dawnscanner 1.4.2 → 1.5.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.ruby-version +1 -1
- data/Changelog.md +85 -9
- data/KnowledgeBase.md +206 -5
- data/README.md +25 -25
- data/Rakefile +19 -5
- data/Roadmap.md +104 -46
- data/VERSION +10 -10
- data/bin/dawn +96 -15
- data/checksum/dawnscanner-1.4.2.gem.sha1 +1 -0
- data/dawnscanner.gemspec +21 -4
- data/doc/dawn_1_5_announcement.md +66 -0
- data/doc/{codesake-dawn.yaml.sample → dawnscanner.yaml.sample} +0 -0
- data/doc/new_knowledge_base_v1.0.md +78 -0
- data/lib/dawn/core.rb +22 -28
- data/lib/dawn/engine.rb +111 -54
- data/lib/dawn/kb/basic_check.rb +3 -0
- data/lib/dawn/kb/cve_2014_3483.rb +1 -0
- data/lib/dawn/kb/cve_2015_1819.rb +34 -0
- data/lib/dawn/kb/cve_2015_4020.rb +34 -0
- data/lib/dawn/kb/gem_check.rb +43 -0
- data/lib/dawn/kb/osvdb_115654.rb +33 -0
- data/lib/dawn/kb/osvdb_116010.rb +30 -0
- data/lib/dawn/kb/osvdb_117903.rb +30 -0
- data/lib/dawn/kb/osvdb_118954.rb +5 -3
- data/lib/dawn/kb/osvdb_119878.rb +3 -3
- data/lib/dawn/kb/osvdb_120415.rb +31 -0
- data/lib/dawn/kb/osvdb_120857.rb +34 -0
- data/lib/dawn/kb/osvdb_121701.rb +30 -0
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +23 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +16 -20
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +31 -31
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +22 -22
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +23 -23
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +25 -25
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +21 -21
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +24 -24
- data/lib/dawn/kb/version_check.rb +4 -0
- data/lib/dawn/knowledge_base.rb +36 -4
- data/lib/dawn/registry.rb +43 -0
- data/lib/dawn/reporter.rb +88 -47
- data/lib/dawn/utils.rb +3 -4
- data/lib/dawn/version.rb +4 -4
- data/lib/dawnscanner.rb +4 -1
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +40 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +5 -1
- data/spec/lib/kb/cve_2015_1819_spec.rb +16 -0
- data/spec/lib/kb/cve_2015_4020_spec.rb +24 -0
- data/spec/lib/kb/osvdb_115654_spec.rb +15 -0
- data/spec/lib/kb/osvdb_116010_spec.rb +15 -0
- data/spec/lib/kb/osvdb_117903_spec.rb +23 -0
- data/spec/lib/kb/osvdb_118954_spec.rb +13 -1
- data/spec/lib/kb/osvdb_119878_spec.rb +8 -9
- data/spec/lib/kb/osvdb_120415_spec.rb +16 -0
- data/spec/lib/kb/osvdb_120857_spec.rb +32 -0
- data/spec/lib/kb/osvdb_121701_spec.rb +15 -0
- metadata +153 -12
- metadata.gz.sig +0 -0
- data/BUGS.md +0 -14
@@ -0,0 +1,43 @@
|
|
1
|
+
module Dawn
|
2
|
+
class Registry
|
3
|
+
include DataMapper::Resource
|
4
|
+
property :id, Serial
|
5
|
+
|
6
|
+
property :target, String, :default=>""
|
7
|
+
property :registry_version, String, :default=>"0.5"
|
8
|
+
property :dawn_version, String, :default=>Dawn::VERSION
|
9
|
+
property :output_dir, String, :default=>"", :length=>255
|
10
|
+
property :scan_started, DateTime, :default=>DateTime.now
|
11
|
+
property :scan_duration, Float, :default=>0
|
12
|
+
property :scan_status, Enum[ :completed, :failed ], :default=>:failed
|
13
|
+
property :issues_found, Integer, :default=>-1
|
14
|
+
property :message, String, :default=>"", :length=>255
|
15
|
+
|
16
|
+
|
17
|
+
property :created_at, DateTime
|
18
|
+
property :created_on, Date
|
19
|
+
property :updated_at, DateTime
|
20
|
+
property :updated_on, Date
|
21
|
+
|
22
|
+
|
23
|
+
def do_save(options={})
|
24
|
+
|
25
|
+
self.target = options[:target]
|
26
|
+
self.output_dir = options[:output_dir]
|
27
|
+
self.scan_status = options[:scan_status]
|
28
|
+
self.issues_found = options[:issues_found]
|
29
|
+
self.scan_started = options[:scan_started]
|
30
|
+
self.scan_duration = options[:scan_duration]
|
31
|
+
self.message = options[:message]
|
32
|
+
|
33
|
+
save
|
34
|
+
end
|
35
|
+
|
36
|
+
def self.dump
|
37
|
+
all.each do |entry|
|
38
|
+
puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.issues_found} issues found - #{entry.output_dir}" if entry.scan_status == :completed
|
39
|
+
puts "#{entry.scan_started.strftime("[%Y-%m-%d %H:%M:%S]")} #{entry.scan_status.upcase} -- : #{entry.target}: #{entry.message}" if entry.scan_status == :failed
|
40
|
+
end
|
41
|
+
end
|
42
|
+
end
|
43
|
+
end
|
data/lib/dawn/reporter.rb
CHANGED
@@ -10,7 +10,7 @@ module Dawn
|
|
10
10
|
@format = options[:format] unless options[:format].nil?
|
11
11
|
@engine = options[:engine] unless options[:engine].nil?
|
12
12
|
|
13
|
-
@format = :
|
13
|
+
@format = :tabular unless is_valid_format?(@format)
|
14
14
|
end
|
15
15
|
|
16
16
|
def report
|
@@ -33,6 +33,33 @@ module Dawn
|
|
33
33
|
$logger.info "#{@filename} created (#{output.length} bytes)"
|
34
34
|
end
|
35
35
|
end
|
36
|
+
|
37
|
+
def write_html(path, content)
|
38
|
+
css_path = File.join(path, 'css')
|
39
|
+
js_path = File.join(path, 'js')
|
40
|
+
support_path = File.join(Dir.pwd, 'support')
|
41
|
+
|
42
|
+
FileUtils.mkdir_p(File.join(path, 'css'))
|
43
|
+
FileUtils.mkdir_p(File.join(path, 'js'))
|
44
|
+
|
45
|
+
FileUtils.cp(File.join(support_path, 'bootstrap.js'), js_path)
|
46
|
+
FileUtils.cp(File.join(support_path, 'bootstrap.min.css'), css_path)
|
47
|
+
FileUtils.cp(File.join(support_path, 'codesake.css'), css_path)
|
48
|
+
|
49
|
+
File.open(File.join(path, 'report.html'), "w") do |f|
|
50
|
+
f.puts content
|
51
|
+
end
|
52
|
+
$logger.info "#{File.join(path, 'report.html')} created (#{File.stat(File.join(path, 'report.html')).size} bytes)"
|
53
|
+
|
54
|
+
end
|
55
|
+
|
56
|
+
def write_table(path, content)
|
57
|
+
File.open(path, "w") do |f|
|
58
|
+
f.puts content
|
59
|
+
end
|
60
|
+
$logger.info "#{path} created (#{File.stat(path).size} bytes)"
|
61
|
+
end
|
62
|
+
|
36
63
|
def is_valid_format?(format)
|
37
64
|
return false if format.nil?
|
38
65
|
return true if (format == :console) || (format == :tabular) || (format == :json) || (format == :html) || (format == :csv)
|
@@ -40,10 +67,12 @@ module Dawn
|
|
40
67
|
end
|
41
68
|
|
42
69
|
def html_report
|
43
|
-
|
44
|
-
|
45
|
-
html_head
|
46
|
-
html_head += "<
|
70
|
+
output = @engine.create_output_dir
|
71
|
+
|
72
|
+
html_head = "<!doctype html>\n<html>\n<head>\n<title>Dawnscanner report for #{File.basename(@engine.target)}</title>"
|
73
|
+
html_head += "<script src=\"./js/bootstrap.js\"></script>\n"
|
74
|
+
html_head += "<link href=\"./css/codesake.css\" media=\"all\" rel=\"stylesheet\" />\n"
|
75
|
+
html_head += "<link href=\"./css/bootstrap.min.css\" media=\"all\" rel=\"stylesheet\" />\n"
|
47
76
|
html_head += "</head>\n"
|
48
77
|
html_body = "<body>\n"
|
49
78
|
html_body += ""
|
@@ -51,10 +80,10 @@ module Dawn
|
|
51
80
|
html_body += "<div class=\"container-narrow\">\n"
|
52
81
|
html_body += "<div class=\"masthead\">\n"
|
53
82
|
html_body += "<ul class=\"nav nav-pills pull-right\">\n"
|
54
|
-
html_body += "<li class=\"\"><a href=\"
|
55
|
-
html_body += "<li class=\"active\"><a href=\"https://github.com/
|
83
|
+
html_body += "<li class=\"\"><a href=\"http://dawnscanner.org\">Home</a></li>\n"
|
84
|
+
html_body += "<li class=\"active\"><a href=\"https://github.com/thesp0nge/dawnscanner\">Github repo</a></li>\n"
|
56
85
|
html_body += "</ul>\n"
|
57
|
-
html_body += "<h3 class=\"muted\">
|
86
|
+
html_body += "<h3 class=\"muted\">Dawnscanner</h3>\n"
|
58
87
|
html_body += "</div>\n"
|
59
88
|
html_body += "<h1>Security code review results for \"#{File.basename(@engine.target)}\"</h1>\n"
|
60
89
|
html_body += "<hr />\n"
|
@@ -91,10 +120,11 @@ module Dawn
|
|
91
120
|
html_body += "<hr />\n"
|
92
121
|
html_body += "<h2>Vulnerabilities found</h2>\n"
|
93
122
|
html_body += "<table class=\"table-striped table-bordered table\">\n"
|
94
|
-
html_body += "<thead><tr><td>Name</td><td>Severity</td><td>
|
123
|
+
html_body += "<thead><tr><td>Name</td><td>Severity</td><td>CVSS score</td><td>Description</td><td>Remediation</td></tr></thead>\n"
|
95
124
|
|
125
|
+
html_body += "<tbody>"
|
96
126
|
@engine.vulnerabilities.each do |vuln|
|
97
|
-
html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:
|
127
|
+
html_body += "<tr><td><a href=\"#{vuln[:cve_link]}\">#{vuln[:name]}</a></td><td>#{vuln[:severity]}</td><td>#{vuln[:cvss_score]}</td><td>#{vuln[:message]}</td><td>#{vuln[:remediation]}</td></tr>\n"
|
98
128
|
end
|
99
129
|
html_body += "</tbody>\n"
|
100
130
|
html_body += "</table>\n"
|
@@ -102,7 +132,7 @@ module Dawn
|
|
102
132
|
html_body += "<div id=\"push\"></div>\n"
|
103
133
|
html_body += "<div id=\"footer\">\n"
|
104
134
|
html_body += "<div class=\"container\">\n"
|
105
|
-
html_body += "<p class=\"muted credit\"
|
135
|
+
html_body += "<p class=\"muted credit\">Proudly generated with <a href=\"http://dawnscanner.org\">Dawnscanner</a> — #{Time.now.strftime("%Y")} — engine v#{Dawn::VERSION} (#{Dawn::RELEASE})</p>\n"
|
106
136
|
html_body += "</div>\n"
|
107
137
|
html_body += "</div>\n"
|
108
138
|
html_body += "</div>\n"
|
@@ -114,12 +144,14 @@ module Dawn
|
|
114
144
|
|
115
145
|
html = html_head + html_body
|
116
146
|
|
117
|
-
|
147
|
+
write_html(output, html)
|
118
148
|
true
|
119
149
|
end
|
120
150
|
|
121
151
|
def ascii_tabular_report
|
122
152
|
|
153
|
+
output = @engine.create_output_dir
|
154
|
+
|
123
155
|
# 0_First table: executive summary
|
124
156
|
rows = []
|
125
157
|
rows << ['Dawn version', Dawn::VERSION] unless Dawn::RELEASE == "(development)"
|
@@ -127,32 +159,44 @@ module Dawn
|
|
127
159
|
rows << ['Scan started', @engine.scan_start]
|
128
160
|
rows << ['Scan duration', "#{@engine.scan_time.round(3)} sec"]
|
129
161
|
rows << ['Target', @engine.target]
|
130
|
-
rows << ['
|
131
|
-
rows << ['
|
162
|
+
rows << ['Framework', "#{@engine.name} v#{@engine.get_mvc_version}" ] unless @engine.name == "Gemfile.lock"
|
163
|
+
rows << ['Framework', "#{@engine.force} v#{@engine.get_mvc_version}" ] if @engine.name == "Gemfile.lock"
|
132
164
|
if @ret
|
133
165
|
rows << ['Applied checks', "#{@engine.applied_checks} security checks"]
|
134
166
|
rows << ['Skipped checks', "#{@engine.skipped_checks} security checks"]
|
135
167
|
else
|
136
168
|
rows << ['Applied checks', "No security checks in the knowledge base"]
|
137
169
|
end
|
138
|
-
rows << ['Vulnerabilities found', @engine.count_vulnerabilities]
|
139
|
-
rows << ['
|
140
|
-
rows << ['Reflected XSS', @engine.reflected_xss.count]
|
170
|
+
rows << ['Vulnerabilities found in dependencies', @engine.count_vulnerabilities]
|
171
|
+
rows << ['Vulnerabilities mitigated by external factors', @engine.mitigated_issues.count] unless @engine.mitigated_issues.count == 0
|
172
|
+
rows << ['Reflected XSS found', @engine.reflected_xss.count]
|
141
173
|
table = Terminal::Table.new :title=>'Scan summary', :rows => rows
|
142
|
-
|
174
|
+
write_table(File.join(output, 'summary.txt'), table)
|
143
175
|
|
176
|
+
# 0_a) Application structure
|
177
|
+
rows = []
|
178
|
+
rows << ['Lines of code', 'to be added soon']
|
179
|
+
rows << ['Cyclomatic complexity index', 'to be added soon']
|
180
|
+
rows << ['Models', @engine.models.count]
|
181
|
+
rows << ['Views', @engine.views.count]
|
182
|
+
rows << ['Controllers', @engine.controllers.count]
|
183
|
+
table = Terminal::Table.new :title=>'Application stats', :rows => rows
|
184
|
+
write_table(File.join(output, 'statistics.txt'), table)
|
144
185
|
|
145
186
|
if @engine.count_vulnerabilities > 0
|
146
187
|
|
147
|
-
#
|
188
|
+
# 1) Vulnerabilities
|
189
|
+
|
190
|
+
# 1_a) Third party gem vulnerabilities
|
148
191
|
rows = []
|
149
192
|
@engine.vulnerabilities.each do |vuln|
|
150
|
-
rows << [vuln[:name].justify(10), vuln[:severity], vuln[:
|
193
|
+
rows << [vuln[:name].justify(10), vuln[:severity], vuln[:message].justify(30), vuln[:remediation].justify(15), vuln[:evidences].join.justify(15)]
|
151
194
|
rows << :separator
|
152
195
|
end
|
153
|
-
table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', '
|
154
|
-
|
196
|
+
table = Terminal::Table.new :title=>"Vulnerabilities", :headings=>['Issue', 'Severity', 'Description', 'Solution', 'Evidences'], :rows=>rows
|
197
|
+
write_table(File.join(output, 'third_party_vulnerabilities.txt'), table)
|
155
198
|
|
199
|
+
# 1_b) Refleted XXS
|
156
200
|
rows = []
|
157
201
|
if @engine.has_reflected_xss?
|
158
202
|
@engine.reflected_xss.each do |vuln|
|
@@ -160,8 +204,7 @@ module Dawn
|
|
160
204
|
rows << :separator
|
161
205
|
end
|
162
206
|
table = Terminal::Table.new :title=>"Reflected Cross Site Scripting", :headings=>['Sink name', 'View', 'Location the sink was read', 'Evidences'], :rows=>rows
|
163
|
-
|
164
|
-
|
207
|
+
write_table(File.join(output, 'reflected_xss.txt'), table)
|
165
208
|
end
|
166
209
|
|
167
210
|
end
|
@@ -174,7 +217,7 @@ module Dawn
|
|
174
217
|
rows << :separator
|
175
218
|
end
|
176
219
|
table = Terminal::Table.new :title=>"Mitigated issues", :headings=>['Issue', 'Description', 'Evidences'], :rows=>rows
|
177
|
-
|
220
|
+
write_table(File.join(output, 'mitigated_issues.txt'), table)
|
178
221
|
end
|
179
222
|
|
180
223
|
true
|
@@ -209,7 +252,6 @@ module Dawn
|
|
209
252
|
:name => v[:name],
|
210
253
|
:cve_link => v[:cve_link],
|
211
254
|
:severity => v[:severity],
|
212
|
-
:priority => v[:priority],
|
213
255
|
:cvss_score => v[:cvss_score],
|
214
256
|
:message => v[:message],
|
215
257
|
:remediation => v[:remediation]
|
@@ -227,51 +269,50 @@ module Dawn
|
|
227
269
|
|
228
270
|
def ascii_plain_report
|
229
271
|
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
272
|
+
result = sprintf "%s\n", "scanning #{@engine.target}"
|
273
|
+
result += sprintf "%s\n", "#{@engine.name} v#{@engine.get_mvc_version} detected" unless @engine.name == "Gemfile.lock"
|
274
|
+
result += sprintf "%s\n", "#{@engine.force} v#{@engine.get_mvc_version} detected" if @engine.name == "Gemfile.lock"
|
275
|
+
result += sprintf "%s\n", "applying all security checks"
|
234
276
|
if @ret
|
235
|
-
|
277
|
+
result += sprintf "%s\n", "#{@engine.applied_checks} security checks applied - #{@engine.skipped_checks} security checks skipped"
|
236
278
|
else
|
237
|
-
|
279
|
+
result += sprintf "%s\n", "no security checks in the knowledge base"
|
238
280
|
end
|
239
281
|
|
240
282
|
if @engine.count_vulnerabilities != 0
|
241
|
-
|
283
|
+
result += sprintf "%s\n", "#{@engine.count_vulnerabilities} vulnerabilities found"
|
242
284
|
@engine.vulnerabilities.each do |vuln|
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
$logger.info "Description: #{vuln[:message]}"
|
247
|
-
$logger.info "Solution: #{vuln[:remediation]}"
|
248
|
-
$logger.info "Evidence:"
|
285
|
+
result += sprintf "%s\n", "#{vuln[:name]} check failed\n"
|
286
|
+
result += sprintf "%s\n", "#{vuln[:message].justify(70)}"
|
287
|
+
result += sprintf "%s\n", "Evidence:"
|
249
288
|
vuln[:evidences].each do |evidence|
|
250
|
-
|
289
|
+
result += sprintf "%s\n", "\t#{evidence}"
|
251
290
|
end
|
291
|
+
result += sprintf "\n\n"
|
252
292
|
end
|
253
293
|
if @engine.has_reflected_xss?
|
254
|
-
|
294
|
+
result += sprintf "%s\n", "#{@engine.reflected_xss.count} reflected XSS found"
|
255
295
|
@engine.reflected_xss.each do |vuln|
|
256
|
-
|
257
|
-
|
296
|
+
result += sprintf "%s\n", "request parameter \"#{vuln[:sink_source]}\" is used without escaping in #{vuln[:sink_view]}. It was read here: #{vuln[:sink_file]}@#{vuln[:sink_line]}"
|
297
|
+
result += sprintf "%s\n", "evidence: #{vuln[:sink_evidence]}"
|
258
298
|
end
|
259
299
|
end
|
260
300
|
|
261
301
|
else
|
262
|
-
|
302
|
+
result += sprintf "%s\n", "no vulnerabilities found."
|
263
303
|
end
|
264
304
|
|
265
305
|
if @engine.mitigated_issues.count != 0
|
266
|
-
|
306
|
+
result += sprintf "%s\n", "#{@engine.mitigated_issues.count} mitigated vulnerabilities found"
|
267
307
|
@engine.mitigated_issues.each do |vuln|
|
268
|
-
|
308
|
+
result += sprintf "%s\n", "#{vuln[:name]} mitigated"
|
269
309
|
vuln[:evidences].each do |evidence|
|
270
|
-
|
310
|
+
result += sprintf "%s\n", evidence
|
271
311
|
end
|
272
312
|
end
|
273
313
|
end
|
274
314
|
|
315
|
+
write(result)
|
275
316
|
true
|
276
317
|
end
|
277
318
|
end
|
data/lib/dawn/utils.rb
CHANGED
@@ -1,5 +1,8 @@
|
|
1
1
|
module Dawn
|
2
2
|
module Utils
|
3
|
+
def debug_me(msg)
|
4
|
+
$logger.debug(msg) if @debug
|
5
|
+
end
|
3
6
|
|
4
7
|
def debug_me_and_return_true(msg)
|
5
8
|
__debug_me_and_return(msg, true)
|
@@ -7,10 +10,6 @@ module Dawn
|
|
7
10
|
def debug_me_and_return_false(msg)
|
8
11
|
__debug_me_and_return(msg, false)
|
9
12
|
end
|
10
|
-
def debug_me(msg)
|
11
|
-
$logger.debug(msg) if @debug
|
12
|
-
end
|
13
|
-
|
14
13
|
def __debug_me_and_return(msg, status)
|
15
14
|
$logger.debug(msg) if @debug
|
16
15
|
return status
|
data/lib/dawn/version.rb
CHANGED
data/lib/dawnscanner.rb
CHANGED
@@ -1034,4 +1034,44 @@ describe "The Codesake Dawn knowledge base" do
|
|
1034
1034
|
sc.should_not be_nil
|
1035
1035
|
sc.class.should == Dawn::Kb::CVE_2014_7818
|
1036
1036
|
end
|
1037
|
+
it "must have test for OSVDB_120415" do
|
1038
|
+
sc = kb.find("OSVDB_120415")
|
1039
|
+
sc.should_not be_nil
|
1040
|
+
sc.class.should == Dawn::Kb::OSVDB_120415
|
1041
|
+
end
|
1042
|
+
it "must have test for OSVDB_120857" do
|
1043
|
+
sc = kb.find("OSVDB_120857")
|
1044
|
+
sc.should_not be_nil
|
1045
|
+
sc.class.should == Dawn::Kb::OSVDB_120857
|
1046
|
+
end
|
1047
|
+
it "must have test for OSVDB_121701" do
|
1048
|
+
sc = kb.find("OSVDB_121701")
|
1049
|
+
sc.should_not be_nil
|
1050
|
+
sc.class.should == Dawn::Kb::OSVDB_121701
|
1051
|
+
end
|
1052
|
+
it "must have test for CVE-2015-4020" do
|
1053
|
+
sc = kb.find("CVE-2015-4020")
|
1054
|
+
sc.should_not be_nil
|
1055
|
+
sc.class.should == Dawn::Kb::CVE_2015_4020
|
1056
|
+
end
|
1057
|
+
it "must have test for OSVDB_117903" do
|
1058
|
+
sc = kb.find("OSVDB_117903")
|
1059
|
+
sc.should_not be_nil
|
1060
|
+
sc.class.should == Dawn::Kb::OSVDB_117903
|
1061
|
+
end
|
1062
|
+
it "must have test for OSVDB_115654" do
|
1063
|
+
sc = kb.find("OSVDB_115654")
|
1064
|
+
sc.should_not be_nil
|
1065
|
+
sc.class.should == Dawn::Kb::OSVDB_115654
|
1066
|
+
end
|
1067
|
+
it "must have test for OSVDB_116010" do
|
1068
|
+
sc = kb.find("OSVDB_116010")
|
1069
|
+
sc.should_not be_nil
|
1070
|
+
sc.class.should == Dawn::Kb::OSVDB_116010
|
1071
|
+
end
|
1072
|
+
it "must have test for CVE-2015-1819" do
|
1073
|
+
sc = kb.find("CVE-2015-1819")
|
1074
|
+
sc.should_not be_nil
|
1075
|
+
sc.class.should == Dawn::Kb::CVE_2015_1819
|
1076
|
+
end
|
1037
1077
|
end
|
@@ -2,7 +2,7 @@ require 'spec_helper'
|
|
2
2
|
describe "The CVE-2014-3483 vulnerability" do
|
3
3
|
before(:all) do
|
4
4
|
@check = Dawn::Kb::CVE_2014_3483.new
|
5
|
-
|
5
|
+
@check.debug = true
|
6
6
|
end
|
7
7
|
it "is reported when a rails gem version 4.0.6 is detected" do
|
8
8
|
@check.dependencies = [{:name=>"rails", :version=>"4.0.6"}]
|
@@ -20,4 +20,8 @@ describe "The CVE-2014-3483 vulnerability" do
|
|
20
20
|
@check.dependencies = [{:name=>"rails", :version=>"4.1.3"}]
|
21
21
|
@check.vuln?.should == false
|
22
22
|
end
|
23
|
+
it "is not reported when a rails gem version 3.2.21 is detected" do
|
24
|
+
@check.dependencies = [{:name=>"rails", :version=>"3.2.21"}]
|
25
|
+
@check.vuln?.should == false
|
26
|
+
end
|
23
27
|
end
|
@@ -0,0 +1,16 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2015-1819 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2015_1819.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when the vulnerable gem is detected" do
|
8
|
+
@check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.3"}]
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is not reported when a fixed release is detected" do
|
12
|
+
@check.dependencies = [{:name=>"nokogiri", :version=>"1.6.6.4"}]
|
13
|
+
@check.vuln?.should == false
|
14
|
+
end
|
15
|
+
|
16
|
+
end
|
@@ -0,0 +1,24 @@
|
|
1
|
+
require 'spec_helper'
|
2
|
+
describe "The CVE-2015-4020 vulnerability" do
|
3
|
+
before(:all) do
|
4
|
+
@check = Dawn::Kb::CVE_2015_4020.new
|
5
|
+
# @check.debug = true
|
6
|
+
end
|
7
|
+
it "is reported when the vulnerable rubygem is detected" do
|
8
|
+
@check.my_gem_version="2.4.3"
|
9
|
+
@check.vuln?.should == true
|
10
|
+
end
|
11
|
+
it "is reported when the vulnerable rubygem is detected" do
|
12
|
+
@check.my_gem_version="2.2.4"
|
13
|
+
@check.vuln?.should == true
|
14
|
+
end
|
15
|
+
it "is reported when the vulnerable rubygem is detected" do
|
16
|
+
@check.my_gem_version="2.0.16"
|
17
|
+
@check.vuln?.should == true
|
18
|
+
end
|
19
|
+
it "is not reported when a fixed release is detected" do
|
20
|
+
@check.my_gem_version="2.4.9"
|
21
|
+
@check.vuln?.should == false
|
22
|
+
end
|
23
|
+
|
24
|
+
end
|