dawnscanner 1.4.2 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (61) hide show
  1. checksums.yaml +4 -4
  2. checksums.yaml.gz.sig +0 -0
  3. data.tar.gz.sig +0 -0
  4. data/.ruby-version +1 -1
  5. data/Changelog.md +85 -9
  6. data/KnowledgeBase.md +206 -5
  7. data/README.md +25 -25
  8. data/Rakefile +19 -5
  9. data/Roadmap.md +104 -46
  10. data/VERSION +10 -10
  11. data/bin/dawn +96 -15
  12. data/checksum/dawnscanner-1.4.2.gem.sha1 +1 -0
  13. data/dawnscanner.gemspec +21 -4
  14. data/doc/dawn_1_5_announcement.md +66 -0
  15. data/doc/{codesake-dawn.yaml.sample → dawnscanner.yaml.sample} +0 -0
  16. data/doc/new_knowledge_base_v1.0.md +78 -0
  17. data/lib/dawn/core.rb +22 -28
  18. data/lib/dawn/engine.rb +111 -54
  19. data/lib/dawn/kb/basic_check.rb +3 -0
  20. data/lib/dawn/kb/cve_2014_3483.rb +1 -0
  21. data/lib/dawn/kb/cve_2015_1819.rb +34 -0
  22. data/lib/dawn/kb/cve_2015_4020.rb +34 -0
  23. data/lib/dawn/kb/gem_check.rb +43 -0
  24. data/lib/dawn/kb/osvdb_115654.rb +33 -0
  25. data/lib/dawn/kb/osvdb_116010.rb +30 -0
  26. data/lib/dawn/kb/osvdb_117903.rb +30 -0
  27. data/lib/dawn/kb/osvdb_118954.rb +5 -3
  28. data/lib/dawn/kb/osvdb_119878.rb +3 -3
  29. data/lib/dawn/kb/osvdb_120415.rb +31 -0
  30. data/lib/dawn/kb/osvdb_120857.rb +34 -0
  31. data/lib/dawn/kb/osvdb_121701.rb +30 -0
  32. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +23 -31
  33. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +16 -20
  34. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +31 -31
  35. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +22 -22
  36. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +23 -23
  37. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +25 -25
  38. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +21 -21
  39. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +24 -24
  40. data/lib/dawn/kb/version_check.rb +4 -0
  41. data/lib/dawn/knowledge_base.rb +36 -4
  42. data/lib/dawn/registry.rb +43 -0
  43. data/lib/dawn/reporter.rb +88 -47
  44. data/lib/dawn/utils.rb +3 -4
  45. data/lib/dawn/version.rb +4 -4
  46. data/lib/dawnscanner.rb +4 -1
  47. data/spec/lib/dawn/codesake_knowledgebase_spec.rb +40 -0
  48. data/spec/lib/kb/cve_2014_3483_spec.rb +5 -1
  49. data/spec/lib/kb/cve_2015_1819_spec.rb +16 -0
  50. data/spec/lib/kb/cve_2015_4020_spec.rb +24 -0
  51. data/spec/lib/kb/osvdb_115654_spec.rb +15 -0
  52. data/spec/lib/kb/osvdb_116010_spec.rb +15 -0
  53. data/spec/lib/kb/osvdb_117903_spec.rb +23 -0
  54. data/spec/lib/kb/osvdb_118954_spec.rb +13 -1
  55. data/spec/lib/kb/osvdb_119878_spec.rb +8 -9
  56. data/spec/lib/kb/osvdb_120415_spec.rb +16 -0
  57. data/spec/lib/kb/osvdb_120857_spec.rb +32 -0
  58. data/spec/lib/kb/osvdb_121701_spec.rb +15 -0
  59. metadata +153 -12
  60. metadata.gz.sig +0 -0
  61. data/BUGS.md +0 -14
@@ -0,0 +1,43 @@
1
+ module Dawn
2
+ class Registry
3
+ include DataMapper::Resource
4
+ property :id, Serial
5
+
6
+ property :target, String, :default=>""
7
+ property :registry_version, String, :default=>"0.5"
8
+ property :dawn_version, String, :default=>Dawn::VERSION
9
+ property :output_dir, String, :default=>"", :length=>255
10
+ property :scan_started, DateTime, :default=>DateTime.now
11
+ property :scan_duration, Float, :default=>0
12
+ property :scan_status, Enum[ :completed, :failed ], :default=>:failed
13
+ property :issues_found, Integer, :default=>-1
14
+ property :message, String, :default=>"", :length=>255
15
+
16
+
17
+ property :created_at, DateTime
18
+ property :created_on, Date
19
+ property :updated_at, DateTime
20
+ property :updated_on, Date
21
+
22
+
23
+ def do_save(options={})
24
+
25
+ self.target = options[:target]
26
+ self.output_dir = options[:output_dir]
27
+ self.scan_status = options[:scan_status]
28
+ self.issues_found = options[:issues_found]
29
+ self.scan_started = options[:scan_started]
30
+ self.scan_duration = options[:scan_duration]
31
+ self.message = options[:message]
32
+
33
+ save
34
+ end
35
+
36
+ def self.dump
37
+ all.each do |entry|
38
+ puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.issues_found} issues found - #{entry.output_dir}" if entry.scan_status == :completed
39
+ puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.message}" if entry.scan_status == :failed
40
+ end
41
+ end
42
+ end
43
+ end
data/lib/dawn/reporter.rb CHANGED
@@ -10,7 +10,7 @@ module Dawn
10
10
  @format = options[:format] unless options[:format].nil?
11
11
  @engine = options[:engine] unless options[:engine].nil?
12
12
 
13
- @format = :console unless is_valid_format?(@format)
13
+ @format = :tabular unless is_valid_format?(@format)
14
14
  end
15
15
 
16
16
  def report
@@ -33,6 +33,33 @@ module Dawn
33
33
  $logger.info "#{@filename} created (#{output.length} bytes)"
34
34
  end
35
35
  end
36
+
37
+ def write_html(path, content)
38
+ css_path = File.join(path, 'css')
39
+ js_path = File.join(path, 'js')
40
+ support_path = File.join(Dir.pwd, 'support')
41
+
42
+ FileUtils.mkdir_p(File.join(path, 'css'))
43
+ FileUtils.mkdir_p(File.join(path, 'js'))
44
+
45
+ FileUtils.cp(File.join(support_path, 'bootstrap.js'), js_path)
46
+ FileUtils.cp(File.join(support_path, 'bootstrap.min.css'), css_path)
47
+ FileUtils.cp(File.join(support_path, 'codesake.css'), css_path)
48
+
49
+ File.open(File.join(path, 'report.html'), "w") do |f|
50
+ f.puts content
51
+ end
52
+ $logger.info "#{File.join(path, 'report.html')} created (#{File.stat(File.join(path, 'report.html')).size} bytes)"
53
+
54
+ end
55
+
56
+ def write_table(path, content)
57
+ File.open(path, "w") do |f|
58
+ f.puts content
59
+ end
60
+ $logger.info "#{path} created (#{File.stat(path).size} bytes)"
61
+ end
62
+
36
63
  def is_valid_format?(format)
37
64
  return false if format.nil?
38
65
  return true if (format == :console) || (format == :tabular) || (format == :json) || (format == :html) || (format == :csv)
@@ -40,10 +67,12 @@ module Dawn
40
67
  end
41
68
 
42
69
  def html_report
43
- html_head = "<!doctype html>\n<html>\n<head>\n<title>Dawn report for #{File.basename(@engine.target)}</title>"
44
- html_head += "<script src=\"./support/bootstrap.js\"></script>\n"
45
- html_head += "<link href=\"./support/codesake.css\" media=\"all\" rel=\"stylesheet\" />\n"
46
- html_head += "<link href=\"./support/bootstrap.min.css\" media=\"all\" rel=\"stylesheet\" />\n"
70
+ output = @engine.create_output_dir
71
+
72
+ html_head = "<!doctype html>\n<html>\n<head>\n<title>Dawnscanner report for #{File.basename(@engine.target)}</title>"
73
+ html_head += "<script src=\"./js/bootstrap.js\"></script>\n"
74
+ html_head += "<link href=\"./css/codesake.css\" media=\"all\" rel=\"stylesheet\" />\n"
75
+ html_head += "<link href=\"./css/bootstrap.min.css\" media=\"all\" rel=\"stylesheet\" />\n"
47
76
  html_head += "</head>\n"
48
77
  html_body = "<body>\n"
49
78
  html_body += ""
@@ -51,10 +80,10 @@ module Dawn
51
80
  html_body += "<div class=\"container-narrow\">\n"
52
81
  html_body += "<div class=\"masthead\">\n"
53
82
  html_body += "<ul class=\"nav nav-pills pull-right\">\n"
54
- html_body += "<li class=\"\"><a href=\"https://dawn.codesake.com\">Home</a></li>\n"
55
- html_body += "<li class=\"active\"><a href=\"https://github.com/codesake/codesake-dawn\">Github repo</a></li>\n"
83
+ html_body += "<li class=\"\"><a href=\"http://dawnscanner.org\">Home</a></li>\n"
84
+ html_body += "<li class=\"active\"><a href=\"https://github.com/thesp0nge/dawnscanner\">Github repo</a></li>\n"
56
85
  html_body += "</ul>\n"
57
- html_body += "<h3 class=\"muted\">Dawn</h3>\n"
86
+ html_body += "<h3 class=\"muted\">Dawnscanner</h3>\n"
58
87
  html_body += "</div>\n"
59
88
  html_body += "<h1>Security code review results for \"#{File.basename(@engine.target)}\"</h1>\n"
60
89
  html_body += "<hr />\n"
@@ -91,10 +120,11 @@ module Dawn
91
120
  html_body += "<hr />\n"
92
121
  html_body += "<h2>Vulnerabilities found</h2>\n"
93
122
  html_body += "<table class=\"table-striped table-bordered table\">\n"
94
- html_body += "<thead><tr><td>Name</td><td>Severity</td><td>Priority</td><td>CVSS score</td><td>Description</td><td>Remediation</td></tr></thead>\n"
123
+ html_body += "<thead><tr><td>Name</td><td>Severity</td><td>CVSS score</td><td>Description</td><td>Remediation</td></tr></thead>\n"
95
124
 
125
+ html_body += "<tbody>"
96
126
  @engine.vulnerabilities.each do |vuln|
97
- html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:priority]}</td><td>#{vuln[:cvss_score]}</td><td>#{vuln[:message]}</td><td>#{vuln[:remediation]}</td></tr>\n"
127
+ html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:cvss_score]}</td><td>#{vuln[:message]}</td><td>#{vuln[:remediation]}</td></tr>\n"
98
128
  end
99
129
  html_body += "</tbody>\n"
100
130
  html_body += "</table>\n"
@@ -102,7 +132,7 @@ module Dawn
102
132
  html_body += "<div id=\"push\"></div>\n"
103
133
  html_body += "<div id=\"footer\">\n"
104
134
  html_body += "<div class=\"container\">\n"
105
- html_body += "<p class=\"muted credit\">&copy; <a href=\"http://dawn.codesake.com\">Dawn</a> &mdash; #{Time.now.strftime("%Y")} &mdash; engine v#{Dawn::VERSION} (#{Dawn::RELEASE})</p>\n"
135
+ html_body += "<p class=\"muted credit\">Proudly generated with <a href=\"http://dawnscanner.org\">Dawnscanner</a> &mdash; #{Time.now.strftime("%Y")} &mdash; engine v#{Dawn::VERSION} (#{Dawn::RELEASE})</p>\n"
106
136
  html_body += "</div>\n"
107
137
  html_body += "</div>\n"
108
138
  html_body += "</div>\n"
@@ -114,12 +144,14 @@ module Dawn
114
144
 
115
145
  html = html_head + html_body
116
146
 
117
- write(html)
147
+ write_html(output, html)
118
148
  true
119
149
  end
120
150
 
121
151
  def ascii_tabular_report
122
152
 
153
+ output = @engine.create_output_dir
154
+
123
155
  # 0_First table: executive summary
124
156
  rows = []
125
157
  rows << ['Dawn version', Dawn::VERSION] unless Dawn::RELEASE == "(development)"
@@ -127,32 +159,44 @@ module Dawn
127
159
  rows << ['Scan started', @engine.scan_start]
128
160
  rows << ['Scan duration', "#{@engine.scan_time.round(3)} sec"]
129
161
  rows << ['Target', @engine.target]
130
- rows << ['MVC detected framework', "#{@engine.name} v#{@engine.get_mvc_version}" ] unless @engine.name == "Gemfile.lock"
131
- rows << ['MVC detected framework', "#{@engine.force} v#{@engine.get_mvc_version}" ] if @engine.name == "Gemfile.lock"
162
+ rows << ['Framework', "#{@engine.name} v#{@engine.get_mvc_version}" ] unless @engine.name == "Gemfile.lock"
163
+ rows << ['Framework', "#{@engine.force} v#{@engine.get_mvc_version}" ] if @engine.name == "Gemfile.lock"
132
164
  if @ret
133
165
  rows << ['Applied checks', "#{@engine.applied_checks} security checks"]
134
166
  rows << ['Skipped checks', "#{@engine.skipped_checks} security checks"]
135
167
  else
136
168
  rows << ['Applied checks', "No security checks in the knowledge base"]
137
169
  end
138
- rows << ['Vulnerabilities found', @engine.count_vulnerabilities]
139
- rows << ['Mitigated issues found', @engine.mitigated_issues.count]
140
- rows << ['Reflected XSS', @engine.reflected_xss.count]
170
+ rows << ['Vulnerabilities found in dependencies', @engine.count_vulnerabilities]
171
+ rows << ['Vulnerabilities mitigated by external factors', @engine.mitigated_issues.count] unless @engine.mitigated_issues.count == 0
172
+ rows << ['Reflected XSS found', @engine.reflected_xss.count]
141
173
  table = Terminal::Table.new :title=>'Scan summary', :rows => rows
142
- puts table
174
+ write_table(File.join(output, 'summary.txt'), table)
143
175
 
176
+ # 0_a) Application structure
177
+ rows = []
178
+ rows << ['Lines of code', 'to be added soon']
179
+ rows << ['Cyclomatic complexity index', 'to be added soon']
180
+ rows << ['Models', @engine.models.count]
181
+ rows << ['Views', @engine.views.count]
182
+ rows << ['Controllers', @engine.controllers.count]
183
+ table = Terminal::Table.new :title=>'Application stats', :rows => rows
184
+ write_table(File.join(output, 'statistics.txt'), table)
144
185
 
145
186
  if @engine.count_vulnerabilities > 0
146
187
 
147
- # 1_Vulnerabilities
188
+ # 1) Vulnerabilities
189
+
190
+ # 1_a) Third party gem vulnerabilities
148
191
  rows = []
149
192
  @engine.vulnerabilities.each do |vuln|
150
- rows << [vuln[:name].justify(10), vuln[:severity], vuln[:priority], vuln[:message].justify(50), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
193
+ rows << [vuln[:name].justify(10), vuln[:severity], vuln[:message].justify(30), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
151
194
  rows << :separator
152
195
  end
153
- table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', 'Priority', 'Description', 'Solution', 'Evidences'], :rows=>rows
154
- puts table
196
+ table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', 'Description', 'Solution', 'Evidences'], :rows=>rows
197
+ write_table(File.join(output, 'third_party_vulnerabilities.txt'), table)
155
198
 
199
+ # 1_b) Refleted XXS
156
200
  rows = []
157
201
  if @engine.has_reflected_xss?
158
202
  @engine.reflected_xss.each do |vuln|
@@ -160,8 +204,7 @@ module Dawn
160
204
  rows << :separator
161
205
  end
162
206
  table = Terminal::Table.new :title=>"Reflected Cross Site Scripting", :headings=>['Sink name', 'View', 'Location the sink was read', 'Evidences'], :rows=>rows
163
- puts table
164
-
207
+ write_table(File.join(output, 'reflected_xss.txt'), table)
165
208
  end
166
209
 
167
210
  end
@@ -174,7 +217,7 @@ module Dawn
174
217
  rows << :separator
175
218
  end
176
219
  table = Terminal::Table.new :title=>"Mitigated issues", :headings=>['Issue', 'Description', 'Evidences'], :rows=>rows
177
- puts table
220
+ write_table(File.join(output, 'mitigated_issues.txt'), table)
178
221
  end
179
222
 
180
223
  true
@@ -209,7 +252,6 @@ module Dawn
209
252
  :name => v[:name],
210
253
  :cve_link => v[:cve_link],
211
254
  :severity => v[:severity],
212
- :priority => v[:priority],
213
255
  :cvss_score => v[:cvss_score],
214
256
  :message => v[:message],
215
257
  :remediation => v[:remediation]
@@ -227,51 +269,50 @@ module Dawn
227
269
 
228
270
  def ascii_plain_report
229
271
 
230
- $logger.info "scanning #{@engine.target}"
231
- $logger.info "#{@engine.name} v#{@engine.get_mvc_version} detected" unless @engine.name == "Gemfile.lock"
232
- $logger.info "#{@engine.force} v#{@engine.get_mvc_version} detected" if @engine.name == "Gemfile.lock"
233
- $logger.info "applying all security checks"
272
+ result = sprintf "%s\n", "scanning #{@engine.target}"
273
+ result += sprintf "%s\n", "#{@engine.name} v#{@engine.get_mvc_version} detected" unless @engine.name == "Gemfile.lock"
274
+ result += sprintf "%s\n", "#{@engine.force} v#{@engine.get_mvc_version} detected" if @engine.name == "Gemfile.lock"
275
+ result += sprintf "%s\n", "applying all security checks"
234
276
  if @ret
235
- $logger.info "#{@engine.applied_checks} security checks applied - #{@engine.skipped_checks} security checks skipped"
277
+ result += sprintf "%s\n", "#{@engine.applied_checks} security checks applied - #{@engine.skipped_checks} security checks skipped"
236
278
  else
237
- $logger.error "no security checks in the knowledge base"
279
+ result += sprintf "%s\n", "no security checks in the knowledge base"
238
280
  end
239
281
 
240
282
  if @engine.count_vulnerabilities != 0
241
- $logger.info "#{@engine.count_vulnerabilities} vulnerabilities found"
283
+ result += sprintf "%s\n", "#{@engine.count_vulnerabilities} vulnerabilities found"
242
284
  @engine.vulnerabilities.each do |vuln|
243
- $logger.error "#{vuln[:name]} check failed"
244
- $logger.info "Severity: #{vuln[:severity]}"
245
- $logger.info "Priority: #{vuln[:priority]}"
246
- $logger.info "Description: #{vuln[:message]}"
247
- $logger.info "Solution: #{vuln[:remediation]}"
248
- $logger.info "Evidence:"
285
+ result += sprintf "%s\n", "#{vuln[:name]} check failed\n"
286
+ result += sprintf "%s\n", "#{vuln[:message].justify(70)}"
287
+ result += sprintf "%s\n", "Evidence:"
249
288
  vuln[:evidences].each do |evidence|
250
- $logger.info "\t#{evidence}"
289
+ result += sprintf "%s\n", "\t#{evidence}"
251
290
  end
291
+ result += sprintf "\n\n"
252
292
  end
253
293
  if @engine.has_reflected_xss?
254
- $logger.info "#{@engine.reflected_xss.count} reflected XSS found"
294
+ result += sprintf "%s\n", "#{@engine.reflected_xss.count} reflected XSS found"
255
295
  @engine.reflected_xss.each do |vuln|
256
- $logger.info "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
257
- $logger.error "evidence: #{vuln[:sink_evidence]}"
296
+ result += sprintf "%s\n", "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
297
+ result += sprintf "%s\n", "evidence: #{vuln[:sink_evidence]}"
258
298
  end
259
299
  end
260
300
 
261
301
  else
262
- $logger.info "no vulnerabilities found."
302
+ result += sprintf "%s\n", "no vulnerabilities found."
263
303
  end
264
304
 
265
305
  if @engine.mitigated_issues.count != 0
266
- $logger.info "#{@engine.mitigated_issues.count} mitigated vulnerabilities found"
306
+ result += sprintf "%s\n", "#{@engine.mitigated_issues.count} mitigated vulnerabilities found"
267
307
  @engine.mitigated_issues.each do |vuln|
268
- $logger.info "#{vuln[:name]} mitigated"
308
+ result += sprintf "%s\n", "#{vuln[:name]} mitigated"
269
309
  vuln[:evidences].each do |evidence|
270
- $logger.error evidence
310
+ result += sprintf "%s\n", evidence
271
311
  end
272
312
  end
273
313
  end
274
314
 
315
+ write(result)
275
316
  true
276
317
  end
277
318
  end
data/lib/dawn/utils.rb CHANGED
@@ -1,5 +1,8 @@
1
1
  module Dawn
2
2
  module Utils
3
+ def debug_me(msg)
4
+ $logger.debug(msg) if @debug
5
+ end
3
6
 
4
7
  def debug_me_and_return_true(msg)
5
8
  __debug_me_and_return(msg, true)
@@ -7,10 +10,6 @@ module Dawn
7
10
  def debug_me_and_return_false(msg)
8
11
  __debug_me_and_return(msg, false)
9
12
  end
10
- def debug_me(msg)
11
- $logger.debug(msg) if @debug
12
- end
13
-
14
13
  def __debug_me_and_return(msg, status)
15
14
  $logger.debug(msg) if @debug
16
15
  return status
data/lib/dawn/version.rb CHANGED
@@ -1,7 +1,7 @@
1
1
  module Dawn
2
- VERSION = "1.4.2"
2
+ VERSION = "1.5.0"
3
3
  CODENAME = "Tow Mater"
4
- RELEASE = "20151013"
5
- BUILD = "5"
6
- COMMIT = "g1f95333"
4
+ RELEASE = "20151209"
5
+ BUILD = "60"
6
+ COMMIT = "g24e3b7e"
7
7
  end
data/lib/dawnscanner.rb CHANGED
@@ -8,6 +8,9 @@ require "dawn/padrino"
8
8
  require "dawn/gemfile_lock"
9
9
  require "dawn/reporter"
10
10
  require "dawn/logger"
11
- # require "codesake-commons"
11
+
12
+ # Datamapper classes
13
+ require 'data_mapper'
14
+ require "dawn/registry"
12
15
 
13
16
  require "date"
@@ -1034,4 +1034,44 @@ describe "The Codesake Dawn knowledge base" do
1034
1034
  sc.should_not be_nil
1035
1035
  sc.class.should == Dawn::Kb::CVE_2014_7818
1036
1036
  end
1037
+ it "must have test for OSVDB_120415" do
1038
+ sc = kb.find("OSVDB_120415")
1039
+ sc.should_not be_nil
1040
+ sc.class.should == Dawn::Kb::OSVDB_120415
1041
+ end
1042
+ it "must have test for OSVDB_120857" do
1043
+ sc = kb.find("OSVDB_120857")
1044
+ sc.should_not be_nil
1045
+ sc.class.should == Dawn::Kb::OSVDB_120857
1046
+ end
1047
+ it "must have test for OSVDB_121701" do
1048
+ sc = kb.find("OSVDB_121701")
1049
+ sc.should_not be_nil
1050
+ sc.class.should == Dawn::Kb::OSVDB_121701
1051
+ end
1052
+ it "must have test for CVE-2015-4020" do
1053
+ sc = kb.find("CVE-2015-4020")
1054
+ sc.should_not be_nil
1055
+ sc.class.should == Dawn::Kb::CVE_2015_4020
1056
+ end
1057
+ it "must have test for OSVDB_117903" do
1058
+ sc = kb.find("OSVDB_117903")
1059
+ sc.should_not be_nil
1060
+ sc.class.should == Dawn::Kb::OSVDB_117903
1061
+ end
1062
+ it "must have test for OSVDB_115654" do
1063
+ sc = kb.find("OSVDB_115654")
1064
+ sc.should_not be_nil
1065
+ sc.class.should == Dawn::Kb::OSVDB_115654
1066
+ end
1067
+ it "must have test for OSVDB_116010" do
1068
+ sc = kb.find("OSVDB_116010")
1069
+ sc.should_not be_nil
1070
+ sc.class.should == Dawn::Kb::OSVDB_116010
1071
+ end
1072
+ it "must have test for CVE-2015-1819" do
1073
+ sc = kb.find("CVE-2015-1819")
1074
+ sc.should_not be_nil
1075
+ sc.class.should == Dawn::Kb::CVE_2015_1819
1076
+ end
1037
1077
  end
@@ -2,7 +2,7 @@ require 'spec_helper'
2
2
  describe "The CVE-2014-3483 vulnerability" do
3
3
  before(:all) do
4
4
  @check = Dawn::Kb::CVE_2014_3483.new
5
- # @check.debug = true
5
+ @check.debug = true
6
6
  end
7
7
  it "is reported when a rails gem version 4.0.6 is detected" do
8
8
  @check.dependencies = [{:name=>"rails", :version=>"4.0.6"}]
@@ -20,4 +20,8 @@ describe "The CVE-2014-3483 vulnerability" do
20
20
  @check.dependencies = [{:name=>"rails", :version=>"4.1.3"}]
21
21
  @check.vuln?.should == false
22
22
  end
23
+ it "is not reported when a rails gem version 3.2.21 is detected" do
24
+ @check.dependencies = [{:name=>"rails", :version=>"3.2.21"}]
25
+ @check.vuln?.should == false
26
+ end
23
27
  end
@@ -0,0 +1,16 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2015-1819 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2015_1819.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when the vulnerable gem is detected" do
8
+ @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.3"}]
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is not reported when a fixed release is detected" do
12
+ @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.4"}]
13
+ @check.vuln?.should == false
14
+ end
15
+
16
+ end
@@ -0,0 +1,24 @@
1
+ require 'spec_helper'
2
+ describe "The CVE-2015-4020 vulnerability" do
3
+ before(:all) do
4
+ @check = Dawn::Kb::CVE_2015_4020.new
5
+ # @check.debug = true
6
+ end
7
+ it "is reported when the vulnerable rubygem is detected" do
8
+ @check.my_gem_version="2.4.3"
9
+ @check.vuln?.should == true
10
+ end
11
+ it "is reported when the vulnerable rubygem is detected" do
12
+ @check.my_gem_version="2.2.4"
13
+ @check.vuln?.should == true
14
+ end
15
+ it "is reported when the vulnerable rubygem is detected" do
16
+ @check.my_gem_version="2.0.16"
17
+ @check.vuln?.should == true
18
+ end
19
+ it "is not reported when a fixed release is detected" do
20
+ @check.my_gem_version="2.4.9"
21
+ @check.vuln?.should == false
22
+ end
23
+
24
+ end