dawnscanner 1.5.2 → 1.6.0

data/lib/dawn/knowledge_base.rb

@@ -243,7 +243,27 @@ require "dawn/kb/cve_2015_3226"
 require "dawn/kb/cve_2015_3227"
 require "dawn/kb/cve_2015_3448"
 require "dawn/kb/cve_2015_4020"
-
+require "dawn/kb/cve_2015_5312"
+require "dawn/kb/cve_2015_7497"
+require "dawn/kb/cve_2015_7498"
+require "dawn/kb/cve_2015_7499"
+require "dawn/kb/cve_2015_7500"
+require "dawn/kb/cve_2015_7519"
+require "dawn/kb/cve_2015_7541"
+require "dawn/kb/cve_2015_7576"
+require "dawn/kb/cve_2015_7577"
+require "dawn/kb/cve_2015_7578"
+require "dawn/kb/cve_2015_7579"
+require "dawn/kb/cve_2015_7581"
+require "dawn/kb/cve_2015_8241"
+require "dawn/kb/cve_2015_8242"
+require "dawn/kb/cve_2015_8317"
+
+# CVE - 2016
+
+require "dawn/kb/cve_2016_0751"
+require "dawn/kb/cve_2016_0752"
+require "dawn/kb/cve_2016_0753"
 
 # OSVDB
 
@@ -525,6 +545,24 @@ module Dawn
           Dawn::Kb::CVE_2015_3227.new,
           Dawn::Kb::CVE_2015_3448.new,
           Dawn::Kb::CVE_2015_4020.new,
+          Dawn::Kb::CVE_2015_5312.new,
+          Dawn::Kb::CVE_2015_7497.new,
+          Dawn::Kb::CVE_2015_7498.new,
+          Dawn::Kb::CVE_2015_7499.new,
+          Dawn::Kb::CVE_2015_7500.new,
+          Dawn::Kb::CVE_2015_7519.new,
+          Dawn::Kb::CVE_2015_7541.new,
+          Dawn::Kb::CVE_2015_7576.new,
+          Dawn::Kb::CVE_2015_7577.new,
+          Dawn::Kb::CVE_2015_7578.new,
+          Dawn::Kb::CVE_2015_7579.new,
+          Dawn::Kb::CVE_2015_7581.new,
+          Dawn::Kb::CVE_2015_8241.new,
+          Dawn::Kb::CVE_2015_8242.new,
+          Dawn::Kb::CVE_2015_8317.new,
+          Dawn::Kb::CVE_2016_0751.new,
+          Dawn::Kb::CVE_2016_0752.new,
+          Dawn::Kb::CVE_2016_0753.new,
 
 
           # OSVDB Checks are still here since are all about dependencies

data/lib/dawn/reporter.rb

@@ -26,7 +26,7 @@ module Dawn
       puts output if @filename.nil?
 
       unless @filename.nil?
-        $logger.warn "I will use codesake.css, bootstrap.min.css and bootstrap.js stored in ./support/ directory" if @format == :html
+        # $logger.warn "I will use codesake.css, bootstrap.min.css and bootstrap.js stored in ./support/ directory" if @format == :html
         File.open(@filename, "w") do |f|
           f.puts output
         end
@@ -37,7 +37,7 @@ module Dawn
     def write_html(path, content)
       css_path = File.join(path, 'css')
       js_path = File.join(path, 'js')
-      support_path = File.join(Dir.pwd, 'support')
+      support_path = File.join(File.dirname(__FILE__), '..', '..', 'support')
 
       FileUtils.mkdir_p(File.join(path, 'css'))
       FileUtils.mkdir_p(File.join(path, 'js'))
@@ -67,13 +67,18 @@ module Dawn
     end
 
     def html_report
-      output = @engine.create_output_dir
-
+      output = @engine.create_output_dir if @filename.nil?
       html_head = "<!doctype html>\n<html>\n<head>\n<title>Dawnscanner report for #{File.basename(@engine.target)}</title>"
-      html_head += "<script src=\"./js/bootstrap.js\"></script>\n"
-      html_head += "<link href=\"./css/codesake.css\" media=\"all\" rel=\"stylesheet\" />\n"
-      html_head += "<link href=\"./css/bootstrap.min.css\" media=\"all\" rel=\"stylesheet\" />\n"
+      html_head +=" <link rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css\" integrity=\"sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7\" crossorigin=\"anonymous\">"
+
+      html_head += "<script src=\"https://code.jquery.com/jquery-2.2.0.min.js\"></script>"
+      html_head += "<link rel=\"stylesheet\" href=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css\" integrity=\"sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r\" crossorigin=\"anonymous\">"
+
+      html_head += "<script src=\"https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js\" integrity=\"sha384-0mSbJDEHialfmuBBQP6A4Qrprq5OVfW37PRR3j5ELqxss1yVqOtnepnHVP9aJ7xS\" crossorigin=\"anonymous\"></script>"
+      html_head += "<style type=\"text/css\">body{padding-top:20px;padding-bottom:40px}.container-narrow{margin:0 auto;max-width:700px}.container-narrow>hr{margin:30px 0}.jumbotron,.marketing{margin:60px 0}.jumbotron{text-align:center}.jumbotron h1{font-size:72px;line-height:1}.jumbotron .btn{font-size:21px;padding:14px 24px}.marketing p+h4{margin-top:28px}#wrap{min-height:100%;height:auto!important;height:100%;margin:0 auto -60px}#footer,#push{height:60px}#footer{background-color:#f5f5f5}@media (max-width:767px){#footer{margin-left:-20px;margin-right:-20px;padding-left:20px;padding-right:20px}}
+</style>"
       html_head += "</head>\n"
+
       html_body =  "<body>\n"
       html_body +=  ""
       html_body += "<div id=\"wrap\">\n"
@@ -144,7 +149,11 @@ module Dawn
 
       html = html_head + html_body
 
-      write_html(output,  html)
+      unless @filename.nil?
+        write(html)
+      else
+        write_html(output,  html)
+      end
       true
     end
 

data/lib/dawn/version.rb

@@ -1,7 +1,7 @@
 module Dawn
-    VERSION = "1.5.2"
+    VERSION = "1.6.0"
     CODENAME = "Tow Mater"
-    RELEASE = "20151216"
-    BUILD = "4"
-    COMMIT = "gee91733"
+    RELEASE = "20160203"
+    BUILD = "23"
+    COMMIT = "g46c66f6"
 end

data/spec/lib/dawn/codesake_knowledgebase_spec.rb

@@ -1074,4 +1074,94 @@ describe "The Codesake Dawn knowledge base" do
     sc.should_not   be_nil
     sc.class.should == Dawn::Kb::CVE_2015_1819
   end
+  it "must have test for CVE-2015-7576" do
+    sc = kb.find("CVE-2015-7576")
+    sc.should_not   be_nil
+    sc.class.should == Dawn::Kb::CVE_2015_7576
+  end
+  it "must have test for CVE-2016-0751" do
+  sc = kb.find("CVE-2016-0751")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2016_0751
+end
+  it "must have test for CVE-2015-7577" do
+  sc = kb.find("CVE-2015-7577")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7577
+end
+it "must have test for CVE-2015-7579" do
+  sc = kb.find("CVE-2015-7579")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7579
+end
+it "must have test for CVE-2016-0752" do
+  sc = kb.find("CVE-2016-0752")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2016_0752
+end
+it "must have test for CVE-2016-0753" do
+  sc = kb.find("CVE-2016-0753")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2016_0753
+end
+it "must have test for CVE-2015-7578" do
+  sc = kb.find("CVE-2015-7578")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7578
+end
+it "must have test for CVE-2015-7581" do
+  sc = kb.find("CVE-2015-7581")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7581
+end
+it "must have test for CVE-2015-5312" do
+  sc = kb.find("CVE-2015-5312")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_5312
+end
+it "must have test for CVE-2015-7497" do
+  sc = kb.find("CVE-2015-7497")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7497
+end
+it "must have test for CVE-2015-7498" do
+  sc = kb.find("CVE-2015-7498")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7498
+end
+it "must have test for CVE-2015-7499" do
+  sc = kb.find("CVE-2015-7499")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7499
+end
+it "must have test for CVE-2015-7500" do
+  sc = kb.find("CVE-2015-7500")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7500
+end
+it "must have test for CVE-2015-8241" do
+  sc = kb.find("CVE-2015-8241")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_8241
+end
+it "must have test for CVE-2015-8242" do
+  sc = kb.find("CVE-2015-8242")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_8242
+end
+it "must have test for CVE-2015-8317" do
+  sc = kb.find("CVE-2015-8317")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_8317
+end
+it "must have test for CVE-2015-7541" do
+  sc = kb.find("CVE-2015-7541")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7541
+end
+it "must have test for CVE-2015-7519" do
+  sc = kb.find("CVE-2015-7519")
+  sc.should_not   be_nil
+  sc.class.should == Dawn::Kb::CVE_2015_7519
+end
 end

data/spec/lib/kb/codesake_version_check_spec.rb

@@ -64,7 +64,7 @@ describe "The version check should" do
       @check.is_vulnerable_version?('2.3.0', '2.3.0.beta9').should == true
     end
     it "reports a safe condition when a beta version is safe and the stable version is detected" do
-      @check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').should == true
+      @check.is_vulnerable_version?('2.3.0.beta9', '2.3.0').should == false
     end
     it "reports a vulnerability when a previous beta version is detected" do
       @check.is_vulnerable_version?('2.3.0', '2.2.10.beta2').should == true
@@ -124,7 +124,7 @@ describe "The version check should" do
       @check.is_vulnerable_version?('2.3.0', '2.3.0.pre9').should == true
     end
     it "reports a safe condition when a pre version is safe and the stable version is detected" do
-      @check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').should == true
+      @check.is_vulnerable_version?('2.3.0.pre9', '2.3.0').should == false
     end
     it "reports a vulnerability when a previous pre version is detected" do
       @check.is_vulnerable_version?('2.3.0', '2.2.10.pre2').should == true

data/spec/lib/kb/cve_2015_5312_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+describe "The CVE-2015-5312 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_5312.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.0"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.5.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.4.6"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7497_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+describe "The CVE-2015-7497 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7497.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.0"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.5.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.4.6"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7498_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+describe "The CVE-2015-7498 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7498.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.0"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.5.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.4.6"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7499_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+describe "The CVE-2015-7499 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7499.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.0"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.5.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.4.6"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7500_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+describe "The CVE-2015-7500 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7500.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.0"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.6.7.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.5.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"nokogiri", :version=>"1.4.6"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7519_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+describe "The CVE-2015-7519 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7519.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"passenger", :version=>"4.0.54"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"passenger", :version=>"5.0.12"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"passenger", :version=>"4.0.60"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"passenger", :version=>"5.0.22"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7541_spec.rb

@@ -0,0 +1,15 @@
+require 'spec_helper'
+describe "The CVE-2015-7541 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7541.new
+		# @check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"colorscore", :version=>"0.0.4"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"colorscore", :version=>"0.0.5"}]
+		@check.vuln?.should   == false
+	end
+end

data/spec/lib/kb/cve_2015_7576_spec.rb

@@ -0,0 +1,51 @@
+require 'spec_helper'
+describe "The CVE-2015-7576 vulnerability" do
+	before(:all) do
+		@check = Dawn::Kb::CVE_2015_7576.new
+		@check.debug = true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"5.0.0.beta.1"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.2.5"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.1.14"}]
+		@check.vuln?.should   == true
+	end
+	it "is reported when the vulnerable gem is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"3.2.22"}]
+		@check.vuln?.should   == true
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"5.0.0"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.2.5.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.2.6"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.1.14.2"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"4.1.15"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"3.2.22.1"}]
+		@check.vuln?.should   == false
+	end
+	it "is not reported when a fixed release is detected" do
+    @check.dependencies = [{:name=>"actionpack", :version=>"3.2.23"}]
+		@check.vuln?.should   == false
+	end
+end