dawnscanner 1.4.2 → 1.5.0

data/README.md

@@ -1,11 +1,11 @@
-# Dawn - The raising security scanner for ruby web applications
+# Dawnscanner - The raising security scanner for ruby web applications
 
-Dawn is a source code scanner designed to review your ruby code for security
+dawnscanner is a source code scanner designed to review your ruby code for security
 issues.
 
-Dawn is able to scan plain ruby scripts (e.g. command line applications) but
+dawnscanner is able to scan plain ruby scripts (e.g. command line applications) but
 all its features are unleashed when dealing with web applications source code.
-Dawn is able to scan major MVC (Model View Controller) frameworks, out of the
+dawnscanner is able to scan major MVC (Model View Controller) frameworks, out of the
 box:
 
 * [Ruby on Rails](http://rubyonrails.org)
@@ -23,13 +23,13 @@ box:
 
 ---
 
-Dawn version 1.4.2 has 201 security checks loaded in its knowledge
+dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge
 base. Most of them are CVE bulletins applying to gems or the ruby interpreter
 itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
 
 ## An overall introduction
 
-When you run Dawn on your code it parses your project Gemfile.lock
+When you run dawnscanner on your code it parses your project Gemfile.lock
 looking for the gems used and it tries to detect the ruby interpreter version
 you are using or you declared in your ruby version management tool you like
 most (RVM, rbenv, ...).
@@ -38,12 +38,12 @@ Then the tool tries to detect the MVC framework your web application uses and
 it applies the security check accordingly. There checks designed to match rails
 application or checks that are appliable to any ruby code.
 
-Dawn can also understand the code in your views and to backtrack
+dawnscanner can also understand the code in your views and to backtrack
 sinks to spot cross site scripting and sql injections introduced by the code
 you actually wrote. In the project roadmap this is the code most of the future
 development effort will be focused on.
 
-Dawn security scan result is a list of vulnerabilities with some
+dawnscanner security scan result is a list of vulnerabilities with some
 mitigation actions you want to follow in order to build a stronger web
 application.
 
@@ -57,7 +57,7 @@ public signing certificate as trusted to your gem specific keyring.
 $ gem cert --add <(curl -Ls https://raw.githubusercontent.com/thesp0nge/dawnscanner/master/certs/paolo_at_dawnscanner_dot_org.pem)
 ```
 
-You can install latest Dawn version, fetching it from
+You can install latest dawnscanner version, fetching it from
 [Rubygems](https://rubygems.org) by typing:
 
 ```
@@ -66,7 +66,7 @@ $ gem install dawnscanner -P MediumSecurity
 
 The MediumSecurity trust profile will verify signed gems, but allow the
 installation of unsigned dependencies. This is necessary because not all of
-Dawn’s dependencies are signed, so we cannot use HighSecurity.
+dawnscanner’s dependencies are signed, so we cannot use HighSecurity.
 
 In order to install a release candidate version, the gem install command line
 is the following:
@@ -99,10 +99,10 @@ that.
 
 ## Usage
 
-You can start your code review with Dawn very easily. Simply tell the tool
+You can start your code review with dawnscanner very easily. Simply tell the tool
 where the project root directory.
 
-Underlying MVC framework is autodetected by Dawn using target Gemfile.lock
+Underlying MVC framework is autodetected by dawnscanner using target Gemfile.lock
 file. If autodetect fails for some reason, the tool will complain about it and
 you have to specify if it's a rails, sinatra or padrino web application by
 hand.
@@ -147,7 +147,7 @@ Disable security check family
        --disable-owasp-ror-cheatsheet   disable all Owasp Ruby on Rails cheatsheet checks
        --disable-owasp-top-10           disable all Owasp Top 10 checks
 
-Flags useful to query Dawn
+Flags useful to query dawnscanner
 
        -S, --search-knowledge-base [check_name]   search check_name in the knowledge base
            --list-knowledge-base                  list knowledge-base content
@@ -164,7 +164,7 @@ Service flags
 
 ### Rake task
 
-To include Dawn in your rake task list, you simply have to put this line in
+To include dawnscanner in your rake task list, you simply have to put this line in
 your ```Rakefile```
 
 ```
@@ -203,15 +203,15 @@ $ dawn -S this_test_does_not_exist
 this_test_does_not_exist not found in knowledgebase
 ```
 
-### Dawn security scan in action
+### dawnscanner security scan in action
 
-As output, Dawn will put all security checks that are failed during the scan.
+As output, dawnscanner will put all security checks that are failed during the scan.
 
-This the result of Codedake::Dawn running against a
+This the result of Codedake::dawnscanner running against a
 [Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
 delivered in 2013 at [Railsberry conference](http://www.railsberry.com).
 
-As you may see, Dawn first detects MVC running the application by
+As you may see, dawnscanner first detects MVC running the application by
 looking at Gemfile.lock, than it discards all security checks not appliable to
 Sinatra (49 security checks, in version 1.0, especially designed for Ruby on
 Rails) and it applies them.
@@ -236,11 +236,11 @@ $ dawn ~/src/hacking/railsberry2013
 
 ---
 
-When you run Dawn on a web application with up to date dependencies,
+When you run dawnscanner on a web application with up to date dependencies,
 it's likely to return a friendly _no vulnerabilities found_ message. Keep it up
 working that way!
 
-This is Dawn running against a Padrino web application I wrote for [a
+This is dawnscanner running against a Padrino web application I wrote for [a
 scorecard quiz game about application security](http://scorecard.armoredcode.com).
 Italian language only. Sorry.
 
@@ -254,7 +254,7 @@ Italian language only. Sorry.
 18:42:39 [*] dawn is leaving
 ```
 
-If you need a fancy HTML report about your scan, just ask it to Dawn
+If you need a fancy HTML report about your scan, just ask it to dawnscanner
 with the ```--html``` flag used with the ```--file``` since I wanto to save the
 HTML to disk.
 
@@ -285,7 +285,7 @@ Feedbacks are great and we really love to hear your voice.
 If you're a proud dawnscanner user, if you find it useful, if you integrated
 it in your release process and if you want to openly support the project you
 can put your reference here. Just open an
-[issue](https://github.com/thesp0nge/dawn/issues/new) with a statement saying
+[issue](https://github.com/thesp0nge/dawnscanner/issues/new) with a statement saying
 how do you feel the tool and your company logo if any.
 
 More easily you can drop an email to
@@ -304,9 +304,9 @@ Thank you.
 
 [Matteo](https://github.com/matteocollina): for ideas on API and their usage with [github.com](https://github.com) hooks
 
-## Contribute to Dawn
+## Contribute to dawnscannerscanner
 
-Are you interested in contributing to Dawn project? Great, here is
+Are you interested in contributing to dawnscanner project? Great, here is
 some very basic rules in order to make rocking pull requests.
 
 First of all, I use the branching model described in [this
@@ -328,7 +328,7 @@ In this case, the branch name must be something like _issue\_#xx\_description_
 
 ## LICENSE
 
-Copyright (c) 2013, 2014, 2015 Paolo Perego
+Copyright (c) 2013-2015 Paolo Perego <paolo@dawnscanner.org>
 
 MIT License
 

data/Rakefile

@@ -111,7 +111,14 @@ task :cve, :name do |t,args|
     file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
     file.puts "\t\t# @check.debug = true"
     file.puts "\tend"
-    file.puts "\tit \"is reported when...\""
+    file.puts "\tit \"is reported when the vulnerable gem is detected\" do"
+    file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+    file.puts "\t\t@check.vuln?.should   == true"
+    file.puts "\tend"
+    file.puts "\tit \"is not reported when a fixed release is detected\" do"
+    file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+    file.puts "\t\t@check.vuln?.should   == false"
+    file.puts "\tend"
     file.puts "end"
   end
   puts "#{spec_filename} created"
@@ -173,7 +180,14 @@ task :osvdb, :name do |t,args|
     file.puts "\t\t@check = Dawn::Kb::#{class_name}.new"
     file.puts "\t\t# @check.debug = true"
     file.puts "\tend"
-    file.puts "\tit \"is reported when...\""
+    file.puts "\tit \"is reported when the vulnerable gem is detected\" do"
+    file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+    file.puts "\t\t@check.vuln?.should   == true"
+    file.puts "\tend"
+    file.puts "\tit \"is not reported when a fixed release is detected\" do"
+    file.puts "\t\t@check.dependencies = [{:name=>\"\", :version=>\"\"}]"
+    file.puts "\t\t@check.vuln?.should   == false"
+    file.puts "\tend"
     file.puts "end"
   end
   puts "#{spec_filename} created"
@@ -266,13 +280,13 @@ namespace :kb do
   task :create do
     checks = Dawn::KnowledgeBase.new.all
     open("KnowledgeBase.md", "w") do |file|
-      file.puts "# Dawn Knowledge base"
-      file.puts "\nThe knowledge base library for Dawn version #{Dawn::VERSION} contains #{checks.count} security checks."
+      file.puts "# Dawnscanner Knowledge base"
+      file.puts "\nThe knowledge base library for dawnscanner version #{Dawn::VERSION} contains #{checks.count} security checks."
       file.puts "---"
       checks.each do |c|
         file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
         file.puts "* [#{c.name}](#{c.osvdb_link}): #{c.message}" if c.name.start_with?('OSVDB')
-        file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+        file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE') && c.name.start_with?('OSVDB')
       end
 
       file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"

data/Roadmap.md

@@ -7,67 +7,125 @@ frameworks.
 
 This is an ongoing roadmap for the Dawnscanner source code review tool.
 
-_latest update: Tue Feb 24 08:02:56 CET 2015_
+The document is _dynamic_ and feature schedule may vary. If you do need a
+feature to be included sooner, please open an [issue on
+github](https://github.com/thesp0nge/dawnscanner/issues/new)
+
+_latest update: Thu Dec  3 18:29:11 CET 2015_
+
+
+## Version 1.5.5 (est. Jan 2016)
+
+* close all issues on github markedsfor milestone 1.5.5
+* Issue #131 - Adding a check for OSVDB 119927 : http Gem for Ruby SSL Certificate Validation MitM Spoofing
+* Issue #119 - Adding a check for OSVDB 114641 : Ruby lib/rexml/entity.rb NULL String Handling Recursive XML External Entity (XXE) Expansion Resource Consumption Remote DoS
+* Issue #118 - Adding a check for OSVDB 113965 : Sprockets Gem for Ruby Unspecified Request Handling File Enumeration
+* Issue #117 - Adding a check for OSVDB 113986 : Ruby on Rails Action Pack Gem Unspecified Request Handling File Enumeration
+* Issue #116 - Adding a check for OSVDB 113747 : Ruby lib/rexml/entity.rb XML External Entity (XXE) Expansion Remote DoS
+* Issue #115 - Adding a check for OSVDB 112346 : Web Console Gem for Ruby on Rails Unspecified Issue
+* Issue #114 - Adding a check for OSVDB 112347 : Ruby on Rails Active Job Global ID String Argument Deserialization Unspecified Object Injection
+* Issue #113 - Adding a check for OSVDB 112683 : as Gem for Ruby Process List Local Plaintext Credentials Disclosure
+* Issue #112 - Adding a check for OSVDB 115891 : Active Resource (ARes) Gem for Ruby lib/active_resource/base.rb Thread Object Instantiation Unspecified Issue
+* Issue #111 - Adding a check for OSVDB 110796 : FlavourSaver Gem for Ruby Kernel::send Method Template Helper Calling Remote Code Execution
+* Issue #110 - Adding a check for OSVDB 108971 : Ruby pack.c encodes() Function Remote Stack Buffer Overflow
+* Issue #109 - Adding a check for OSVDB 110439 : Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution
+* Issue #108 - Adding a check for OSVDB 110147 : Active Record Gem for Ruby create_with Method Strong Parameter Protection Bypass
+* Issue #107 - Adding a check for OSVDB 110004 : Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing
+* Issue #106 - Adding a check for OSVDB 108899 : brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
+* Issue #105 - Adding a check for OSVDB 108901 : brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
+* Issue #104 - Adding a check for OSVDB 108900 : brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution
+* Issue #103 - Ruby pack.c encodes() Function Remote Stack Buffer Overflow
+* Issue #96 - Sinatra apps without views: NoMethodError
+* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
+
+
+## Version 2.0.0 (est. June 2016)
+
+### New supported frameworks
+
+* Add Lotus support
+* Add Maven support (this will lead of creating the skeleton of a
+  dawnscanner-java gem. I will decide later if it will stay with the core or if
+  it will be a separted gem plugging into dawnscanner as plugin).
+* Add support for pure Rack applications
+* Add basic support for Javascript. At the beginning, it will be a signature
+  based support. dawnscanner will try to detect the js library version by using
+  SHA hashing functions, comparing it with fingerprint of vulnerable libraies.
+  Of course, this will lead to false negatives if a user tamper the original
+  JS. We must consider also minified versions and we're not able to deal with
+  obfuscated code.
 
-## Version 1.5.0
+### New checks
 
-* clear Codesake:Commons dependency mess. This will dramatically simplify
-  dawnscanner installation
+* Add a language check. It will handle a ruby script as input and a
+  ruby\_parser line as unsafe pattern. It will compile the ruby and look for
+  the unsafe pattern
+* Cross Site Scripting, SQL injection and CSRF detection: it must be done for
+  all MVC frameworks (including Rack) and it must cover either reflected than
+  stored attack patterns
+* Owasp RoR cheatsheet check for backup files **MUST** be integrated in
+  dawnscanner the proper way. This is a dynamic tests that it must be run in a
+  static way, looking for the public directory for old and backup files
+  pattern.
+* Security checks for vulnerabilities out until 31 May 2016.
+
+### New features
+
+* Separate dependencies check from model, view and controller analysis.
+* Add a '--ab-decision' flag. Can be a good idea to make dawnscanner able just
+  to say a quick "go/no go" for a release with a small json output like
+  {decision:"GO", vulns: 12, mean\_cvss: 3.2} or {decision:"NO GO", vulns: 9,
+  mean\_cvss:9.2}
 * Add a --github option to Dawnscanner to clone a remote repository, perform
   a bundle install and do a code review.
-* create a task to check for new CVE in NVD website
 * SQLite3 integration for saving data. Each project will have its own SQLite
-  database containing reviews, findings and all. A table with Dawnscanner version it
-  created the database will be inserted as well
-* add a language check. It will handle a ruby script as input and a
-  ruby\_parser line as unsafe pattern. It will compile the ruby and look for
-  the unsafe pattern
-* Issue #7: Improving HTML output and let the user the capability to provide a
-  basic layout to customize report
-* adding test for CVE-2011-4969  XSS in jquery < 1.6.2
-* add source code metrics gathering (lines of code, lines of comments,
+  database containing reviews, findings and all. A table with Dawnscanner
+  version it created the database will be inserted as well
+* Add source code metrics gathering (lines of code, lines of comments,
   cyclomatic complexity index, ...)
-
-
-## Version 1.6.0
-
 * Add a ruby deprecation check, accordingly to
   https://bugs.ruby-lang.org/projects/ruby/wiki/ReleaseEngineering
-* Add preliminary Cross Site Scripting detection for Ruby on Rails.
-* Add support for ERB for in detect\_views
-* Add preliminary javascript support
-* add support for pure Rack applications
-* Cross Site Scripting detection: it must be done for all MVC frameworks
-  (including Rack) and it must cover either reflected than stored attack
-  patterns
 * Add support for github hooks
-* Add premilinary SQL injection detection for Ruby on Rails
+* Add a new way to handle KB. Like wpscan, the KB must be separated and
+  deployed using dawnscanner.org web site and a --update flag, people can use
+  to upgrade and have new checks. Of course, new checks would be also rely on
+  newer APIs, so a require dawnscanner info must be given and user forced also
+  to upgrade the tool. KB download must be digitally signed and encrypted.
+* Improving HTML output
+
+### New Knowledge Base
+
+* Issue #147 : In the KB revamp, a task to automate security issues search
+  either in CVE archive than OSVDB or Ruby related mailing lists, it must be
+  created.
+
+### Issues
+
+* Issue #148 - Adding a check for CVE-2011-4969:  XSS in jquery < 1.6.2
 
-## Version 1.7.0
+### Deprecates
 
-* Add insecure direct object reference detection for all MVC frameworks (including Rack)
-* SQL Injection detection: it must be done for all MVC frameworks (including Rack)
-* Add automatic mitigation patch generation
-* Add support for Javascript
+* BasicCheck.priority
 
-## Version 1.8.0
+### Other
 
-* Add automatic mitigation patch generation
+* clean rake kb:lint output
+* clean rspec 'passing' tests
 
-# Spinoff projects
+## Version 2.5.0 (est. December 2016)
 
-Dawnscanner is a security scanner for ruby code. Modern web applications
-however are wrote in a plenty of great technologies deserving a good tool for
-security scan.
+* Add automatic mitigation patch generation for Ruby
+* Add node.js support
+* Add Opal support
 
-Node.js and Go are very promising programming languages and a tool similiar to
-Dawnscanner can be wrote also to support them:
+## Long term Roadmap
 
-Initially they were in the Dawnscanner roadmap for a 2.0.0 version. However
-we decide to drop this in the name of being focused on ruby programming
-language.
+This section is the long term part of dawnscanner roadmap. It anticipates
+features they will come from version 3 or later.
 
-PHP has a good open source code scanners ecosystem, instead JAVA has not.
-Players started open and eventually they turned in big commercial bloatware
-GUIs that are useless from the security specialist perspective. A simple
-bytecode analyzer, with some checks, can be a possible spinoff project.
+* Some dynamic test
+* Add WordPress themes/plugin support
+* Add Ember support
+* Add Joomla support
+* Add Go support
+* Add general PHP support

data/VERSION

@@ -4,13 +4,13 @@
 #
 # Future releases
 #
-# | Character       | Release  |
-# |-----------------|----------|
-# |  "Tow Mater"    |  1.4.0   |
-# | "Finn McMissile"|  1.6.0   |
-# |  "Fillmore"     |  1.8.0   |
-# |"Holly Shiftwell"|  1.10.0  |
-# |   "Guido"       |  1.12.0  |
-# |   "Luigi"       |  1.14.0  |
-# | "Doc Hudson"    |  1.16.0  |
-1.4.2 - Tow Mater
+# | Character       | Release |
+# |-----------------|---------|
+# |  "Tow Mater"    |  1.4.0  |
+# | "Finn McMissile"|  x.x.0  |
+# |  "Fillmore"     |  x.x.0  |
+# |"Holly Shiftwell"|  x.x.0  |
+# |   "Guido"       |  x.x.0  |
+# |   "Luigi"       |  x.x.0  |
+# | "Doc Hudson"    |  x.x.0  |
+1.5.0 - Tow Mater

data/bin/dawn

@@ -1,35 +1,46 @@
 #!/usr/bin/env ruby
 
+require 'bundler'
 require 'getoptlong'
 require 'json'
 require 'terminal-table'
-
 require 'justify'
 
-# require 'codesake-commons'
 require 'dawnscanner'
 
 APPNAME = File.basename($0)
 LIST_KNOWN_FRAMEWORK  = %w(rails sinatra padrino)
 VALID_OUTPUT_FORMAT   = %w(console json csv html)
 
-# $logger  = Codesake::Commons::Logging.instance
+# Datamapper stuff
+DataMapper.setup(:default, "sqlite3://#{Dawn::Core.registry_db_name}")
+DataMapper::Logger.new(Dawn::Core.sql_log_name, :debug)
+DataMapper.finalize
+DataMapper.auto_upgrade!
+
 require 'logger'
 $logger = Logger.new(STDOUT)
 $logger.datetime_format = '%Y-%m-%d %H:%M:%S'
 
 opts    = GetoptLong.new(
   # report formatting options
-  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT],
+
+  [ '--ascii-tabular-report',   '-a',   GetoptLong::NO_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
+  [ '--tabular',                '-T',   GetoptLong::NO_ARGUMENT],
   [ '--json',                   '-j',   GetoptLong::NO_ARGUMENT],
   [ '--html',                   '-H',   GetoptLong::NO_ARGUMENT],
+  [ '--console',                '-K',   GetoptLong::NO_ARGUMENT],
 
   # MVC forcing
+  # Deprecated in 1.5.x
+  # To be removed in 2.0.0
   [ '--rails',                  '-r',   GetoptLong::NO_ARGUMENT],
   [ '--sinatra',                '-s',   GetoptLong::NO_ARGUMENT],
   [ '--padrino',                '-p',   GetoptLong::NO_ARGUMENT],
 
-  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT],
+  [ '--gem-lock',               '-G',   GetoptLong::REQUIRED_ARGUMENT], # Deprecated in 1.5.x - To be removed in 2.0.0
+  [ '--dependencies',           '-d',   GetoptLong::REQUIRED_ARGUMENT],
+
   [ '--count-only',             '-C',   GetoptLong::NO_ARGUMENT],
   [ '--exit-on-warn',           '-z',   GetoptLong::NO_ARGUMENT],
 
@@ -46,6 +57,7 @@ opts    = GetoptLong.new(
   [ '--list-knowledge-base',            GetoptLong::NO_ARGUMENT],
   [ '--list-known-framework',           GetoptLong::NO_ARGUMENT],
   [ '--list-known-families',            GetoptLong::NO_ARGUMENT],
+  [ '--list-scan-registry',             GetoptLong::NO_ARGUMENT],
   # please save output to file
   [ '--file',                   '-F',   GetoptLong::REQUIRED_ARGUMENT],
   # specify an alternate config file
@@ -66,6 +78,11 @@ options = Dawn::Core.read_conf(Dawn::Core.find_conf(true))
 check = ""
 guess = {:name=>"", :version=>"", :connected_gems=>[]}
 
+###############################################################################
+# CLI argument start.
+#
+# Refactoring is necessary here
+###############################################################################
 begin
 opts.each do |opt, val|
   case opt
@@ -99,7 +116,12 @@ opts.each do |opt, val|
     Kernel.exit(0)
   when '--json'
     options[:output] = "json"
+  when '--console'
+    options[:output] = "console"
+  when '--tabular'
+    options[:output] = "tabular"
   when '--ascii-tabular-report'
+    $logger.warn "--ascii-tabular-report' it has been deprecated. It will be removed in version 2.0.0. Please use '--tabular' instead"
     options[:output] = "tabular"
   when '--html'
     options[:output] = "html"
@@ -112,11 +134,19 @@ opts.each do |opt, val|
   when '--file'
     options[:filename] = val
   when '--gem-lock'
+    options[:gemfile_scan] = true
+    $logger.warn "--gem-lock flag it has been deprecated. It will be removed in version 2.0.0. Please use '--dependencies' instead"
+    unless val.empty?
+      options[:gemfile_name] = val
+      guess = Dawn::Core.guess_mvc(val)
+    end
+  when '--dependencies'
     options[:gemfile_scan] = true
     unless val.empty?
       options[:gemfile_name] = val
       guess = Dawn::Core.guess_mvc(val)
     end
+
   when '--verbose'
     options[:verbose]=true
   when '--count-only'
@@ -131,9 +161,13 @@ opts.each do |opt, val|
     puts "#{val} found in knowledgebase." if found
     puts "#{val} not found in knowledgebase" if ! found
     Kernel.exit(0)
+  when '--list-scan-registry'
+    puts "#{APPNAME} scan registry\n\n"
+    Dawn::Registry.dump
+    Kernel.exit(0)
 
   when '--list-knowledge-base'
-    puts Dawn::Core.dump_knowledge_base(options[:verbose])
+    Dawn::KnowledgeBase.dump(options[:verbose])
     Kernel.exit(0)
   when '--list-known-framework'
     puts "Ruby MVC framework supported by #{APPNAME}:"
@@ -146,24 +180,40 @@ opts.each do |opt, val|
   end
 end
 rescue GetoptLong::InvalidOption => e
-
   $logger.helo APPNAME, Dawn::VERSION
   $logger.error e.message
   Kernel.exit(Dawn::Core.help)
 end
+###############################################################################
+# CLI argument stop
+###############################################################################
 
 target=ARGV.shift
 
 $logger.helo APPNAME, Dawn::VERSION
-trap("INT")   { $logger.die('[INTERRUPTED]') }
+r = Dawn::Registry.new
+
+unless Dir.exist?(Dawn::Core.registry_db_folder)
+  FileUtils.mkdir_p(Dawn::Core.registry_db_folder)
+  $logger.info "#{Dawn::Core.registry_db_folder} created" if Dir.exist?(Dawn::Core.registry_db_folder)
+end
+
+trap("INT") { $logger.die('[INTERRUPTED]') }
 $logger.die("missing target") if target.nil? && options[:gemfile_name].empty?
 $logger.die("invalid directory (#{target})") if options[:gemfile_name].empty?  &&! Dawn::Core.is_good_target?(target)
 $logger.die("if scanning Gemfile.lock file you must not force target MVC using one from -r, -s or -p flag") if ! options[:mvc].empty? && options[:gemfile_scan]
 $logger.debug("security check enabled: #{options[:enabled_checks]}") if options[:debug]
 
+# MVC flag deprecation warnings
+$logger.warn("the --rails is deprecated and it will be removed in version 2.0.0")   if options[:mvc] == :rails
+$logger.warn("the --sinatra is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :sinatra
+$logger.warn("the --padrino is deprecated and it will be removed in version 2.0.0") if options[:mvc] == :padrino
+
 
 ## MVC auto detect.
-# Skipping MVC autodetect if it's already been done by guess_mvc when choosing Gemfile.lock scan
+
+# Skipping MVC autodetect if it's already been done by guess_mvc when choosing
+# Gemfile.lock scan
 
 unless options[:gemfile_scan]
   begin
@@ -176,17 +226,25 @@ unless options[:gemfile_scan]
       engine = Dawn::Padrino.new(target)    if options[:mvc] == :padrino
     end
   rescue ArgumentError => e
+    r.do_save({:target=>File.basename(target), :scan_started=>DateTime.now, :scan_duration => 0, :issues_found=> -1, :output_dir=> "", :message=>e.message, :scan_status=>:failed})
     $logger.die(e.message)
   end
 else
   engine = Dawn::GemfileLock.new(target, options[:gemfile_name], guess) # if options[:gemfile_scan]
 end
 
-$logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags") if engine.nil?
+
+if engine.nil?
+  $logger.error("MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues")
+  r.do_save({:target=>File.basename(target), :message=>"MVC detection failure. Please open an issue at https://github.com/thesp0nge/dawnscanner/issues", :scan_status=>:failed})
+  $logger.die("ruby framework auto detect failed. Please force if rails, sinatra or padrino with -r, -s or -p flags")
+end
+## end MVC auto detect.
 
 if options[:exit_on_warn]
   Kernel.at_exit do
     if engine.count_vulnerabilities != 0
+      r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
       Kernel.exit(engine.count_vulnerabilities)
     end
   end
@@ -197,18 +255,41 @@ if options[:debug]
   engine.debug = true
 end
 
-$logger.die "missing target framework option" if engine.nil?
 $logger.warn "this is a development Dawn version" if Dawn::RELEASE == "(development)"
-$logger.die "nothing to do on #{target}" if ! options[:gemfile_scan] && ! engine.can_apply? 
+
+if engine.nil?
+  r.do_save({:target=>File.basename(target), :message=>"missing target framework option", :scan_status=>:failed})
+  $logger.die "missing target framework option"
+end
+
+if ! options[:gemfile_scan] && ! engine.can_apply?
+  r.do_save({:target=>File.basename(target), :message=>"nothing to do on #{target}", :scan_status=>:failed})
+  $logger.die "nothing to do on #{target}"
+end
 
 engine.load_knowledge_base(options[:enabled_checks])
 ret = engine.apply_all
 
-if options[:output] == "count" 
-  puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
-  puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json
+if options[:output] == "count"
+  STDERR.puts (ret)? engine.vulnerabilities.count : "-1" unless options[:output] == "json"
+  STDERR.puts (ret)? {:status=>"OK", :vulnerabilities_count=>engine.count_vulnerabilities}.to_json : {:status=>"KO", :vulnerabilities_count=>-1}.to_json if options[:output] == "json"
+
+  r.do_save({:target=>engine.target, :scan_started=>engine.scan_start, :scan_duration => engine.scan_time.round(3), :issues_found=>engine.vulnerabilities.count, :output_dir=>engine.output_dir_name, :scan_status=>:completed})
+  $logger.bye
   Kernel.exit(0)
 end
 
 Dawn::Reporter.new({:engine=>engine, :apply_all_code=>ret, :format=>options[:output].to_sym, :filename=>options[:filename]}).report
+if (r.do_save({:target=>File.basename(engine.target),
+           :scan_started=>engine.scan_start,
+           :scan_duration => engine.scan_time.round(3),
+           :issues_found=>engine.vulnerabilities.count,
+           :output_dir=>engine.output_dir_name,
+           :scan_status=>:completed}))
+  $logger.info "#{Dawn::Core.registry_db_name} updated with scan infos"
+else
+  r.errors.each do |error|
+    $logger.error error
+  end
+end
 $logger.bye