dawnscanner 1.4.2 → 1.5.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.ruby-version +1 -1
- data/Changelog.md +85 -9
- data/KnowledgeBase.md +206 -5
- data/README.md +25 -25
- data/Rakefile +19 -5
- data/Roadmap.md +104 -46
- data/VERSION +10 -10
- data/bin/dawn +96 -15
- data/checksum/dawnscanner-1.4.2.gem.sha1 +1 -0
- data/dawnscanner.gemspec +21 -4
- data/doc/dawn_1_5_announcement.md +66 -0
- data/doc/{codesake-dawn.yaml.sample → dawnscanner.yaml.sample} +0 -0
- data/doc/new_knowledge_base_v1.0.md +78 -0
- data/lib/dawn/core.rb +22 -28
- data/lib/dawn/engine.rb +111 -54
- data/lib/dawn/kb/basic_check.rb +3 -0
- data/lib/dawn/kb/cve_2014_3483.rb +1 -0
- data/lib/dawn/kb/cve_2015_1819.rb +34 -0
- data/lib/dawn/kb/cve_2015_4020.rb +34 -0
- data/lib/dawn/kb/gem_check.rb +43 -0
- data/lib/dawn/kb/osvdb_115654.rb +33 -0
- data/lib/dawn/kb/osvdb_116010.rb +30 -0
- data/lib/dawn/kb/osvdb_117903.rb +30 -0
- data/lib/dawn/kb/osvdb_118954.rb +5 -3
- data/lib/dawn/kb/osvdb_119878.rb +3 -3
- data/lib/dawn/kb/osvdb_120415.rb +31 -0
- data/lib/dawn/kb/osvdb_120857.rb +34 -0
- data/lib/dawn/kb/osvdb_121701.rb +30 -0
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +23 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +16 -20
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +31 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +22 -22
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +23 -23
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +25 -25
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +21 -21
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +24 -24
- data/lib/dawn/kb/version_check.rb +4 -0
- data/lib/dawn/knowledge_base.rb +36 -4
- data/lib/dawn/registry.rb +43 -0
- data/lib/dawn/reporter.rb +88 -47
- data/lib/dawn/utils.rb +3 -4
- data/lib/dawn/version.rb +4 -4
- data/lib/dawnscanner.rb +4 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +40 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -1
- data/spec/lib/kb/cve_2015_1819_spec.rb +16 -0
- data/spec/lib/kb/cve_2015_4020_spec.rb +24 -0
- data/spec/lib/kb/osvdb_115654_spec.rb +15 -0
- data/spec/lib/kb/osvdb_116010_spec.rb +15 -0
- data/spec/lib/kb/osvdb_117903_spec.rb +23 -0
- data/spec/lib/kb/osvdb_118954_spec.rb +13 -1
- data/spec/lib/kb/osvdb_119878_spec.rb +8 -9
- data/spec/lib/kb/osvdb_120415_spec.rb +16 -0
- data/spec/lib/kb/osvdb_120857_spec.rb +32 -0
- data/spec/lib/kb/osvdb_121701_spec.rb +15 -0
- metadata +153 -12
- metadata.gz.sig +0 -0
- data/BUGS.md +0 -14
@@ -0,0 +1,43 @@
|
|
1
|
+
module Dawn
|
2
|
+
class Registry
|
3
|
+
include DataMapper::Resource
|
4
|
+
property :id, Serial
|
5
|
+
|
6
|
+
property :target, String, :default=>""
|
7
|
+
property :registry_version, String, :default=>"0.5"
|
8
|
+
property :dawn_version, String, :default=>Dawn::VERSION
|
9
|
+
property :output_dir, String, :default=>"", :length=>255
|
10
|
+
property :scan_started, DateTime, :default=>DateTime.now
|
11
|
+
property :scan_duration, Float, :default=>0
|
12
|
+
property :scan_status, Enum[ :completed, :failed ], :default=>:failed
|
13
|
+
property :issues_found, Integer, :default=>-1
|
14
|
+
property :message, String, :default=>"", :length=>255
|
15
|
+
|
16
|
+
|
17
|
+
property :created_at, DateTime
|
18
|
+
property :created_on, Date
|
19
|
+
property :updated_at, DateTime
|
20
|
+
property :updated_on, Date
|
21
|
+
|
22
|
+
|
23
|
+
def do_save(options={})
|
24
|
+
|
25
|
+
self.target = options[:target]
|
26
|
+
self.output_dir = options[:output_dir]
|
27
|
+
self.scan_status = options[:scan_status]
|
28
|
+
self.issues_found = options[:issues_found]
|
29
|
+
self.scan_started = options[:scan_started]
|
30
|
+
self.scan_duration = options[:scan_duration]
|
31
|
+
self.message = options[:message]
|
32
|
+
|
33
|
+
save
|
34
|
+
end
|
35
|
+
|
36
|
+
def self.dump
|
37
|
+
all.each do |entry|
|
38
|
+
puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.issues_found} issues found - #{entry.output_dir}" if entry.scan_status == :completed
|
39
|
+
puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.message}" if entry.scan_status == :failed
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
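Review bot: `do_save` assigns every property straight from `options`, so any key the caller omits is written as nil over the declared default, and the boolean returned by `save` is the only sign that the scan record was not persisted. `target` is declared without `:length` while `output_dir` and `message` get 255; if DataMapper's default String length applies (50, as far as I recall), a long target path may fail validation and the record would be dropped silently. Assigning only the keys that are present, e.g. `self.target = options[:target] if options.key?(:target)`, and logging a false `save` would keep the registry usable as a scan history. Separately, `:default=>DateTime.now` on `scan_started` is evaluated once when the class is loaded, so a per-record default needs a lambda such as `:default => lambda { |r, p| DateTime.now }`.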
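--- a/data/lib/dawn/reporter.rb
+++ b/data/lib/dawn/reporter.rb
@@ -10,7 +10,7 @@ module Dawn
 @format = options[:format] unless options[:format].nil?
 @engine = options[:engine] unless options[:engine].nil?
 
-@format = :
+@format = :tabular unless is_valid_format?(@format)
 end
 
 def report
@@ -33,6 +33,33 @@ module Dawn
 $logger.info "#{@filename} created (#{output.length} bytes)"
 end
 end
+
+def write_html(path, content)
+css_path = File.join(path, 'css')
+js_path = File.join(path, 'js')
+support_path = File.join(Dir.pwd, 'support')
+
+FileUtils.mkdir_p(File.join(path, 'css'))
+FileUtils.mkdir_p(File.join(path, 'js'))
+
+FileUtils.cp(File.join(support_path, 'bootstrap.js'), js_path)
+FileUtils.cp(File.join(support_path, 'bootstrap.min.css'), css_path)
+FileUtils.cp(File.join(support_path, 'codesake.css'), css_path)
+
+File.open(File.join(path, 'report.html'), "w") do |f|
+f.puts content
+end
+$logger.info "#{File.join(path, 'report.html')} created (#{File.stat(File.join(path, 'report.html')).size} bytes)"
+
+end
+
+def write_table(path, content)
+File.open(path, "w") do |f|
+f.puts content
+end
+$logger.info "#{path} created (#{File.stat(path).size} bytes)"
+end
+
 def is_valid_format?(format)
 return false if format.nil?
 return true if (format == :console) || (format == :tabular) || (format == :json) || (format == :html) || (format == :csv)
@@ -40,10 +67,12 @@ module Dawn
 end
 
 def html_report
-
-
-html_head
-html_head += "<
+output = @engine.create_output_dir
+
+html_head = "<!doctype html>\n<html>\n<head>\n<title>Dawnscanner report for #{File.basename(@engine.target)}</title>"
+html_head += "<script src=\"./js/bootstrap.js\"></script>\n"
+html_head += "<link href=\"./css/codesake.css\" media=\"all\" rel=\"stylesheet\" />\n"
+html_head += "<link href=\"./css/bootstrap.min.css\" media=\"all\" rel=\"stylesheet\" />\n"
 html_head += "</head>\n"
 html_body = "<body>\n"
 html_body += ""
@@ -51,10 +80,10 @@ module Dawn
 html_body += "<div class=\"container-narrow\">\n"
 html_body += "<div class=\"masthead\">\n"
 html_body += "<ul class=\"nav nav-pills pull-right\">\n"
-html_body += "<li class=\"\"><a href=\"
-html_body += "<li class=\"active\"><a href=\"https://github.com/
+html_body += "<li class=\"\"><a href=\"http://dawnscanner.org\">Home</a></li>\n"
+html_body += "<li class=\"active\"><a href=\"https://github.com/thesp0nge/dawnscanner\">Github repo</a></li>\n"
 html_body += "</ul>\n"
-html_body += "<h3 class=\"muted\">
+html_body += "<h3 class=\"muted\">Dawnscanner</h3>\n"
 html_body += "</div>\n"
 html_body += "<h1>Security code review results for \"#{File.basename(@engine.target)}\"</h1>\n"
 html_body += "<hr />\n"
@@ -91,10 +120,11 @@ module Dawn
 html_body += "<hr />\n"
 html_body += "<h2>Vulnerabilities found</h2>\n"
 html_body += "<table class=\"table-striped table-bordered table\">\n"
-html_body += "<thead><tr><td>Name</td><td>Severity</td><td>
+html_body += "<thead><tr><td>Name</td><td>Severity</td><td>CVSS score</td><td>Description</td><td>Remediation</td></tr></thead>\n"
 
+html_body += "<tbody>"
 @engine.vulnerabilities.each do |vuln|
-html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:
+html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:cvss_score]}</td><td>#{vuln[:message]}</td><td>#{vuln[:remediation]}</td></tr>\n"
 end
 html_body += "</tbody>\n"
 html_body += "</table>\n"
@@ -102,7 +132,7 @@ module Dawn
 html_body += "<div id=\"push\"></div>\n"
 html_body += "<div id=\"footer\">\n"
 html_body += "<div class=\"container\">\n"
-html_body += "<p class=\"muted credit\"
+html_body += "<p class=\"muted credit\">Proudly generated with <a href=\"http://dawnscanner.org\">Dawnscanner</a> — #{Time.now.strftime("%Y")} — engine v#{Dawn::VERSION} (#{Dawn::RELEASE})</p>\n"
 html_body += "</div>\n"
 html_body += "</div>\n"
 html_body += "</div>\n"
@@ -114,12 +144,14 @@ module Dawn
 
 html = html_head + html_body
 
-
+write_html(output, html)
 true
 end
 
 def ascii_tabular_report
 
+output = @engine.create_output_dir
+
 # 0_First table: executive summary
 rows = []
 rows << ['Dawn version', Dawn::VERSION] unless Dawn::RELEASE == "(development)"
@@ -127,32 +159,44 @@ module Dawn
 rows << ['Scan started', @engine.scan_start]
 rows << ['Scan duration', "#{@engine.scan_time.round(3)} sec"]
 rows << ['Target', @engine.target]
-rows << ['
-rows << ['
+rows << ['Framework', "#{@engine.name} v#{@engine.get_mvc_version}" ] unless @engine.name == "Gemfile.lock"
+rows << ['Framework', "#{@engine.force} v#{@engine.get_mvc_version}" ] if @engine.name == "Gemfile.lock"
 if @ret
 rows << ['Applied checks', "#{@engine.applied_checks} security checks"]
 rows << ['Skipped checks', "#{@engine.skipped_checks} security checks"]
 else
 rows << ['Applied checks', "No security checks in the knowledge base"]
 end
-rows << ['Vulnerabilities found', @engine.count_vulnerabilities]
-rows << ['
-rows << ['Reflected XSS', @engine.reflected_xss.count]
+rows << ['Vulnerabilities found in dependencies', @engine.count_vulnerabilities]
+rows << ['Vulnerabilities mitigated by external factors', @engine.mitigated_issues.count] unless @engine.mitigated_issues.count == 0
+rows << ['Reflected XSS found', @engine.reflected_xss.count]
 table = Terminal::Table.new :title=>'Scan summary', :rows => rows
-
+write_table(File.join(output, 'summary.txt'), table)
 
+# 0_a) Application structure
+rows = []
+rows << ['Lines of code', 'to be added soon']
+rows << ['Cyclomatic complexity index', 'to be added soon']
+rows << ['Models', @engine.models.count]
+rows << ['Views', @engine.views.count]
+rows << ['Controllers', @engine.controllers.count]
+table = Terminal::Table.new :title=>'Application stats', :rows => rows
+write_table(File.join(output, 'statistics.txt'), table)
 
 if @engine.count_vulnerabilities > 0
 
-#
+# 1) Vulnerabilities
+
+# 1_a) Third party gem vulnerabilities
 rows = []
 @engine.vulnerabilities.each do |vuln|
-rows << [vuln[:name].justify(10), vuln[:severity], vuln[:
+rows << [vuln[:name].justify(10), vuln[:severity], vuln[:message].justify(30), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
 rows << :separator
 end
-table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', '
-
+table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', 'Description', 'Solution', 'Evidences'], :rows=>rows
+write_table(File.join(output, 'third_party_vulnerabilities.txt'), table)
 
+# 1_b) Refleted XXS
 rows = []
 if @engine.has_reflected_xss?
 @engine.reflected_xss.each do |vuln|
@@ -160,8 +204,7 @@ module Dawn
 rows << :separator
 end
 table = Terminal::Table.new :title=>"Reflected Cross Site Scripting", :headings=>['Sink name', 'View', 'Location the sink was read', 'Evidences'], :rows=>rows
-
-
+write_table(File.join(output, 'reflected_xss.txt'), table)
 end
 
 end
@@ -174,7 +217,7 @@ module Dawn
 rows << :separator
 end
 table = Terminal::Table.new :title=>"Mitigated issues", :headings=>['Issue', 'Description', 'Evidences'], :rows=>rows
-
+write_table(File.join(output, 'mitigated_issues.txt'), table)
 end
 
 true
@@ -209,7 +252,6 @@ module Dawn
 :name => v[:name],
 :cve_link => v[:cve_link],
 :severity => v[:severity],
-:priority => v[:priority],
 :cvss_score => v[:cvss_score],
 :message => v[:message],
 :remediation => v[:remediation]
@@ -227,51 +269,50 @@ module Dawn
 
 def ascii_plain_report
 
-
-
-
-
+result = sprintf "%s\n", "scanning #{@engine.target}"
+result += sprintf "%s\n", "#{@engine.name} v#{@engine.get_mvc_version} detected" unless @engine.name == "Gemfile.lock"
+result += sprintf "%s\n", "#{@engine.force} v#{@engine.get_mvc_version} detected" if @engine.name == "Gemfile.lock"
+result += sprintf "%s\n", "applying all security checks"
 if @ret
-
+result += sprintf "%s\n", "#{@engine.applied_checks} security checks applied - #{@engine.skipped_checks} security checks skipped"
 else
-
+result += sprintf "%s\n", "no security checks in the knowledge base"
 end
 
 if @engine.count_vulnerabilities != 0
-
+result += sprintf "%s\n", "#{@engine.count_vulnerabilities} vulnerabilities found"
 @engine.vulnerabilities.each do |vuln|
-
-
-
-$logger.info "Description: #{vuln[:message]}"
-$logger.info "Solution: #{vuln[:remediation]}"
-$logger.info "Evidence:"
+result += sprintf "%s\n", "#{vuln[:name]} check failed\n"
+result += sprintf "%s\n", "#{vuln[:message].justify(70)}"
+result += sprintf "%s\n", "Evidence:"
 vuln[:evidences].each do |evidence|
-
+result += sprintf "%s\n", "\t#{evidence}"
 end
+result += sprintf "\n\n"
 end
 if @engine.has_reflected_xss?
-
+result += sprintf "%s\n", "#{@engine.reflected_xss.count} reflected XSS found"
 @engine.reflected_xss.each do |vuln|
-
-
+result += sprintf "%s\n", "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
+result += sprintf "%s\n", "evidence: #{vuln[:sink_evidence]}"
 end
 end
 
 else
-
+result += sprintf "%s\n", "no vulnerabilities found."
 end
 
 if @engine.mitigated_issues.count != 0
-
+result += sprintf "%s\n", "#{@engine.mitigated_issues.count} mitigated vulnerabilities found"
 @engine.mitigated_issues.each do |vuln|
-
+result += sprintf "%s\n", "#{vuln[:name]} mitigated"
 vuln[:evidences].each do |evidence|
-
+result += sprintf "%s\n", evidence
 end
 end
 end
 
+write(result)
 true
 end
 end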
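Review bot: `write_html` takes the report's JavaScript and CSS from `File.join(Dir.pwd, 'support')`, so the assets come from whatever directory dawn is started in rather than from the gem's own files. When the tool is run from inside the project under review, a `support/bootstrap.js` found in that tree would be copied into the report and loaded by the `<script src="./js/bootstrap.js">` tag that `html_report` now emits; when no such directory exists, `FileUtils.cp` raises and no report is written. Resolving the directory from the gem's install location (for instance with `File.expand_path` relative to `__FILE__`, assuming the assets ship with the gem) would address both. Separately, the new `<title>` and table row interpolate `File.basename(@engine.target)`, `vuln[:message]` and `vuln[:remediation]` into the markup unescaped; wrapping them in `CGI.escapeHTML(...)` would keep a directory name or check text from being parsed as HTML (`html_report` is only partly visible across these hunks).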
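--- a/data/lib/dawn/utils.rb
+++ b/data/lib/dawn/utils.rb
@@ -1,5 +1,8 @@
 module Dawn
 module Utils
+def debug_me(msg)
+$logger.debug(msg) if @debug
+end
 
 def debug_me_and_return_true(msg)
 __debug_me_and_return(msg, true)
@@ -7,10 +10,6 @@ module Dawn
 def debug_me_and_return_false(msg)
 __debug_me_and_return(msg, false)
 end
-def debug_me(msg)
-$logger.debug(msg) if @debug
-end
-
 def __debug_me_and_return(msg, status)
 $logger.debug(msg) if @debug
 return status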
data/lib/dawn/version.rb
CHANGED
data/lib/dawnscanner.rb
CHANGED
@@ -1034,4 +1034,44 @@ describe "The Codesake Dawn knowledge base" do
|
|
1034
1034
|
sc.should_not be_nil
|
1035
1035
|
sc.class.should == Dawn::Kb::CVE_2014_7818
|
1036
1036
|
end
|
1037
|
+
it "must have test for OSVDB_120415" do
|
1038
|
+
sc = kb.find("OSVDB_120415")
|
1039
|
+
sc.should_not be_nil
|
1040
|
+
sc.class.should == Dawn::Kb::OSVDB_120415
|
1041
|
+
end
|
1042
|
+
it "must have test for OSVDB_120857" do
|
1043
|
+
sc = kb.find("OSVDB_120857")
|
1044
|
+
sc.should_not be_nil
|
1045
|
+
sc.class.should == Dawn::Kb::OSVDB_120857
|
1046
|
+
end
|
1047
|
+
it "must have test for OSVDB_121701" do
|
1048
|
+
sc = kb.find("OSVDB_121701")
|
1049
|
+
sc.should_not be_nil
|
1050
|
+
sc.class.should == Dawn::Kb::OSVDB_121701
|
1051
|
+
end
|
1052
|
+
it "must have test for CVE-2015-4020" do
|
1053
|
+
sc = kb.find("CVE-2015-4020")
|
1054
|
+
sc.should_not be_nil
|
1055
|
+
sc.class.should == Dawn::Kb::CVE_2015_4020
|
1056
|
+
end
|
1057
|
+
it "must have test for OSVDB_117903" do
|
1058
|
+
sc = kb.find("OSVDB_117903")
|
1059
|
+
sc.should_not be_nil
|
1060
|
+
sc.class.should == Dawn::Kb::OSVDB_117903
|
1061
|
+
end
|
1062
|
+
it "must have test for OSVDB_115654" do
|
1063
|
+
sc = kb.find("OSVDB_115654")
|
1064
|
+
sc.should_not be_nil
|
1065
|
+
sc.class.should == Dawn::Kb::OSVDB_115654
|
1066
|
+
end
|
1067
|
+
it "must have test for OSVDB_116010" do
|
1068
|
+
sc = kb.find("OSVDB_116010")
|
1069
|
+
sc.should_not be_nil
|
1070
|
+
sc.class.should == Dawn::Kb::OSVDB_116010
|
1071
|
+
end
|
1072
|
+
it "must have test for CVE-2015-1819" do
|
1073
|
+
sc = kb.find("CVE-2015-1819")
|
1074
|
+
sc.should_not be_nil
|
1075
|
+
sc.class.should == Dawn::Kb::CVE_2015_1819
|
1076
|
+
end
|
1037
1077
|
end
|
@@ -2,7 +2,7 @@ require 'spec_helper'
|
|
2
2
|
describe "The CVE-2014-3483 vulnerability" do
|
3
3
|
before(:all) do
|
4
4
|
@check = Dawn::Kb::CVE_2014_3483.new
|
5
|
-
|
5
|
+
@check.debug = true
|
6
6
|
end
|
7
7
|
it "is reported when a rails gem version 4.0.6 is detected" do
|
8
8
|
@check.dependencies = [{:name=>"rails", :version=>"4.0.6"}]
|
@@ -20,4 +20,8 @@ describe "The CVE-2014-3483 vulnerability" do
|
|
20
20
|
@check.dependencies = [{:name=>"rails", :version=>"4.1.3"}]
|
21
21
|
@check.vuln?.should == false
|
22
22
|
end
|
23
|
+
it "is not reported when a rails gem version 3.2.21 is detected" do
|
24
|
+
@check.dependencies = [{:name=>"rails", :version=>"3.2.21"}]
|
25
|
+
@check.vuln?.should == false
|
26
|
+
end
|
23
27
|
end
|
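Review bot: `@check.debug = true` in the `before(:all)` block looks like a leftover from a debugging session; it presumably switches on the `$logger.debug` output for every example in this file, while the specs added in the same release keep that line commented out. Dropping it, or leaving it as `# @check.debug = true`, keeps the suite output quiet and avoids relying on `$logger` being initialised by the spec helper. The `describe` block starts and ends outside these two hunks.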
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2015-1819 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2015_1819.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when the vulnerable gem is detected" do
|
8
|
+
@check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.3"}]
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is not reported when a fixed release is detected" do
|
12
|
+
@check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.4"}]
|
13
|
+
@check.vuln?.should == false
|
14
|
+
end
|
15
|
+
|
16
|
+
end
|
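Review bot: The spec pins only the two adjacent versions, `1.6.6.3` as vulnerable and `1.6.6.4` as fixed, so a check that matched a single version instead of a range would still pass. One example with an older nokogiri release and one with a dependency list that contains no nokogiri entry at all would cover the range and the not-applicable case. The commented-out `# @check.debug = true` can be removed as well.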
@@ -0,0 +1,24 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2015-4020 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2015_4020.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when the vulnerable rubygem is detected" do
|
8
|
+
@check.my_gem_version="2.4.3"
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is reported when the vulnerable rubygem is detected" do
|
12
|
+
@check.my_gem_version="2.2.4"
|
13
|
+
@check.vuln?.should == true
|
14
|
+
end
|
15
|
+
it "is reported when the vulnerable rubygem is detected" do
|
16
|
+
@check.my_gem_version="2.0.16"
|
17
|
+
@check.vuln?.should == true
|
18
|
+
end
|
19
|
+
it "is not reported when a fixed release is detected" do
|
20
|
+
@check.my_gem_version="2.4.9"
|
21
|
+
@check.vuln?.should == false
|
22
|
+
end
|
23
|
+
|
24
|
+
end
|
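Review bot: Three examples share the description `is reported when the vulnerable rubygem is detected`, so a failure report does not say which of `2.4.3`, `2.2.4` or `2.0.16` broke; putting the version in each description fixes that, e.g. `it "is reported when rubygems 2.2.4 is detected" do`. The only negative case is `2.4.9`; the fixed releases on the 2.2.x and 2.0.x lines are not exercised, so a check that reports patched installs on those branches as vulnerable would go unnoticed. All examples also mutate the single `@check` built in `before(:all)`, which makes them order-dependent if one ever omits the `my_gem_version` assignment.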