion.}
+  gem.summary       = %q{Dawn is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
+  gem.homepage      = "http://dawnscanner.org"
   gem.files         = `git ls-files`.split($/)
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
@@ -22,7 +21,6 @@ Gem::Specification.new do |gem|
 
   gem.required_ruby_version = '>= 1.9.2'
 
-  gem.add_dependency "codesake-commons", "~> 1.0.0"
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
   gem.add_dependency 'parser'
@@ -32,6 +30,7 @@ Gem::Specification.new do |gem|
   gem.add_dependency 'grit'
   gem.add_dependency 'terminal-table'
   gem.add_dependency 'justify'
+  gem.add_dependency 'logger-colors'
 
   gem.add_dependency ('coveralls')
 

data/lib/dawn/kb/basic_check.rb

@@ -121,8 +121,18 @@ module Dawn
         @check_family = :cve if !options[:name].nil? && options[:name].start_with?('CVE-')
 
         if $logger.nil?
-          require 'codesake-commons'
-          $logger  = Codesake::Commons::Logging.instance
+          # This is the old codesake-commons logging.
+          #
+          # Starting from 20150720 we will use the standard library Logger
+          # class. This is mainly to remove codesake-commons dependency and to
+          # have a clean API
+          #
+          # require 'codesake-commons'
+          # $logger  = Codesake::Commons::Logging.instance
+          # $logger.helo "dawn-basic-check", Dawn::VERSION
+
+          require 'dawn/logger'
+          $logger = Logger.new(STDOUT)
           $logger.helo "dawn-basic-check", Dawn::VERSION
         end
       end
@@ -151,6 +161,11 @@ module Dawn
         return "Unknown"
       end
 
+      def cve
+        return @cve unless @cve.nil?
+        return @name.gsub("CVE-", "") if @cve.nil? && @name.start_with?("CVE-")
+      end
+
       def priority
         return (@priority == :none)? "unknown" : @priority.to_s
       end
@@ -166,13 +181,13 @@ module Dawn
             return "critical"
           when 7..9
             return "high"
-          when 4..6
+          when 4..7
             return "medium"
-          when 2..3
+          when 2..4
             return "low"
-          when 0..1
+          when 0..2
             return "info"
-          else 
+          else
             return "unknown"
           end
         else
@@ -213,11 +228,11 @@ module Dawn
       # @return an Array with attributes with a nil value
       def lint
         ret = []
-        ret << :cve if @cve.nil?
+        ret << :cve if self.cve.nil?
         ret << :osvdb if @osvdb.nil?
-        ret << :cvss if @cvss.nil?
-        ret << :severity if @severity == :none
-        ret << :priority if @priority == :none
+        ret << :cvss if self.cvss.nil? || self.cvss.empty? || self.cvss == "not assigned"
+        ret << :severity if self.severity == "unknown"
+        ret << :priority if self.priority == "unknown"
 
         ret
       end