dawnscanner 1.4.2 → 1.5.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.ruby-version +1 -1
- data/Changelog.md +85 -9
- data/KnowledgeBase.md +206 -5
- data/README.md +25 -25
- data/Rakefile +19 -5
- data/Roadmap.md +104 -46
- data/VERSION +10 -10
- data/bin/dawn +96 -15
- data/checksum/dawnscanner-1.4.2.gem.sha1 +1 -0
- data/dawnscanner.gemspec +21 -4
- data/doc/dawn_1_5_announcement.md +66 -0
- data/doc/{codesake-dawn.yaml.sample → dawnscanner.yaml.sample} +0 -0
- data/doc/new_knowledge_base_v1.0.md +78 -0
- data/lib/dawn/core.rb +22 -28
- data/lib/dawn/engine.rb +111 -54
- data/lib/dawn/kb/basic_check.rb +3 -0
- data/lib/dawn/kb/cve_2014_3483.rb +1 -0
- data/lib/dawn/kb/cve_2015_1819.rb +34 -0
- data/lib/dawn/kb/cve_2015_4020.rb +34 -0
- data/lib/dawn/kb/gem_check.rb +43 -0
- data/lib/dawn/kb/osvdb_115654.rb +33 -0
- data/lib/dawn/kb/osvdb_116010.rb +30 -0
- data/lib/dawn/kb/osvdb_117903.rb +30 -0
- data/lib/dawn/kb/osvdb_118954.rb +5 -3
- data/lib/dawn/kb/osvdb_119878.rb +3 -3
- data/lib/dawn/kb/osvdb_120415.rb +31 -0
- data/lib/dawn/kb/osvdb_120857.rb +34 -0
- data/lib/dawn/kb/osvdb_121701.rb +30 -0
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +23 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +16 -20
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +31 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +22 -22
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +23 -23
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +25 -25
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +21 -21
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +24 -24
- data/lib/dawn/kb/version_check.rb +4 -0
- data/lib/dawn/knowledge_base.rb +36 -4
- data/lib/dawn/registry.rb +43 -0
- data/lib/dawn/reporter.rb +88 -47
- data/lib/dawn/utils.rb +3 -4
- data/lib/dawn/version.rb +4 -4
- data/lib/dawnscanner.rb +4 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +40 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -1
- data/spec/lib/kb/cve_2015_1819_spec.rb +16 -0
- data/spec/lib/kb/cve_2015_4020_spec.rb +24 -0
- data/spec/lib/kb/osvdb_115654_spec.rb +15 -0
- data/spec/lib/kb/osvdb_116010_spec.rb +15 -0
- data/spec/lib/kb/osvdb_117903_spec.rb +23 -0
- data/spec/lib/kb/osvdb_118954_spec.rb +13 -1
- data/spec/lib/kb/osvdb_119878_spec.rb +8 -9
- data/spec/lib/kb/osvdb_120415_spec.rb +16 -0
- data/spec/lib/kb/osvdb_120857_spec.rb +32 -0
- data/spec/lib/kb/osvdb_121701_spec.rb +15 -0
- metadata +153 -12
- metadata.gz.sig +0 -0
- data/BUGS.md +0 -14
data/README.md
CHANGED
@@ -1,11 +1,11 @@
|
|
1
|
-
#
|
1
|
+
# Dawnscanner - The raising security scanner for ruby web applications
|
2
2
|
|
3
|
-
|
3
|
+
dawnscanner is a source code scanner designed to review your ruby code for security
|
4
4
|
issues.
|
5
5
|
|
6
|
-
|
6
|
+
dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but
|
7
7
|
all its features are unleashed when dealing with web applications source code.
|
8
|
-
|
8
|
+
dawnscanner is able to scan major MVC (Model View Controller) frameworks, out of the
|
9
9
|
box:
|
10
10
|
|
11
11
|
* [Ruby on Rails](http://rubyonrails.org)
|
@@ -23,13 +23,13 @@ box:
|
|
23
23
|
|
24
24
|
---
|
25
25
|
|
26
|
-
|
26
|
+
dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge
|
27
27
|
base. Most of them are CVE bulletins applying to gems or the ruby interpreter
|
28
28
|
itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
|
29
29
|
|
30
30
|
## An overall introduction
|
31
31
|
|
32
|
-
When you run
|
32
|
+
When you run dawnscanner on your code it parses your project Gemfile.lock
|
33
33
|
looking for the gems used and it tries to detect the ruby interpreter version
|
34
34
|
you are using or you declared in your ruby version management tool you like
|
35
35
|
most (RVM, rbenv, ...).
|
@@ -38,12 +38,12 @@ Then the tool tries to detect the MVC framework your web application uses and
|
|
38
38
|
it applies the security check accordingly. There checks designed to match rails
|
39
39
|
application or checks that are appliable to any ruby code.
|
40
40
|
|
41
|
-
|
41
|
+
dawnscanner can also understand the code in your views and to backtrack
|
42
42
|
sinks to spot cross site scripting and sql injections introduced by the code
|
43
43
|
you actually wrote. In the project roadmap this is the code most of the future
|
44
44
|
development effort will be focused on.
|
45
45
|
|
46
|
-
|
46
|
+
dawnscanner security scan result is a list of vulnerabilities with some
|
47
47
|
mitigation actions you want to follow in order to build a stronger web
|
48
48
|
application.
|
49
49
|
|
@@ -57,7 +57,7 @@ public signing certificate as trusted to your gem specific keyring.
|
|
57
57
|
$ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
|
58
58
|
```
|
59
59
|
|
60
|
-
You can install latest
|
60
|
+
You can install latest dawnscanner version, fetching it from
|
61
61
|
[Rubygems](https://rubygems.org) by typing:
|
62
62
|
|
63
63
|
```
|
@@ -66,7 +66,7 @@ $ gem install dawnscanner -P MediumSecurity
|
|
66
66
|
|
67
67
|
The MediumSecurity trust profile will verify signed gems, but allow the
|
68
68
|
installation of unsigned dependencies. This is necessary because not all of
|
69
|
-
|
69
|
+
dawnscanner’s dependencies are signed, so we cannot use HighSecurity.
|
70
70
|
|
71
71
|
In order to install a release candidate version, the gem install command line
|
72
72
|
is the following:
|
@@ -99,10 +99,10 @@ that.
|
|
99
99
|
|
100
100
|
## Usage
|
101
101
|
|
102
|
-
You can start your code review with
|
102
|
+
You can start your code review with dawnscanner very easily. Simply tell the tool
|
103
103
|
where the project root directory.
|
104
104
|
|
105
|
-
Underlying MVC framework is autodetected by
|
105
|
+
Underlying MVC framework is autodetected by dawnscanner using target Gemfile.lock
|
106
106
|
file. If autodetect fails for some reason, the tool will complain about it and
|
107
107
|
you have to specify if it's a rails, sinatra or padrino web application by
|
108
108
|
hand.
|
@@ -147,7 +147,7 @@ Disable security check family
|
|
147
147
|
--disable-owasp-ror-cheatsheet disable all Owasp Ruby on Rails cheatsheet checks
|
148
148
|
--disable-owasp-top-10 disable all Owasp Top 10 checks
|
149
149
|
|
150
|
-
Flags useful to query
|
150
|
+
Flags useful to query dawnscanner
|
151
151
|
|
152
152
|
-S, --search-knowledge-base [check_name] search check_name in the knowledge base
|
153
153
|
--list-knowledge-base list knowledge-base content
|
@@ -164,7 +164,7 @@ Service flags
|
|
164
164
|
|
165
165
|
### Rake task
|
166
166
|
|
167
|
-
To include
|
167
|
+
To include dawnscanner in your rake task list, you simply have to put this line in
|
168
168
|
your ```Rakefile```
|
169
169
|
|
170
170
|
```
|
@@ -203,15 +203,15 @@ $ dawn -S this_test_does_not_exist
|
|
203
203
|
this_test_does_not_exist not found in knowledgebase
|
204
204
|
```
|
205
205
|
|
206
|
-
###
|
206
|
+
### dawnscanner security scan in action
|
207
207
|
|
208
|
-
As output,
|
208
|
+
As output, dawnscanner will put all security checks that are failed during the scan.
|
209
209
|
|
210
|
-
This the result of Codedake::
|
210
|
+
This the result of Codedake::dawnscanner running against a
|
211
211
|
[Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
|
212
212
|
delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
|
213
213
|
|
214
|
-
As you may see,
|
214
|
+
As you may see, dawnscanner first detects MVC running the application by
|
215
215
|
looking at Gemfile.lock, than it discards all security checks not appliable to
|
216
216
|
Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
|
217
217
|
Rails) and it applies them.
|
@@ -236,11 +236,11 @@ $ dawn ~/src/hacking/railsberry2013
|
|
236
236
|
|
237
237
|
---
|
238
238
|
|
239
|
-
When you run
|
239
|
+
When you run dawnscanner on a web application with up to date dependencies,
|
240
240
|
it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
|
241
241
|
working that way!
|
242
242
|
|
243
|
-
This is
|
243
|
+
This is dawnscanner running against a Padrino web application I wrote for [a
|
244
244
|
scorecard quiz game about application security](http://scorecard.armoredcode.com).
|
245
245
|
Italian language only. Sorry.
|
246
246
|
|
@@ -254,7 +254,7 @@ Italian language only. Sorry.
|
|
254
254
|
18:42:39 [*] dawn is leaving
|
255
255
|
```
|
256
256
|
|
257
|
-
If you need a fancy HTML report about your scan, just ask it to
|
257
|
+
If you need a fancy HTML report about your scan, just ask it to dawnscanner
|
258
258
|
with the ```--html``` flag used with the ```--file``` since I wanto to save the
|
259
259
|
HTML to disk.
|
260
260
|
|
@@ -285,7 +285,7 @@ Feedbacks are great and we really love to hear your voice.
|
|
285
285
|
If you're a proud dawnscanner user, if you find it useful, if you integrated
|
286
286
|
it in your release process and if you want to openly support the project you
|
287
287
|
can put your reference here. Just open an
|
288
|
-
[issue](https://github.com/thesp0nge/
|
288
|
+
[issue](https://github.com/thesp0nge/dawnscanner/issues/new) with a statement saying
|
289
289
|
how do you feel the tool and your company logo if any.
|
290
290
|
|
291
291
|
More easily you can drop an email to
|
@@ -304,9 +304,9 @@ Thank you.
|
|
304
304
|
|
305
305
|
[Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
|
306
306
|
|
307
|
-
## Contribute to
|
307
|
+
## Contribute to dawnscannerscanner
|
308
308
|
|
309
|
-
Are you interested in contributing to
|
309
|
+
Are you interested in contributing to dawnscanner project? Great, here is
|
310
310
|
some very basic rules in order to make rocking pull requests.
|
311
311
|
|
312
312
|
First of all, I use the branching model described in [this
|
@@ -328,7 +328,7 @@ In this case, the branch name must be something like _issue\_#xx\_description_
|
|
328
328
|
|
329
329
|
## LICENSE
|
330
330
|
|
331
|
-
Copyright (c) 2013
|
331
|
+
Copyright (c) 2013-2015 Paolo Perego <paolo@dawnscanner.org>
|
332
332
|
|
333
333
|
MIT License
|
334
334
|
|
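--- a/data/Rakefile
+++ b/data/Rakefile
@@ -111,7 +111,14 @@ task :cve, :name do |t,args|
 file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
-file.puts "\tit \"is reported when
+file.puts "\tit \"is reported when the vulnerable gem is detected\" do"
+file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+file.puts "\t\t@check.vuln?.should == true"
+file.puts "\tend"
+file.puts "\tit \"is not reported when a fixed release is detected\" do"
+file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+file.puts "\t\t@check.vuln?.should == false"
+file.puts "\tend"
 file.puts "end"
 end
 puts "#{spec_filename} created"
@@ -173,7 +180,14 @@ task :osvdb, :name do |t,args|
 file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
-file.puts "\tit \"is reported when
+file.puts "\tit \"is reported when the vulnerable gem is detected\" do"
+file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+file.puts "\t\t@check.vuln?.should == true"
+file.puts "\tend"
+file.puts "\tit \"is not reported when a fixed release is detected\" do"
+file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+file.puts "\t\t@check.vuln?.should == false"
+file.puts "\tend"
 file.puts "end"
 end
 puts "#{spec_filename} created"
@@ -266,13 +280,13 @@ namespace :kb do
 task :create do
 checks = Dawn::KnowledgeBase.new.all
 open("KnowledgeBase.md", "w") do |file|
-file.puts "#
-file.puts "\nThe knowledge base library for
+file.puts "# Dawnscanner Knowledge base"
+file.puts "\nThe knowledge base library for dawnscanner version #{Dawn::VERSION} contains #{checks.count} security checks."
 file.puts "---"
 checks.each do |c|
 file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
 file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
-file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE') && c.name.start_with?('OSVDB')
 end
 
 file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"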
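Review bot: The new condition on the last `file.puts` in `kb:create`, `unless c.name.start_with?('CVE') && c.name.start_with?('OSVDB')`, can never be true because a name cannot start with both prefixes, so the `unless` branch now emits every CVE and OSVDB check a second time without its link; it should read `unless c.name.start_with?('CVE') || c.name.start_with?('OSVDB')`. In the `:cve` and `:osvdb` tasks (first two hunks) the generated spec feeds the identical empty fixture `[{:name=>"", :version=>""}]` to both examples while expecting `vuln?` to be `true` in one and `false` in the other, so a freshly generated spec cannot pass until both fixtures are edited; a template line such as `file.puts "\t\t# TODO: set the vulnerable and the fixed gem version"` would make that explicit. The `kb:create` task body continues outside the hunk.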
data/Roadmap.md
CHANGED
@@ -7,67 +7,125 @@ frameworks.
|
|
7
7
|
|
8
8
|
This is an ongoing roadmap for the Dawnscanner source code review tool.
|
9
9
|
|
10
|
-
|
10
|
+
The document is _dynamic_ and feature schedule may vary. If you do need a
|
11
|
+
feature to be included sooner, please open an [issue on
|
12
|
+
github](https://github.com/thesp0nge/dawnscanner/issues/new)
|
13
|
+
|
14
|
+
_latest update: Thu Dec 3 18:29:11 CET 2015_
|
15
|
+
|
16
|
+
|
17
|
+
## Version 1.5.5 (est. Jan 2016)
|
18
|
+
|
19
|
+
* close all issues on github markedsfor milestone 1.5.5
|
20
|
+
* Issue #131 - Adding a check for OSVDB 119927 : http Gem for Ruby SSL Certificate Validation MitM Spoofing
|
21
|
+
* Issue #119 - Adding a check for OSVDB 114641 : Ruby lib/rexml/entity.rb NULL String Handling Recursive XML External Entity (XXE) Expansion Resource Consumption Remote DoS
|
22
|
+
* Issue #118 - Adding a check for OSVDB 113965 : Sprockets Gem for Ruby Unspecified Request Handling File Enumeration
|
23
|
+
* Issue #117 - Adding a check for OSVDB 113986 : Ruby on Rails Action Pack Gem Unspecified Request Handling File Enumeration
|
24
|
+
* Issue #116 - Adding a check for OSVDB 113747 : Ruby lib/rexml/entity.rb XML External Entity (XXE) Expansion Remote DoS
|
25
|
+
* Issue #115 - Adding a check for OSVDB 112346 : Web Console Gem for Ruby on Rails Unspecified Issue
|
26
|
+
* Issue #114 - Adding a check for OSVDB 112347 : Ruby on Rails Active Job Global ID String Argument Deserialization Unspecified Object Injection
|
27
|
+
* Issue #113 - Adding a check for OSVDB 112683 : as Gem for Ruby Process List Local Plaintext Credentials Disclosure
|
28
|
+
* Issue #112 - Adding a check for OSVDB 115891 : Active Resource (ARes) Gem for Ruby lib/active_resource/base.rb Thread Object Instantiation Unspecified Issue
|
29
|
+
* Issue #111 - Adding a check for OSVDB 110796 : FlavourSaver Gem for Ruby Kernel::send Method Template Helper Calling Remote Code Execution
|
30
|
+
* Issue #110 - Adding a check for OSVDB 108971 : Ruby pack.c encodes() Function Remote Stack Buffer Overflow
|
31
|
+
* Issue #109 - Adding a check for OSVDB 110439 : Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution
|
32
|
+
* Issue #108 - Adding a check for OSVDB 110147 : Active Record Gem for Ruby create_with Method Strong Parameter Protection Bypass
|
33
|
+
* Issue #107 - Adding a check for OSVDB 110004 : Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing
|
34
|
+
* Issue #106 - Adding a check for OSVDB 108899 : brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
|
35
|
+
* Issue #105 - Adding a check for OSVDB 108901 : brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
|
36
|
+
* Issue #104 - Adding a check for OSVDB 108900 : brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution
|
37
|
+
* Issue #103 - Ruby pack.c encodes() Function Remote Stack Buffer Overflow
|
38
|
+
* Issue #96 - Sinatra apps without views: NoMethodError
|
39
|
+
* adding test for CVE-2011-4969 XSS in jquery < 1.6.2
|
40
|
+
|
41
|
+
|
42
|
+
## Version 2.0.0 (est. June 2016)
|
43
|
+
|
44
|
+
### New supported frameworks
|
45
|
+
|
46
|
+
* Add Lotus support
|
47
|
+
* Add Maven support (this will lead of creating the skeleton of a
|
48
|
+
dawnscanner-java gem. I will decide later if it will stay with the core or if
|
49
|
+
it will be a separted gem plugging into dawnscanner as plugin).
|
50
|
+
* Add support for pure Rack applications
|
51
|
+
* Add basic support for Javascript. At the beginning, it will be a signature
|
52
|
+
based support. dawnscanner will try to detect the js library version by using
|
53
|
+
SHA hashing functions, comparing it with fingerprint of vulnerable libraies.
|
54
|
+
Of course, this will lead to false negatives if a user tamper the original
|
55
|
+
JS. We must consider also minified versions and we're not able to deal with
|
56
|
+
obfuscated code.
|
11
57
|
|
12
|
-
|
58
|
+
### New checks
|
13
59
|
|
14
|
-
*
|
15
|
-
|
60
|
+
* Add a language check. It will handle a ruby script as input and a
|
61
|
+
ruby\_parser line as unsafe pattern. It will compile the ruby and look for
|
62
|
+
the unsafe pattern
|
63
|
+
* Cross Site Scripting, SQL injection and CSRF detection: it must be done for
|
64
|
+
all MVC frameworks (including Rack) and it must cover either reflected than
|
65
|
+
stored attack patterns
|
66
|
+
* Owasp RoR cheatsheet check for backup files **MUST** be integrated in
|
67
|
+
dawnscanner the proper way. This is a dynamic tests that it must be run in a
|
68
|
+
static way, looking for the public directory for old and backup files
|
69
|
+
pattern.
|
70
|
+
* Security checks for vulnerabilities out until 31 May 2016.
|
71
|
+
|
72
|
+
### New features
|
73
|
+
|
74
|
+
* Separate dependencies check from model, view and controller analysis.
|
75
|
+
* Add a '--ab-decision' flag. Can be a good idea to make dawnscanner able just
|
76
|
+
to say a quick "go/no go" for a release with a small json output like
|
77
|
+
{decision:"GO", vulns: 12, mean\_cvss: 3.2} or {decision:"NO GO", vulns: 9,
|
78
|
+
mean\_cvss:9.2}
|
16
79
|
* Add a --github option to Dawnscanner to clone a remote repository, perform
|
17
80
|
a bundle install and do a code review.
|
18
|
-
* create a task to check for new CVE in NVD website
|
19
81
|
* SQLite3 integration for saving data. Each project will have its own SQLite
|
20
|
-
database containing reviews, findings and all. A table with Dawnscanner
|
21
|
-
created the database will be inserted as well
|
22
|
-
*
|
23
|
-
ruby\_parser line as unsafe pattern. It will compile the ruby and look for
|
24
|
-
the unsafe pattern
|
25
|
-
* Issue #7: Improving HTML output and let the user the capability to provide a
|
26
|
-
basic layout to customize report
|
27
|
-
* adding test for CVE-2011-4969 XSS in jquery < 1.6.2
|
28
|
-
* add source code metrics gathering (lines of code, lines of comments,
|
82
|
+
database containing reviews, findings and all. A table with Dawnscanner
|
83
|
+
version it created the database will be inserted as well
|
84
|
+
* Add source code metrics gathering (lines of code, lines of comments,
|
29
85
|
cyclomatic complexity index, ...)
|
30
|
-
|
31
|
-
|
32
|
-
## Version 1.6.0
|
33
|
-
|
34
86
|
* Add a ruby deprecation check, accordingly to
|
35
87
|
https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
|
36
|
-
* Add preliminary Cross Site Scripting detection for Ruby on Rails.
|
37
|
-
* Add support for ERB for in detect\_views
|
38
|
-
* Add preliminary javascript support
|
39
|
-
* add support for pure Rack applications
|
40
|
-
* Cross Site Scripting detection: it must be done for all MVC frameworks
|
41
|
-
(including Rack) and it must cover either reflected than stored attack
|
42
|
-
patterns
|
43
88
|
* Add support for github hooks
|
44
|
-
* Add
|
89
|
+
* Add a new way to handle KB. Like wpscan, the KB must be separated and
|
90
|
+
deployed using dawnscanner.org web site and a --update flag, people can use
|
91
|
+
to upgrade and have new checks. Of course, new checks would be also rely on
|
92
|
+
newer APIs, so a require dawnscanner info must be given and user forced also
|
93
|
+
to upgrade the tool. KB download must be digitally signed and encrypted.
|
94
|
+
* Improving HTML output
|
95
|
+
|
96
|
+
### New Knowledge Base
|
97
|
+
|
98
|
+
* Issue #147 : In the KB revamp, a task to automate security issues search
|
99
|
+
either in CVE archive than OSVDB or Ruby related mailing lists, it must be
|
100
|
+
created.
|
101
|
+
|
102
|
+
### Issues
|
103
|
+
|
104
|
+
* Issue #148 - Adding a check for CVE-2011-4969: XSS in jquery < 1.6.2
|
45
105
|
|
46
|
-
|
106
|
+
### Deprecates
|
47
107
|
|
48
|
-
*
|
49
|
-
* SQL Injection detection: it must be done for all MVC frameworks (including Rack)
|
50
|
-
* Add automatic mitigation patch generation
|
51
|
-
* Add support for Javascript
|
108
|
+
* BasicCheck.priority
|
52
109
|
|
53
|
-
|
110
|
+
### Other
|
54
111
|
|
55
|
-
*
|
112
|
+
* clean rake kb:lint output
|
113
|
+
* clean rspec 'passing' tests
|
56
114
|
|
57
|
-
|
115
|
+
## Version 2.5.0 (est. December 2016)
|
58
116
|
|
59
|
-
|
60
|
-
|
61
|
-
|
117
|
+
* Add automatic mitigation patch generation for Ruby
|
118
|
+
* Add node.js support
|
119
|
+
* Add Opal support
|
62
120
|
|
63
|
-
|
64
|
-
Dawnscanner can be wrote also to support them:
|
121
|
+
## Long term Roadmap
|
65
122
|
|
66
|
-
|
67
|
-
|
68
|
-
language.
|
123
|
+
This section is the long term part of dawnscanner roadmap. It anticipates
|
124
|
+
features they will come from version 3 or later.
|
69
125
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
|
126
|
+
* Some dynamic test
|
127
|
+
* Add WordPress themes/plugin support
|
128
|
+
* Add Ember support
|
129
|
+
* Add Joomla support
|
130
|
+
* Add Go support
|
131
|
+
* Add general PHP support
|
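--- a/data/VERSION
+++ b/data/VERSION
@@ -4,13 +4,13 @@
 #
 # Future releases
 #
-# | Character | Release
-#
-# | "Tow Mater" | 1.4.0
-# | "Finn McMissile"|
-# | "Fillmore" |
-# |"Holly Shiftwell"|
-# | "Guido" |
-# | "Luigi" |
-# | "Doc Hudson" |
-1.
+# | Character | Release |
+# |-----------------|---------|
+# | "Tow Mater" | 1.4.0 |
+# | "Finn McMissile"| x.x.0 |
+# | "Fillmore" | x.x.0 |
+# |"Holly Shiftwell"| x.x.0 |
+# | "Guido" | x.x.0 |
+# | "Luigi" | x.x.0 |
+# | "Doc Hudson" | x.x.0 |
+1.5.0 - Tow Mater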
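--- a/data/bin/dawn
+++ b/data/bin/dawn
@@ -1,35 +1,46 @@
 #!/usr/bin/env ruby
 
+require 'bundler'
 require 'getoptlong'
 require 'json'
 require 'terminal-table'
-
 require 'justify'
 
-# require 'codesake-commons'
 require 'dawnscanner'
 
 APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT = %w(console json csv html)
 
-#
+# Datamapper stuff
+DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
+DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
+DataMapper.finalize
+DataMapper.auto_upgrade!
+
 require 'logger'
 $logger = Logger.new(STDOUT)
 $logger.datetime_format = '%Y-%m-%d %H:%M:%S'
 
 opts = GetoptLong.new(
 # report formatting options
-
+
+[ '--ascii-tabular-report', '-a', GetoptLong::NO_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
+[ '--tabular', '-T', GetoptLong::NO_ARGUMENT],
 [ '--json', '-j', GetoptLong::NO_ARGUMENT],
 [ '--html', '-H', GetoptLong::NO_ARGUMENT],
+[ '--console', '-K', GetoptLong::NO_ARGUMENT],
 
 # MVC forcing
+# Deprecated in 1.5.x
+# To be removed in 2.0.0
 [ '--rails', '-r', GetoptLong::NO_ARGUMENT],
 [ '--sinatra', '-s', GetoptLong::NO_ARGUMENT],
 [ '--padrino', '-p', GetoptLong::NO_ARGUMENT],
 
-[ '--gem-lock', '-G', GetoptLong::REQUIRED_ARGUMENT],
+[ '--gem-lock', '-G', GetoptLong::REQUIRED_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
+[ '--dependencies', '-d', GetoptLong::REQUIRED_ARGUMENT],
+
 [ '--count-only', '-C', GetoptLong::NO_ARGUMENT],
 [ '--exit-on-warn', '-z', GetoptLong::NO_ARGUMENT],
 
@@ -46,6 +57,7 @@ opts = GetoptLong.new(
 [ '--list-knowledge-base', GetoptLong::NO_ARGUMENT],
 [ '--list-known-framework', GetoptLong::NO_ARGUMENT],
 [ '--list-known-families', GetoptLong::NO_ARGUMENT],
+[ '--list-scan-registry', GetoptLong::NO_ARGUMENT],
 # please save output to file
 [ '--file', '-F', GetoptLong::REQUIRED_ARGUMENT],
 # specify an alternate config file
@@ -66,6 +78,11 @@ options = Dawn::Core.read_conf(Dawn::Core.find_conf(true))
 check = ""
 guess = {:name=>"", :version=>"", :connected_gems=>[]}
 
+###############################################################################
+# CLI argument start.
+#
+# Refactoring is necessary here
+###############################################################################
 begin
 opts.each do |opt, val|
 case opt
@@ -99,7 +116,12 @@ opts.each do |opt, val|
 Kernel.exit(0)
 when '--json'
 options[:output] = "json"
+when '--console'
+options[:output] = "console"
+when '--tabular'
+options[:output] = "tabular"
 when '--ascii-tabular-report'
+$logger.warn "--ascii-tabular-report' it has been deprecated. It will be removed in version 2.0.0. Please use '--tabular' instead"
 options[:output] = "tabular"
 when '--html'
 options[:output] = "html"
@@ -112,11 +134,19 @@ opts.each do |opt, val|
 when '--file'
 options[:filename] = val
 when '--gem-lock'
+options[:gemfile_scan] = true
+$logger.warn "--gem-lock flag it has been deprecated. It will be removed in version 2.0.0. Please use '--dependencies' instead"
+unless val.empty?
+options[:gemfile_name] = val
+guess = Dawn::Core.guess_mvc(val)
+end
+when '--dependencies'
 options[:gemfile_scan] = true
 unless val.empty?
 options[:gemfile_name] = val
 guess = Dawn::Core.guess_mvc(val)
 end
+
 when '--verbose'
 options[:verbose]=true
 when '--count-only'
@@ -131,9 +161,13 @@ opts.each do |opt, val|
 puts "#{val} found in knowledgebase." if found
 puts "#{val} not found in knowledgebase" if ! found
 Kernel.exit(0)
+when '--list-scan-registry'
+puts "#{APPNAME} scan registry\n\n"
+Dawn::Registry.dump
+Kernel.exit(0)
 
 when '--list-knowledge-base'
-
+Dawn::KnowledgeBase.dump(options[:verbose])
 Kernel.exit(0)
 when '--list-known-framework'
 puts "Ruby MVC framework supported by #{APPNAME}:"
@@ -146,24 +180,40 @@ opts.each do |opt, val|
 end
 end
 rescue GetoptLong::InvalidOption => e
-
 $logger.helo APPNAME, Dawn::VERSION
 $logger.error e.message
 Kernel.exit(Dawn::Core.help)
 end
+###############################################################################
+# CLI argument stop
+###############################################################################
 
 target=ARGV.shift
 
 $logger.helo APPNAME, Dawn::VERSION
-
+r = Dawn::Registry.new
+
+unless Dir.exist?(Dawn::Core.registry_db_folder)
+FileUtils.mkdir_p(Dawn::Core.registry_db_folder)
+$logger.info "#{Dawn::Core.registry_db_folder} created" if Dir.exist?(Dawn::Core.registry_db_folder)
+end
+
+trap("INT") { $logger.die('[INTERRUPTED]') }
 $logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
 $logger.die("invalid directory (#{target})") if options[:gemfile_name].empty? &&! Dawn::Core.is_good_target?(target)
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
 $logger.debug("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
+# MVC flag deprecation warnings
+$logger.warn("the --rails is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :rails
+$logger.warn("the --sinatra is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :sinatra
+$logger.warn("the --padrino is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :padrino
+
 
 ## MVC auto detect.
-
+
+# Skipping MVC autodetect if it's already been done by guess_mvc when choosing
+# Gemfile.lock scan
 
 unless options[:gemfile_scan]
 begin
@@ -176,17 +226,25 @@ unless options[:gemfile_scan]
 engine = Dawn::Padrino.new(target) if options[:mvc] == :padrino
 end
 rescue ArgumentError => e
+r.do_save({:target=>File.basename(target), :scan_started=>DateTime.now, :scan_duration => 0, :issues_found=> -1, :output_dir=> "", :message=>e.message, :scan_status=>:failed})
 $logger.die(e.message)
 end
 else
 engine = Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
 end
 
-
+
+if engine.nil?
+$logger.error("MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues")
+r.do_save({:target=>File.basename(target), :message=>"MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues", :scan_status=>:failed})
+$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags")
+end
+## end MVC auto detect.
 
 if options[:exit_on_warn]
 Kernel.at_exit do
 if engine.count_vulnerabilities != 0
+r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
 Kernel.exit(engine.count_vulnerabilities)
 end
 end
@@ -197,18 +255,41 @@ if options[:debug]
 engine.debug = true
 end
 
-$logger.die "missing target framework option" if engine.nil?
 $logger.warn "this is a development Dawn version" if Dawn::RELEASE == "(development)"
-
+
+if engine.nil?
+r.do_save({:target=>File.basename(target), :message=>"missing target framework option", :scan_status=>:failed})
+$logger.die "missing target framework option"
+end
+
+if ! options[:gemfile_scan] && ! engine.can_apply?
+r.do_save({:target=>File.basename(target), :message=>"nothing to do on #{target}", :scan_status=>:failed})
+$logger.die "nothing to do on #{target}"
+end
 
 engine.load_knowledge_base(options[:enabled_checks])
 ret = engine.apply_all
 
-if options[:output] == "count"
-puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
-puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+if options[:output] == "count"
+STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
+STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
+
+r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
+$logger.bye
 Kernel.exit(0)
 end
 
 Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
+if (r.do_save({:target=>File.basename(engine.target),
+:scan_started=>engine.scan_start,
+:scan_duration => engine.scan_time.round(3),
+:issues_found=>engine.vulnerabilities.count,
+:output_dir=>engine.output_dir_name,
+:scan_status=>:completed}))
+$logger.info "#{Dawn::Core.registry_db_name} updated with scan infos"
+else
+r.errors.each do |error|
+$logger.error error
+end
+end
 $logger.bye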
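Review bot: `DataMapper.setup` through `DataMapper.auto_upgrade!` run at the top of the script (new lines 16–19, first hunk) before the `unless Dir.exist?(Dawn::Core.registry_db_folder) ... FileUtils.mkdir_p(...)` block that is only reached after option parsing (hunk at new lines 196–199), so on a first run the sqlite registry file is presumably opened under a folder that does not exist yet; the directory check should precede `DataMapper.setup`, or the DataMapper block should move below it. Neither `fileutils` nor `date` is required among the visible `require` lines, yet the new code calls `FileUtils.mkdir_p` and `DateTime.now`, so `require 'fileutils'` and `require 'date'` belong next to the other requires unless `dawnscanner` is known to load them. In the count-only branch the trailing `... .to_json if options[:output] == "json"` can never fire because the enclosing `if options[:output] == "count"` already excludes it, leaving the JSON form dead. With `--exit-on-warn` set the scan is also recorded twice, once by the `r.do_save` in the `Kernel.at_exit` hook and again by the one after `Dawn::Reporter`, and only that last call checks the return value and logs `r.errors`.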