RubyGems - dawnscanner - Versions diffs - 1.5.2 → 1.6.0 - Mend

dawnscanner 1.5.2 → 1.6.0

Files changed (54) hide show

checksums.yaml +4 -4
checksums.yaml.gz.sig +0 -0
data.tar.gz.sig +0 -0
data/.travis.yml +8 -1
data/Changelog.md +64 -1
data/KnowledgeBase.md +38 -2
data/README.md +2 -1
data/VERSION +2 -3
data/bin/dawn +2 -0
data/checksum/dawnscanner-1.5.2.gem.sha1 +1 -0
data/lib/dawn/kb/cve_2015_5312.rb +30 -0
data/lib/dawn/kb/cve_2015_7497.rb +32 -0
data/lib/dawn/kb/cve_2015_7498.rb +32 -0
data/lib/dawn/kb/cve_2015_7499.rb +32 -0
data/lib/dawn/kb/cve_2015_7500.rb +32 -0
data/lib/dawn/kb/cve_2015_7519.rb +31 -0
data/lib/dawn/kb/cve_2015_7541.rb +31 -0
data/lib/dawn/kb/cve_2015_7576.rb +35 -0
data/lib/dawn/kb/cve_2015_7577.rb +32 -0
data/lib/dawn/kb/cve_2015_7578.rb +30 -0
data/lib/dawn/kb/cve_2015_7579.rb +30 -0
data/lib/dawn/kb/cve_2015_7581.rb +33 -0
data/lib/dawn/kb/cve_2015_8241.rb +32 -0
data/lib/dawn/kb/cve_2015_8242.rb +32 -0
data/lib/dawn/kb/cve_2015_8317.rb +32 -0
data/lib/dawn/kb/cve_2016_0751.rb +30 -0
data/lib/dawn/kb/cve_2016_0752.rb +35 -0
data/lib/dawn/kb/cve_2016_0753.rb +31 -0
data/lib/dawn/kb/version_check.rb +61 -29
data/lib/dawn/knowledge_base.rb +39 -1
data/lib/dawn/reporter.rb +17 -8
data/lib/dawn/version.rb +4 -4
data/spec/lib/dawn/codesake_knowledgebase_spec.rb +90 -0
data/spec/lib/kb/codesake_version_check_spec.rb +2 -2
data/spec/lib/kb/cve_2015_5312_spec.rb +31 -0
data/spec/lib/kb/cve_2015_7497_spec.rb +31 -0
data/spec/lib/kb/cve_2015_7498_spec.rb +31 -0
data/spec/lib/kb/cve_2015_7499_spec.rb +31 -0
data/spec/lib/kb/cve_2015_7500_spec.rb +31 -0
data/spec/lib/kb/cve_2015_7519_spec.rb +23 -0
data/spec/lib/kb/cve_2015_7541_spec.rb +15 -0
data/spec/lib/kb/cve_2015_7576_spec.rb +51 -0
data/spec/lib/kb/cve_2015_7577_spec.rb +51 -0
data/spec/lib/kb/cve_2015_7578_spec.rb +15 -0
data/spec/lib/kb/cve_2015_7579_spec.rb +23 -0
data/spec/lib/kb/cve_2015_7581_spec.rb +51 -0
data/spec/lib/kb/cve_2015_8241_spec.rb +31 -0
data/spec/lib/kb/cve_2015_8242_spec.rb +31 -0
data/spec/lib/kb/cve_2015_8317_spec.rb +31 -0
data/spec/lib/kb/cve_2016_0751_spec.rb +51 -0
data/spec/lib/kb/cve_2016_0752_spec.rb +51 -0
data/spec/lib/kb/cve_2016_0753_spec.rb +51 -0
metadata +57 -2
metadata.gz.sig +0 -0

data/lib/dawn/kb/cve_2015_7577.rb ADDED Viewed

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-01-29
+			class CVE_2015_7577
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled."
+          super({
+            :title=>title,
+            :name=> "CVE-2015-7577",
+            :cve=>"2015-7577",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade activerecord gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.save_minor=true
+          self.save_major=true
+          self.safe_dependencies = [{:name=>"activerecord", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_7578.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-01
+			class CVE_2015_7578
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "There is a possible XSS vulnerability in rails-html-sanitizer. Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-7578",
+            :cve=>"2015-7578",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails-html-sanitizer gem to version 1.0.3 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+           self.safe_dependencies = [{:name=>"rails-html-sanitizer", :version=>['1.0.3']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_7579.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-01-31
+			class CVE_2015_7579
+				include DependencyCheck
+				def initialize
+          message = "There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags. Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags these entities will be unescaped what may cause a XSS attack if used in combination with raw or html_safe."
+          super({
+            :title=>title,
+            :name=> "CVE-2015-7579",
+            :cve=>"2015-7579",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rails-html-sanitizer to version 1.0.3 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.safe_dependencies = [{:name=>"rails-html-sanitizer", :version=>['1.0.3']}]
+          self.not_affected = {:name=>"rails-html-sanitizer", :version=>['1.0.0', '1.0.1']}
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_7581.rb ADDED Viewed

@@ -0,0 +1,33 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-01
+			class CVE_2015_7581
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "There is an object leak vulnerability for wildcard controllers in Action Pack. Users that have a route that contains the string \":controller\" are susceptible to objects being leaked globally which can lead to unbounded memory growth. "
+            super({
+            :title=>title,
+            :name=> "CVE-2015-7581",
+            :cve=>"2015-7581",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade actionpack gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.save_minor=true
+          self.save_major=true
+          self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_8241.rb ADDED Viewed

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_8241
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message ="The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data."
+           super({
+            :title=>title,
+            :name=> "CVE-2015-8241",
+            :cve=>"2015-8241",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:P",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_8242.rb ADDED Viewed

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_8242
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data."
+          super({
+            :title=>title,
+            :name=> "CVE-2015-8242",
+            :cve=>"2015-8242",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:P",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2015_8317.rb ADDED Viewed

@@ -0,0 +1,32 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-02
+			class CVE_2015_8317
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read"
+           super({
+            :title=>title,
+            :name=> "CVE-2015-8317",
+            :cve=>"2015-8317",
+            :osvdb=>"",
+            :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
+            :release_date => Date.new(2015, 12, 15),
+            :cwe=>"119",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
+            :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
+           })
+           self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
+           self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2016_0751.rb ADDED Viewed

@@ -0,0 +1,30 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-01-28
+			class CVE_2016_0751
+				# Include the testing skeleton for this CVE
+				include DependencyCheck
+				def initialize
+          message = "There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack."
+          super({
+            :title=>title,
+            :name=> "CVE-2016-0751",
+            :cve=>"2016-0751",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade actionpack gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2016_0752.rb ADDED Viewed

@@ -0,0 +1,35 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-01-31
+			class CVE_2016_0752
+				# Include the testing skeleton for this CVE
+				# include PatternMatchCheck
+				include DependencyCheck
+				# include RubyVersionCheck
+				def initialize
+          message = "There is a possible directory traversal and information leak vulnerability in Action View. Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability."
+          super({
+            :title=>title,
+            :name=> "CVE-2016-0752",
+            :cve=>"2016-0752",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade actionview gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.save_minor=true
+          self.save_major=true
+          self.safe_dependencies = [{:name=>"actionview", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/cve_2016_0753.rb ADDED Viewed

@@ -0,0 +1,31 @@
+module Dawn
+		module Kb
+			# Automatically created with rake on 2016-02-01
+			class CVE_2016_0753
+				include DependencyCheck
+				def initialize
+          message = "There is a possible input validation circumvention vulnerability in Active Model. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations."
+           super({
+            :title=>title,
+            :name=> "CVE-2016-0753",
+            :cve=>"2016-0753",
+            :osvdb=>"",
+            :cvss=>"",
+            :release_date => Date.new(2016, 1, 26),
+            :cwe=>"",
+            :owasp=>"A9",
+            :applies=>["rails", "sinatra", "padrino"],
+            :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade activemodel gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
+            :aux_links=>["http://securitytracker.com/id/1034816"]
+           })
+          self.save_minor=true
+          self.save_major=true
+          self.safe_dependencies = [{:name=>"activemodel", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
+				end
+			end
+		end
+end

data/lib/dawn/kb/version_check.rb CHANGED Viewed

@@ -42,6 +42,7 @@ module Dawn
         return debug_me_and_return_false("detected version #{@detected} is higher than all version marked safe")  if is_detected_highest?
         @safe.sort.each do |s|
+          debug_me "vuln?: evaluating #{@detected} against save version: #{s}"
           @save_minor_fix   = save_minor_fix
           @save_major_fix   = save_major_fix
@@ -49,7 +50,7 @@ module Dawn
           vuln  = is_vulnerable_version?(s, @detected)
-          debug_me "VULN=#{vuln} SAVE_MINOR=#{@save_minor_fix} SAVE_MAJOR=#{@save_major_fix}"
+          debug_me "DETECTED #{@detected} is marked VULN=#{vuln} against #{s} ( SAVE_MINOR_FIX=#{@save_minor_fix} SAVE_MAJOR_FIX=#{@save_major_fix})"
           return true if vuln
         end
@@ -102,6 +103,10 @@ module Dawn
         # patchlevel is 0 for sake of comparison.
         aa[:version] << 0 if aa[:version].count == 2
         ba[:version] << 0 if ba[:version].count == 2
+        # Handling a = '1.2.3.4' and b = '1.2.3'
+        ba[:version] << 0 if aa[:version].count == 4 and ba[:version].count == 3
         ver = true if aa[:version][0] > ba[:version][0]
         ver = true if aa[:version][0] == ba[:version][0] && aa[:version][1] > ba[:version][1]
         ver = true if aa[:version].count == 3 && ba[:version].count == 3 && aa[:version][0] == ba[:version][0] && aa[:version][1] == ba[:version][1] && aa[:version][2] > ba[:version][2]
@@ -164,9 +169,12 @@ module Dawn
         dva = version_string_to_array(@detected)[:version]
         @safe.sort.each do |s|
           sva = version_string_to_array(s)[:version]
-          debug_me("#SVA=#{sva};DVA=#{dva};SM=#{is_same_major?(sva, dva)};sm=#{is_same_minor?(sva, dva)}; ( dva[2] >= sva[2] )=#{(dva[2] >= sva[2])}")
-          return true if is_same_major?(sva, dva) && is_same_minor?(sva, dva) && dva[2] >= sva[2] && hm
-          return true if is_same_major?(sva, dva) && hm
+          sM = is_same_major?(sva, dva)
+          sm = is_same_minor?(sva, dva)
+          debug_me("save_minor_fix: SVA=#{sva};DVA=#{dva};SAME_MAJOR? = #{sM}; SAME_MINOR?=#{sm}; ( dva[2] >= sva[2] )=#{(dva[2] >= sva[2])}")
+          debug_me("save_minor_fix: is_there_higher_minor_version? = #{hm}")
+          return true if sM and sm and dva[2] >= sva[2] && hm
+          return true if sM and hm
         end
         return false
       end
@@ -204,6 +212,8 @@ module Dawn
         return (safe_version[2] > detected_version[2])
       end
       def is_vulnerable_aux_patch?(safe_version, detected_version)
+        debug_me "is_vulnerable_aux_patch?: SV[3]=#{safe_version[3]}, DV[3]=#{detected_version[3]}"
+        return true if detected_version[3].nil? and ! safe_version[3].nil?
         return false if safe_version[3].nil? || detected_version[3].nil?
         return (safe_version[3] > detected_version[3])
       end
@@ -221,7 +231,7 @@ module Dawn
           # safe version is kinda more complex e.g. 2.3.2
           # in this case we return the version is vulnerable if the
           # detected_version major is less or equal the safe one.
-          return (safe_version[0] <= detected_version[0])
+          return (safe_version[0] < detected_version[0])
         end
         # support for x as safe minor version
@@ -232,7 +242,7 @@ module Dawn
         return false if safe_version[1] <= detected_version[1]
       end
-      def is_same_version?(safe_version_array, detected_version_array)
+      def is_same_version?(safe_version_array, detected_version_array, limit=false)
         ret = false
         ret = true if (safe_version_array[0] == detected_version_array[0]) if (safe_version_array[1] == 'x')
@@ -240,6 +250,15 @@ module Dawn
         ret = true if (safe_version_array[0] == detected_version_array[0]) && (safe_version_array[1] == detected_version_array[1]) && (safe_version_array[2] == detected_version_array[2]) && (safe_version_array.count == 3) && (detected_version_array.count == 3)
         ret = true if (safe_version_array[0] == detected_version_array[0]) && (safe_version_array[1] == detected_version_array[1]) && (safe_version_array[2] == detected_version_array[2]) && (safe_version_array[3] == detected_version_array[3]) && (safe_version_array.count == 4) && (detected_version_array.count == 4)
+        if limit
+          # this if handles comparison limited to first 3 items in version arrays
+          # eg. in case of a beta release, the array is [5,0,0,1] meaning
+          # 5.0.0.beta1. Of course it must be handled in a different way than
+          # 5.0.0.1 release that it will result in the same array
+          debug_me "is_same_version? with limit=TRUE"
+          ret = true if (safe_version_array[0] == detected_version_array[0]) && (safe_version_array[1] == detected_version_array[1]) && (safe_version_array[2] == detected_version_array[2])
+        end
         debug_me "is_same_version? SVA=#{safe_version_array} DVA=#{detected_version_array} RET=#{ret}"
         return ret
@@ -250,16 +269,19 @@ module Dawn
       #########################
       def is_beta_check?(safe_version_beta, detected_version_beta)
-        ( safe_version_beta != 0 || detected_version_beta != 0)
+        ( safe_version_beta != -1 || detected_version_beta != -1)
       end
       def is_vulnerable_beta?(safe_version_beta, detected_version_beta)
         # if the safe_version_beta is 0 then the detected_version_beta is
         # vulnerable by design, since the safe version is a stable and we
         # detected a beta.
-        return true if safe_version_beta == 0 && detected_version_beta != 0
-        return false if safe_version_beta <= detected_version_beta
-        return true if safe_version_beta > detected_version_beta
+        debug_me("is_vulnerable_beta?: safe_version_beta=#{safe_version_beta} - detected_version_beta=#{detected_version_beta}")
+        return debug_me_and_return_false("is_vulnerable_beta? = FALSE") if safe_version_beta != -1 and detected_version_beta == -1
+        return debug_me_and_return_true("is_vulnerable_beta? = TRUE") if safe_version_beta == -1 and detected_version_beta != -1
+        return debug_me_and_return_true("is_vulnerable_beta? = TRUE") if safe_version_beta == 0 && detected_version_beta != -1
+        return debug_me_and_return_false("is_vulnerable_beta? = FALSE") if safe_version_beta <= detected_version_beta
+        return debug_me_and_return_true("is_vulnerable_beta? = TRUE") if safe_version_beta > detected_version_beta
         # fallback
         return false
@@ -271,7 +293,7 @@ module Dawn
       #########################
       def is_rc_check?(safe_version_rc, detected_version_rc)
-        ( safe_version_rc != 0 || detected_version_rc != 0)
+        ( safe_version_rc != -1 || detected_version_rc != -1 )
       end
       def is_vulnerable_rc?(safe_version_rc, detected_version_rc)
@@ -279,10 +301,13 @@ module Dawn
         # vulnerable by design, since the safe version is a stable and we
         # detected a rc.
         debug_me "entering is_vulnerable_rc?: s=#{safe_version_rc}, d=#{detected_version_rc}"
-        return true if safe_version_rc == 0 && detected_version_rc != 0
-        return false if safe_version_rc != 0 && detected_version_rc == 0
-        return false if safe_version_rc <= detected_version_rc
-        return true if safe_version_rc > detected_version_rc
+        return debug_me_and_return_false("is_vulnerable_rc? = FALSE") if detected_version_rc == -1
+        return debug_me_and_return_false("is_vulnerable_rc? = FALSE") if safe_version_rc != -1 and detected_version_rc == -1
+        return debug_me_and_return_true("is_vulnerable_rc? = TRUE") if safe_version_rc == -1 and detected_version_rc != -1
+        return debug_me_and_return_true("is_vulnerable_rc? = TRUE") if safe_version_rc == 0 && detected_version_rc != -1
+        return debug_me_and_return_false("is_vulnerable_rc? = FALSE") if safe_version_rc <= detected_version_rc
+        return debug_me_and_return_true("is_vulnerable_rc? = TRUE") if safe_version_rc > detected_version_rc
         # fallback
         return false
@@ -294,16 +319,19 @@ module Dawn
       #########################
       def is_pre_check?(safe_version_pre, detected_version_pre)
-        ( safe_version_pre != 0 || detected_version_pre != 0)
+        ( safe_version_pre != -1 || detected_version_pre != -1 )
       end
       def is_vulnerable_pre?(safe_version_pre, detected_version_pre)
         # if the safe_version_pre is 0 then the detected_version_pre is
         # vulnerable by design, since the safe version is a stable and we
         # detected a pre.
-        return true if safe_version_pre == 0 && detected_version_pre != 0
-        return false if safe_version_pre <= detected_version_pre
-        return true if safe_version_pre > detected_version_pre
+        return debug_me_and_return_false("is_vulnerable_pre? = FALSE") if safe_version_pre != -1 and detected_version_pre == -1
+        return debug_me_and_return_true("is_vulnerable_pre? = TRUE") if safe_version_pre == -1 and detected_version_pre != -1
+        return debug_me_and_return_true("is_vulnerable_pre? = TRUE") if safe_version_pre == 0 && detected_version_pre != -1
+        return debug_me_and_return_false("is_vulnerable_pre? = FALSE") if safe_version_pre <= detected_version_pre
+        return debug_me_and_return_true("is_vulnerable_pre? = TRUE") if safe_version_pre > detected_version_pre
         # fallback
         return false
@@ -312,6 +340,8 @@ module Dawn
       def is_vulnerable_version?(safe_version, detected_version)
         sva = version_string_to_array(safe_version)
         dva = version_string_to_array(detected_version)
+        debug_me("SVA=#{sva.inspect}")
+        debug_me("DVA=#{dva.inspect}")
         safe_version_array = sva[:version]
         detected_version_array = dva[:version]
@@ -323,11 +353,13 @@ module Dawn
         patch = is_vulnerable_patch?(safe_version_array, detected_version_array)
         aux_patch = is_vulnerable_aux_patch?(safe_version_array, detected_version_array)
-        debug_me "is_vulnerable_version? S=#{safe_version},D=#{detected_version} -> MAJOR=#{major} MINOR=#{minor} PATCH=#{patch} AUX_PATCH=#{aux_patch} SAVE_MINOR=#{@save_minor_fix} SAVE_MAJOR=#{@save_major_fix}"
+        debug_me "is_vulnerable_version? SAVE_VERSION=#{safe_version},DETECTED=#{detected_version} -> IS_VULN_MAJOR?=#{major} IS_VULN_MINOR?=#{minor} IS_VULN_PATCH?=#{patch} IS_VULN_AUX_PATCH=#{aux_patch} SAVE_MINOR_FIX=#{@save_minor_fix} SAVE_MAJOR_FIX=#{@save_major_fix}"
+        return debug_me_and_return_false("#{detected_version} doesn't have a vulnerable MAJOR number") if is_higher_major?(detected_version, safe_version) #and minor and patch
-        return is_vulnerable_beta?(sva[:beta], dva[:beta]) if is_same_version?(safe_version_array, detected_version_array) && is_beta_check?(sva[:beta], dva[:beta])
-        return is_vulnerable_rc?(sva[:rc], dva[:rc]) if is_same_version?(safe_version_array, detected_version_array) && is_rc_check?(sva[:rc], dva[:rc])
-        return is_vulnerable_pre?(sva[:pre], dva[:pre]) if is_same_version?(safe_version_array, detected_version_array) && is_pre_check?(sva[:pre], dva[:pre])
+        return is_vulnerable_beta?(sva[:beta], dva[:beta]) if is_same_version?(safe_version_array, detected_version_array, true) && is_beta_check?(sva[:beta], dva[:beta])
+        return is_vulnerable_rc?(sva[:rc], dva[:rc]) if is_same_version?(safe_version_array, detected_version_array, true) && is_rc_check?(sva[:rc], dva[:rc])
+        return is_vulnerable_pre?(sva[:pre], dva[:pre]) if is_same_version?(safe_version_array, detected_version_array, true) && is_pre_check?(sva[:pre], dva[:pre])
         # we have a non vulnerable major, but the minor is and there is an higher version in array
         # eg. we detected v1.3.2, safe version is 1.3.3 and there is also a safe 2.x.x
@@ -399,17 +431,17 @@ module Dawn
         # I can't use this nice onliner... stays here until I finish writing new code.
         # return string.split(".").map! { |n| (n=='x')? n : n.to_i }
         ver   = []
-        beta  = 0
-        rc    = 0
-        pre   = 0
+        beta  = -1
+        rc    = -1
+        pre   = -1
         string.split(".").each do |x|
           ver << x.to_i unless x == 'x' || x.start_with?('beta') || x.start_with?('rc') || x.start_with?('pre')
           ver << x if x == 'x'
-          beta = x.split("beta")[1].to_i if x.class == String && x.start_with?('beta') && beta == 0
-          rc = x.split("rc")[1].to_i if x.class == String && x.start_with?('rc') && rc == 0
-          pre = x.split("pre")[1].to_i if x.class == String && x.start_with?('pre') && pre == 0
+          beta = x.split("beta")[1].to_i if x.class == String && x.start_with?('beta') && beta == -1
+          rc = x.split("rc")[1].to_i if x.class == String && x.start_with?('rc') && rc == -1
+          pre = x.split("pre")[1].to_i if x.class == String && x.start_with?('pre') && pre == -1
         end
         {:version=>ver, :beta=>beta, :rc=>rc, :pre=>pre}