dawnscanner 1.4.2 → 1.5.0

data/checksum/dawnscanner-1.4.2.gem.sha1

@@ -0,0 +1 @@
+3ac33d4e0894c508d68f56ca9e76d60881a6f7ab

data/dawnscanner.gemspec

@@ -12,6 +12,7 @@ Gem::Specification.new do |gem|
   gem.summary       = %q{Dawnscanner is a security source code scanner for ruby powered code. It is crafted with love to make your sinatra, padrino and ruby on rails web applications secure.}
   gem.homepage      = "http://dawnscanner.org"
   gem.files         = `git ls-files`.split($/)
+  gem.license       = "MIT"
   gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
@@ -23,17 +24,33 @@ Gem::Specification.new do |gem|
 
   gem.add_dependency 'cvss'
   gem.add_dependency 'haml'
-  gem.add_dependency 'parser'
-  gem.add_dependency 'ptools'
   gem.add_dependency 'ruby_parser'
   gem.add_dependency 'sys-uname'
-  gem.add_dependency 'grit'
   gem.add_dependency 'terminal-table'
   gem.add_dependency 'justify'
   gem.add_dependency 'logger-colors'
+  gem.add_dependency 'ptools'
+  gem.add_dependency 'sqlite3'
+  gem.add_dependency 'dm-sqlite-adapter'
+  gem.add_dependency 'data_mapper'
 
-  gem.add_development_dependency ('coveralls')
+  # Dependencies for code stats
+  gem.add_dependency 'code_metrics'
+  gem.add_dependency 'metric_fu-Saikuro'
+  gem.add_dependency 'flay'
+  gem.add_dependency 'churn'
+  gem.add_dependency 'flog'
+  gem.add_dependency 'reek'
+  gem.add_dependency 'cane'
 
+  # This gem is used to extract info from a git archives. This feature will be
+  # available in dawnscanner 2.0.0. Disabling the dependency right now.
+  # gem.add_dependency 'grit'
+
+  # Marked to be unused right now
+  # gem.add_dependency 'parser'
+
+  gem.add_development_dependency ('coveralls')
   gem.add_development_dependency 'rake'
   gem.add_development_dependency 'rspec'
   gem.add_development_dependency('tomdoc')

data/doc/dawn_1_5_announcement.md

@@ -0,0 +1,66 @@
+## Press announcement
+
+Today, the December 9th 2015, the fifth, and last, minor dawnscanner rubygem
+version it has been released.
+
+dawnscanner is a source code scanner designed to review your code for
+security issues.
+
+dawnscanner is able to scan your ruby standalone programs but its main usage
+is to deal with web applications. It supports applications written using majors
+MVC (Model View Controller) frameworks, like:
+
+* [Ruby on Rails](http://rubyonrails.org)
+* [Sinatra](http://www.sinatrarb.com)
+* [Padrino](http://www.padrinorb.com)
+
+dawnscanner version 1.5.0 has 209 security checks loaded in its knowledge
+base. Most of them are CVE bulletins applying to gems or the ruby interpreter
+itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
+
+Writing safe code it's important, but sometimes security issues are introduced
+by third party code your application relies on. As example, consider a SQL
+Injection vulnerability introduced by Ruby on Rails framework.
+
+Despite the effort you spend in sanitizing inputs, your web application
+inherits the vulnerability suffering as well. An attacker can easily exploit it
+and break into your database unless you upgrade the offended gem.
+
+There is a comprehensive set of command line flags you can read more by issuing
+```dawn --list-knowledge-base``` flag or by reading [project
+README](https://github.com/codesake/codesake-dawn/raw/master/README.md) file.
+
+The list of security checks included in version 1.5.0 can be found online at:
+[http://dawnscanner.org/knowledge-base.html](http://dawnscanner.org/knowledge-base.html).
+
+You can use [facilities provided by
+github](https://github.com/thesp0nge/dawnscanner/issues) to submit bug
+reports, product enhancements, new security checks you want to me to add in
+future releases and even success stories.
+
+Now it's time for you to install dawnscanner version 1.5.0 with the
+following command and start reviewing your code for security issues:
+
+```
+$ gem install -P MediumSecurity dawnscanner
+```
+
+You can find the announcement on the web here: [http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/](http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/)
+Enjoy it!
+Paolo - paolo@dawnscanner.org
+
+## Twitter announcement
+
+### version 1.5.0
+@dawnscanner version 1.5.0 is out. 209 security checks, SQLite3 integration, better reports and tons of bug fixes. Read the announcement here: http://dawnscanner.org/announce-codesake-dawn-v1-5-0-released.html/ #ruby #rails #sinatra #padrino #security #appsec #cyber
+
+## Linkedin announcement
+
+### version 1.5.0
+@dawnscanner version 1.5.0 is out. Read the announcement online. dawnscanner makes security code review fun for ruby developers, it scans 209 CVE and OSVDB bulletins and future release will be able to scan custom ruby code for XSS, SQL Injections and business logic flaws. It supports Sinatra, Padrino and Ruby on Rails MVC frameworks out of the box.
+
+$ gem install dawnscanner
+$ have fun
+
+## HN Link
+## Reddit

data/doc/new_knowledge_base_v1.0.md

@@ -0,0 +1,78 @@
+# The Knowledge Base
+
+For future releases, the dawnscanner knowledge base must be improved. Now, each
+new test is included in the whole binary gem, requiring the user to manually
+upgrade his bundle to reflect the support of newest vulnerabilities.
+
+This has some major drawbacks:
+
+* people must manually check if a new dawnscanner gem is available
+* upgrading a bundle, sometimes must not be possible due to dependencies
+* new vulnerabilities will require KB to be upgraded very quickly. People must
+  upgrade daily, as their anti virus tool, but dawnscanner core should not be
+  forced to go at the same speed.
+* upgrade must be automatic on tool startup, to avoid people being exposed to
+  vulnerabilities.
+
+For such a reason, security checks must be separated from the tool core. They
+must be a set of independent archives, deployed on the Internet in a digitally
+encrypted and signed format.
+
+They must have an information about dawnscanner API version it has been able to
+consume it. In example, we can introduce a new option in DepedencyCheck in
+dawnscanner version 1.10. Each check will contain a required version, so to be
+excluded when old dawnscanner would try consuming those archives.
+
+## Format
+
+Now, security checks are standard ruby classes. This could have an impact in
+terms of memory utilization. At the time, no benchmarks are available.
+An option can be, translating check's initialize methods in YAML format,
+letting the generic class DepdencyCheck, PatternMatchingCheck and friends, to
+answer to the vuln? method (like today).
+
+This can have the benefit of having 4 classes, reading YAML files, instead of
+having tons of superclasses instanciating those magic 4. The core rules,
+understanding if a vulnerability is present, is already in the base API. It's
+just a matter of translating initialiation in YAML file and creating a method
+reading the YAML file populating internal data.
+
+Instead of YAML we can think also to sqlite db or JSON files. Latter option can
+be a good idea since it's web and API friendly.
+
+## Archives
+
+Checks organization will be different upon the format to be chosen. In case of
+YAML files, a standard directory hierachy is enough:
+
+  vulnerabilities/
+    kb.txt <-- where info about the archive, like version, it must be stored
+    third\_party\_gems/
+      CVE\_2013\_2103.yaml
+      CVE\_2013\_2104.yaml
+    ruby_interpreter/
+      CVE\_1023\_4302.yaml
+    misc/
+      CVE\_9999\_1211.yaml
+
+In case of JSON, we can gather together vulnerabilities in files:
+
+  vulnerabilities/
+    third\_party\_gems_20151116_01.json
+    ruby\_interpreter_20151116_01.json
+
+SQL approach would be eventually, really close to JSON one, with tables instead
+of files.
+
+## Info
+
+Using either CVE or OSVDB identifiers as vulnerability keys is a poor choice.
+This lead of duplicated vulns in knowledge base and a lot of effort in checking
+if a vuln is present.
+
+## Benchmark
+
+Those solutions must be benchmarked
+
+
+_last update: Mon Nov 16 17:38:45 CET 2015_

data/lib/dawn/core.rb

@@ -3,6 +3,16 @@ require "yaml"
 module Dawn
   class Core
 
+    def self.registry_db_folder
+      "#{File.join(Dir.home, 'dawnscanner', 'db')}"
+    end
+    def self.registry_db_name
+      "#{File.join(registry_db_folder, 'dawnscanner.db')}"
+    end
+    def self.sql_log_name
+      "#{File.join(registry_db_folder, 'dawnscanner-sql.log')}"
+    end
+
     # TODO.20140326
     # All those methods must moved from here to Util class and a
     # Dawn::Core namespace must be created.
@@ -14,12 +24,15 @@ module Dawn
       puts "\t$ dawn -C --json a_sinatra_webapp_directory"
       puts "\t$ dawn --ascii-tabular-report my_rails_blog_ecommerce"
       puts "\t$ dawn --html -F my_report.html my_rails_blog_ecommerce"
-      printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application"
-      printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application"
-      printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application"
-      printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
-      printf "\n   -a, --ascii-tabular-report\t\t\tcause dawn to format findings using table in ascii art"
+      printf "\n   -r, --rails\t\t\t\t\tforce dawn to consider the target a rails application (DEPRECATED)"
+      printf "\n   -s, --sinatra\t\t\t\tforce dawn to consider the target a sinatra application (DEPRECATED)"
+      printf "\n   -p, --padrino\t\t\t\tforce dawn to consider the target a padrino application (DEPRECATED)"
+      printf "\n   -G, --gem-lock\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock (DEPRECATED)"
+      printf "\n   -d, --dependencies\t\t\t\tforce dawn to scan only for vulnerabilities affecting dependencies in Gemfile.lock"
+      printf "\n\nReporting\n"
+      printf "\n   -a, --ascii-tabular-report\t\t\tcause dawn to format findings using tables in ascii art (DEPRECATED)"
       printf "\n   -j, --json\t\t\t\t\tcause dawn to format findings using json"
+      printf "\n   -K, --console\t\t\t\t\tcause dawn to format findings using plain ascii text"
       printf "\n   -C, --count-only\t\t\t\tdawn will only count vulnerabilities (useful for scripts)"
       printf "\n   -z, --exit-on-warn\t\t\t\tdawn will return number of found vulnerabilities as exit code"
       printf "\n   -F, --file filename\t\t\t\ttells dawn to write output to filename"
@@ -35,6 +48,7 @@ module Dawn
       printf "\n       --list-knowledge-base\t\t\tlist knowledge-base content"
       printf "\n       --list-known-families\t\t\tlist security check families contained in dawn's knowledge base"
       printf "\n       --list-known-framework\t\t\tlist ruby MVC frameworks supported by dawn"
+      printf "\n       --list-scan-registry\t\t\tlist past scan informations stored in scan registry (#{Dawn::Core.registry_db_name})"
       printf "\n\nService flags\n"
       printf "\n   -D, --debug\t\t\t\t\tenters dawn debug mode"
       printf "\n   -V, --verbose\t\t\t\tthe output will be more verbose"
@@ -44,26 +58,6 @@ module Dawn
       true
     end
 
-    def self.dump_knowledge_base(verbose = false)
-      kb = Dawn::KnowledgeBase.new
-      lines = []
-      lines << "Security checks currently supported:\n"
-
-      kb.all.each do |check|
-        if verbose
-          lines << "Name: #{check.name}\tCVSS: #{check.cvss_score}\tReleased: #{check.release_date}"
-          lines << "Description\n#{check.message}"
-          lines << "Remediation\n#{check.remediation}\n\n"
-        else
-          lines << "#{check.name}"
-        end
-      end
-      lines << "-----\nTotal: #{kb.all.count}"
-
-      lines.empty? ? 0 : lines.compact.join("\n")
-
-    end
-
     # guess_mvc is very close to detect_mvc despite it accepts a
     # filename as input and it tries to guess the mvc framework used from the
     # gems it founds in Gemfile.lock without creating an engine.
@@ -111,7 +105,7 @@ module Dawn
     end
 
     def self.find_conf(create_if_none = false)
-      conf_name  = 'codesake-dawn.yaml'
+      conf_name  = 'dawnscanner.yaml'
       path_order = [
         './',
         '~/',
@@ -131,7 +125,7 @@ module Dawn
 
       # If create_if_none flag is set to true, than I'll create a config file
       # on the current directory with the default configuration.
-      conf = {"config"=>{:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}}
+      conf = {"config"=>{:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}}
 
       # Calculate the conf file path
       conf_path = File.expand_path('~') +'/.'+conf_name
@@ -145,7 +139,7 @@ module Dawn
     end
 
     def self.read_conf(file=nil)
-      conf = {:verbose=>false, :output=>"console", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
+      conf = {:verbose=>false, :output=>"tabular", :mvc=>"", :gemfile_scan=>false, :gemfile_name=>"", :filename=>nil, :debug=>false, :exit_on_warn => false, :enabled_checks=> Dawn::Kb::BasicCheck::ALLOWED_FAMILIES}
       begin
         return conf if file.nil?
         file = file.chop if (not file.nil? and file.end_with? '/')

data/lib/dawn/engine.rb

@@ -1,4 +1,5 @@
-require 'bundler'
+# Statistics stuff
+require 'code_metrics/statistics'
 
 module Dawn
   module Engine
@@ -20,6 +21,7 @@ module Dawn
     attr_reader :ruby_version
 
     attr_reader :engine_error
+    attr_reader :stats
 
     attr_reader :reflected_xss
 
@@ -43,6 +45,8 @@ module Dawn
     attr_reader   :applied_checks
     attr_reader   :skipped_checks
 
+    attr_reader   :output_dir_name
+
     def initialize(dir=nil, name="", options={})
       @name = name
       @scan_start = Time.now
@@ -67,12 +71,17 @@ module Dawn
       @ruby_version = get_ruby_version if dir.nil?
       @gemfile_lock = options[:gemfile_name] unless options[:gemfile_name].nil? 
 
-      @views        = detect_views 
+      @stats        = gather_statistics
+
+      @views        = detect_views
       @controllers  = detect_controllers
       @models       = detect_models
 
+      @output_dir_name = output_dir
+
       if $logger.nil?
-        $logger  = Codesake::Commons::Logging.instance
+        require 'logger'
+        $logger = Logger.new(STDOUT)
         $logger.helo "dawn-engine", Dawn::VERSION
 
       end
@@ -85,7 +94,7 @@ module Dawn
         # impersonificate the engine for the mvc it was detected
         debug_me "now I'm switching my name from #{@name} to #{options[:guessed_mvc][:name]}" 
         $logger.err "there are no connected gems... it seems Gemfile.lock parsing failed" if options[:guessed_mvc][:connected_gems].empty?
-        @name = options[:guessed_mvc][:name] 
+        @name = options[:guessed_mvc][:name]
         @mvc_version = options[:guessed_mvc][:version]
         @connected_gems = options[:guessed_mvc][:connected_gems]
         @gemfile_lock_sudo = true
@@ -205,9 +214,44 @@ module Dawn
     end
 
     def get_mvc_version
-      "#{@mvc_version}" if is_good_mvc? 
+      "#{@mvc_version}" if is_good_mvc?
     end
 
+    ########################################################################
+    ## Output stuff - START
+    ########################################################################
+
+    # Creates the directory name where dawnscanner results will be saved
+    #
+    # Examples
+    #   engine.create_output_dir
+    #   # => /Users/thesp0nge/dawnscanner/results/railsgoat/20151123
+    #   # => /Users/thesp0nge/dawnscanner/results/railsgoat/20151123_1 (if
+    #               previous directory name exists)
+    def output_dir
+      @output_dir_name = File.join(Dir.home, 'dawnscanner', 'results', File.basename(@target), Time.now.strftime('%Y%m%d'))
+      if Dir.exist?(@output_dir_name)
+        i=1
+        while (Dir.exist?(@output_dir_name)) do
+          @output_dir_name = File.join(Dir.home, 'dawnscanner', 'results', File.basename(@target), "#{Time.now.strftime('%Y%m%d')}_#{i}")
+          i+=1
+        end
+      end
+      @output_dir_name
+    end
+
+    # Creates the directory
+    def create_output_dir
+      FileUtils.mkdir_p(@output_dir_name)
+      @output_dir_name
+    end
+
+    ########################################################################
+    ## Output stuff - END
+    ########################################################################
+
+
+
     ## Security stuff applies here
     #
     # Public it applies a single security check given by its name
@@ -215,8 +259,8 @@ module Dawn
     # name - the security check to be applied
     #
     # Examples
-    #   
-    #   engine.apply("CVE-2013-1800") 
+    #
+    #   engine.apply("CVE-2013-1800")
     #   # => boolean
     #
     # Returns a true value if the security check was successfully applied or false
@@ -238,30 +282,7 @@ module Dawn
       return false if @checks.empty?
 
       @checks.each do |check|
-        if check.name == name
-          unless ((check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Dawn::KnowledgeBase::COMBO_CHECK ) && @name == "Gemfile.lock")
-            debug_me "applying check #{check.name}" 
-            @applied_checks += 1
-            @applied << { :name=>name }
-            check.ruby_version = @ruby_version[:version]
-            check.detected_ruby  = @ruby_version if check.kind == Dawn::KnowledgeBase::RUBY_VERSION_CHECK
-            check.dependencies = self.connected_gems if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK
-            check.root_dir = self.target if check.kind  == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
-            check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
-
-            check_vuln = check.vuln?
-
-            @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Dawn::KnowledgeBase::COMBO_CHECK
-
-            @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Dawn::KnowledgeBase::COMBO_CHECK
-
-            @mitigated_issues << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
-            return true
-          else
-            debug_me "skipping check #{check.name}"
-            @skipped_checks += 1
-          end
-        end
+        _do_apply(check) if check.name == name
       end
 
       false
@@ -270,6 +291,7 @@ module Dawn
     def apply_all
       @scan_start = Time.now
       debug_me("SCAN STARTED: #{@scan_start}")
+
       # FIXME.20140325
       # Now if no checks are loaded because knowledge base was not previously called, apply and apply_all proudly refuse to run.
       # Reason is simple, load_knowledge_base now needs enabled check array
@@ -290,29 +312,9 @@ module Dawn
       end
 
       @checks.each do |check|
-        unless ((check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Dawn::KnowledgeBase::COMBO_CHECK ) && @gemfile_lock_sudo)
-
-          @applied << { :name => name }
-          debug_me "applying check #{check.name}" 
-          @applied_checks += 1
-
-          check.ruby_version = @ruby_version[:version]
-          check.detected_ruby  = @ruby_version if check.kind == Dawn::KnowledgeBase::RUBY_VERSION_CHECK
-          check.dependencies = self.connected_gems if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK
-          check.root_dir = self.target if check.kind  == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK 
-          check.options = {:detected_ruby => self.ruby_version, :dependencies => self.connected_gems, :root_dir => self.target } if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
-          check_vuln = check.vuln?
-
-          @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check_vuln && check.kind !=  Dawn::KnowledgeBase::COMBO_CHECK
-
-          @vulnerabilities  << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>check.vulnerable_checks} if check_vuln && check.kind ==  Dawn::KnowledgeBase::COMBO_CHECK
-
-          @mitigated_issues << {:name=> check.name, :severity=>check.severity, :priority=>check.priority, :kind=>check.check_family, :message=>check.message, :remediation=>check.remediation, :evidences=>check.evidences, :vulnerable_checks=>nil} if check.mitigated?
-        else
-          debug_me "skipping check #{check.name}"
-          @skipped_checks += 1
-        end
+        _do_apply(check)
       end
+
       @scan_stop = Time.now
       debug_me("SCAN STOPPED: #{@scan_stop}")
 
@@ -355,7 +357,7 @@ module Dawn
     end
 
     def count_vulnerabilities
-      ret = 0 
+      ret = 0
       ret = @vulnerabilities.count unless @vulnerabilities.nil?
       ret +=  @reflected_xss.count unless @reflected_xss.nil?
 
@@ -373,6 +375,61 @@ module Dawn
       hash = File.read(File.join(@target, '.ruby-version')).split('-')
       return {:version=>hash[0], :patchlevel=>hash[1]}
     end
+    def _do_apply(check)
+      unless ((check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK || check.kind == Dawn::KnowledgeBase::COMBO_CHECK ) && @gemfile_lock_sudo)
+
+        @applied << { :name => name }
+        debug_me "applying check #{check.name}"
+        @applied_checks += 1
+
+        check.ruby_version  = @ruby_version[:version]
+        check.detected_ruby = @ruby_version                           if check.kind == Dawn::KnowledgeBase::RUBY_VERSION_CHECK
+        check.dependencies  = self.connected_gems                     if check.kind == Dawn::KnowledgeBase::DEPENDENCY_CHECK
+        check.root_dir      = self.target                             if check.kind == Dawn::KnowledgeBase::PATTERN_MATCH_CHECK
+        check.options       = {:detected_ruby => self.ruby_version,
+                               :dependencies => self.connected_gems,
+                               :root_dir => self.target }             if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
+        check_vuln          = check.vuln?
+
+        if check_vuln
+
+          vc = nil
+          vc = check.vulnerable_checks if check.kind == Dawn::KnowledgeBase::COMBO_CHECK
+
+          @vulnerabilities  << {:name=> check.name,
+                                :severity=>check.severity,
+                                :priority=>check.priority,
+                                :kind=>check.check_family,
+                                :message=>check.message,
+                                :remediation=>check.remediation,
+                                :evidences=>check.evidences,
+                                :cve_link=>check.cve_link,
+                                :cvss_score=>check.cvss_score,
+                                :vulnerable_checks=>vc}
 
+        end
+
+        @mitigated_issues << {:name=> check.name,
+                              :severity=>check.severity,
+                              :priority=>check.priority,
+                              :kind=>check.check_family,
+                              :message=>check.message,
+                              :remediation=>check.remediation,
+                              :evidences=>check.evidences,
+                              :vulnerable_checks=>nil} if check.mitigated?
+      else
+        debug_me "skipping check #{check.name}"
+        @skipped_checks += 1
+      end
+
+      true
+    end
+
+    def gather_statistics
+      dirs = CodeMetrics::StatsDirectories.new
+      puts target
+      dirs.add_directories("#{target}/**/*.rb", "#{target}")
+      puts CodeMetrics::Statistics.new(*dirs).to_s
+    end
   end
 end